deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into v-tea-CI-115131

Browse Source
This commit is contained in:
Teresa-Motiv 2020-03-18 09:24:15 -07:00
commit 69ed955cc0
40 changed files with 461 additions and 652 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.openpublishing.redirection.json
View File

@ -1,6 +1,11 @@
{
"redirections": [
{
"source_path": "security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering",
"redirect_document_id": true
},
{
"source_path": "devices/hololens/hololens-whats-new.md",
"redirect_url": "https://docs.microsoft.com/hololens/hololens-release-notes",
"redirect_document_id": true
@ -15577,6 +15582,11 @@
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/licensing.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment",
"redirect_document_id": true
},
{
"source_path": "windows/release-information/status-windows-10-1703.yml",
"redirect_url": "https://docs.microsoft.com/windows/release-information/windows-message-center",
"redirect_document_id": true

2
devices/hololens/hololens-FAQ.md
View File

@ -207,7 +207,7 @@ You can pair other Bluetooth HID and GATT devices together with your HoloLens. H
Use the [clicker](hololens1-clicker.md) to select, scroll, move, and resize holograms. Individial apps may support additional clicker gestures.
If you're having trouble using the clicker, make sure that it's charged and paired with your HoloLens. If the battery is low, the indicator light blinks amber. To verify that the clicker is paired, go to **Settings** > **Devices** and see if it shows up there. For more information, see [Pair the clicker](hololens-connect-devices.md#pair-the-clicker).
If you're having trouble using the clicker, make sure that it's charged and paired with your HoloLens. If the battery is low, the indicator light blinks amber. To verify that the clicker is paired, go to **Settings** > **Devices** and see if it shows up there. For more information, see [Pair the clicker](hololens-connect-devices.md#hololens-1st-gen-pair-the-clicker).
If the clicker is charged and paired and you're still having problems, reset it by holding down the main button and the pairing button for 15 seconds. Then pair the clicker with your HoloLens again.

3
devices/hololens/hololens-calibration.md
View File

@ -33,7 +33,8 @@ HoloLens 2 prompts a user to calibrate the device under the following circumstan
- The user previously opted out of the calibration process
- The calibration process did not succeed the last time the user used the device
- The user has deleted their calibration profiles
- The visor is raised and the lowered and any of the above circumstances apply (this may be disabled in **Settings > System > Calibration**.)
- The device is taken off and put back on and any of the above circumstances apply
![Calibration prompt](./images/07-et-adjust-for-your-eyes.png)

56
devices/hololens/hololens-connect-devices.md
View File

@ -8,7 +8,7 @@ author: Teresa-Motiv
ms.author: v-tea
ms.topic: article
ms.localizationpriority: high
ms.date: 09/13/2019
ms.date: 03/11/2020
manager: jarrettr
appliesto:
- HoloLens (1st gen)
@ -19,56 +19,58 @@ appliesto:
## Pair Bluetooth devices
Pair a Bluetooth mouse and keyboard with HoloLens, then use them to interact with holograms and to type anywhere you'd use the holographic keyboard.
Classes of Bluetooth devices supported by HoloLens 2:
HoloLens 2 supports the following classes of Bluetooth devices:
- Mouse
- Keyboard
- Bluetooth audio output (A2DP) devices
Classes of Bluetooth devices supported by HoloLens (1st gen):
HoloLens (1st gen) supports the following classes of Bluetooth devices:
- Mouse
- Keyboard
- HoloLens (1st gen) clicker
> [!NOTE]
> Other types of Bluetooth devices, such as speakers, headsets, smartphones, and game pads, may appear as available in HoloLens settings, but aren't supported on HoloLens (1st gen). [Learn more](https://go.microsoft.com/fwlink/p/?LinkId=746660).
> Other types of Bluetooth devices, such as speakers, headsets, smartphones, and game pads, may be listed as available in HoloLens settings. However, these devices aren't supported on HoloLens (1st gen). For more information, see [I'm having problems pairing or using a Bluetooth device](hololens-FAQ.md#im-having-problems-pairing-or-using-a-bluetooth-device).
### Pair a Bluetooth keyboard or mouse
1. Turn on your keyboard or mouse and make it discoverable. The way you make it discoverable depends on the device. To learn how to do this, check the device or visit the manufacturer's website.
1. Turn on your keyboard or mouse, and make it discoverable. To learn how to make the device discoverable, look for information on the device (or its documentation) or visit the manufacturer's website.
1. Use the bloom gesture (HoloLens (1st gen) or the start gesture (HoloLens 2) to go to **Start**, then select **Settings**.
1. Select **Devices** and make sure that Bluetooth is on. When you see the device name, select **Pair** and follow the instructions.
1. Use the bloom gesture (HoloLens (1st gen)) or the start gesture (HoloLens 2) to go to **Start**, and then select **Settings**.
1. Select **Devices**, and make sure that Bluetooth is on.
1. When you see the device name, select **Pair**, and then follow the instructions.
### Pair the clicker
### HoloLens (1st gen): Pair the clicker
> Applies to HoloLens (1st gen) only.
1. Use the bloom gesture to go to **Start**, then select **Settings**.
1. Select **Devices** and make sure that Bluetooth is on.
1. Use the tip of a pen to press and hold the clicker's pairing button until the status light blinks white. Make sure to hold the button down until the light starts blinking. [Where's the pairing button?](hololens1-clicker.md)
1. Use the bloom gesture to go to **Start**, and then select **Settings**.
1. Select **Devices**, and make sure that Bluetooth is on.
1. Use the tip of a pen to press and hold the clicker pairing button until the clicker status light blinks white. Make sure to hold down the button until the light starts blinking.
The pairing button is on the underside of the clicker, next to the finger loop.
![The pairing button is beside the finger loop](images/use-hololens-clicker-1.png)
1. On the pairing screen, select **Clicker** > **Pair**.
## Connect USB-C devices
## HoloLens 2: Connect USB-C devices
> Applies to HoloLens 2 only.
HoloLens 2 lets you connect a wide range of USB-C devices.
HoloLens 2 supports the following devices classes:
HoloLens 2 supports the following classes of USB-C devices:
- Mass storage devices (such as thumb drives)
- Ethernet adapters (including ethernet with charging)
- USB-C to 3.5mm digital audio adapters
- USB-C digital audio headsets (including headset adapters with charging)
- Ethernet adapters (including ethernet plus charging)
- USB-C-to-3.5mm digital audio adapters
- USB-C digital audio headsets (including headset adapters plus charging)
- Wired mouse
- Wired keyboard
- Combination PD hubs (USB A + PD charging)
- Combination PD hubs (USB A plus PD charging)
## Connect to Miracast
Use Miracast by opening the **Start** menu and selecting the display icon or saying "Connect" while gazing at the **Start** menu. Choose an available device from the list that appears and complete pairing to begin projection.
To use Miracast, follow these steps:
1. Do one of the following:
- Open the **Start** menu, and select the display icon.
- Say "Connect" while you gaze at the **Start** menu.
1. On the list of devices that appears, select an available device.
1. Complete the pairing to begin projecting.

58
devices/hololens/hololens2-language-support.md
View File

@ -7,7 +7,11 @@ author: Teresa-Motiv
ms.author: v-tea
ms.topic: article
ms.localizationpriority: medium
ms.date: 9/12/2019
ms.custom:
- CI 115225
- CSSTroubleshooting
keywords: localize, language support, display language, keyboard language, IME, keyboard layout
ms.date: 03/12/2020
audience: ITPro
ms.reviewer: jarrettr
manager: jarrettr
@ -17,7 +21,7 @@ appliesto:
# Supported languages for HoloLens 2
HoloLens 2 supports the following languages, including voice commands and dictation features, keyboard layouts, and OCR recognition within apps.
HoloLens 2 is localized into the following languages. The localization features include speech commands and dictation, keyboard layouts, and OCR recognition within apps.
- Chinese Simplified (China)
- English (Australia)
@ -31,43 +35,43 @@ HoloLens 2 supports the following languages, including voice commands and dictat
- Japanese (Japan)
- Spanish (Spain)
HoloLens 2 is also available in the following languages. However, this support does not include speech commands or dictation features.
HoloLens 2 also supports the following languages. However, this support does not include speech commands or dictation features.
- Chinese Traditional (Taiwan and Hong Kong)
- Dutch (Netherlands)
- Korean (Korea)
## Changing language or keyboard
The setup process configures your HoloLens for a region and language. You can change this configuration by using the **Time & language** section of **Settings**.
> [!NOTE]
> Your speech and dictation language depends on the Windows display language.
## To change the Windows display language
1. Go to the **Start** menu, and then select **Settings** > **Time and language** > **Language**.
2. Select **Windows display language**, and then select a language.
If the supported language youre looking for is not in the menu, follow these steps:
1. Under **Preferred languages** select **Add a language**.
2. Search for and add the language.
3. Select the **Windows display language** menu again and choose the language you added.
The Windows display language affects the following settings for Windows and for apps that support localization:
Some features of HoloLens 2 use the Windows display language. The Windows display language affects the following settings for Windows and for apps that support localization:
- The user interface text language.
- The speech language.
- The default layout of the on-screen keyboard.
## To change the keyboard layout
## Change the language or keyboard layout
To add or remove a keyboard layout, open the **Start** menu and then select **Settings** > **Time & language** > **Keyboard**.
The setup process configures your HoloLens for a specific region and language. You can change this configuration by using the **Time & language** section of **Settings**.
> [!NOTE]
> Your speech and dictation language depends on (and is the same as) the Windows display language.
### To change the Windows display language
1. Open the **Start** menu, and then select **Settings** > **Time and language** > **Language**.
2. Select **Windows display language**, and then select a language.
If the supported language that you're looking for is not in the menu, follow these steps:
1. Under **Preferred languages**, select **Add a language**.
2. Locater and add the language.
3. Select the **Windows display language** menu again, and then select the language that you added in the previous step.
### To change the keyboard layout
To add or remove a keyboard layout, open the **Start** menu, and then select **Settings** > **Time & language** > **Keyboard**.
If your HoloLens has more than one keyboard layout, use the **Layout** key to switch between them. The **Layout** key is in the lower right corner of the on-screen keyboard.
> [!NOTE]
> [!NOTE]
> The on-screen keyboard can use Input Method Editor (IME) to enter characters in languages such as Chinese. However, HoloLens does not support external Bluetooth keyboards that use IME.
>
> While you use IME with the on-screen keyboard, you can continue to use a Bluetooth keyboard to type in English. To switch between keyboards, press ~.
>
> While you use IME together with the on-screen keyboard, you can continue to use a Bluetooth keyboard to type in English. To switch between keyboards, press the tilde character button (**~**).

8
devices/surface-hub/device-reset-surface-hub.md
View File

@ -90,7 +90,7 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a
1. Use the power switch to turn the Surface Hub back on. The device starts and displays the Surface Hub Logo screen. When you see spinning dots under the Surface Hub Logo, use the power switch to turn the Surface Hub off again.
1. Repeat step 3 three times, or until the Surface Hub displays the “Preparing Automatic Repair” message. After it displays this message, the Surface Hub displays the Windows RE screen.
1. Repeat step 3 three times, or until the Surface Hub displays the "Preparing Automatic Repair" message. After it displays this message, the Surface Hub displays the Windows RE screen.
1. Select **Advanced Options**.
@ -115,6 +115,12 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a
![downloading 97&](images/recover-progress.png)
When the download finishes, the recovery process restores the Surface Hub according to the options that you selected.
## Contact Support
If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).
## Related topics

13
devices/surface-hub/miracast-troubleshooting.md
View File

@ -21,13 +21,13 @@ In traditional Miracast, the projecting device will connect the access point set
- The first step is an initial connection using 2.4GHz.
- After that initial handshake, the projecting device sends traffic to the monitor using the wireless channel settings on the monitor. If Surface Hub is connected to a Wi-Fi network, the access point, it will use the same channel as the connected network, otherwise it will use the Miracast channel from Settings.
There are generally two types of issues with Miracast to Surface Hub: [connection](#connect-issues) and [performance](#performance-issues). In either case, it is a good idea to get a general picture of wireless network activity in the Surface Hubs location. Running a network scanning tool will show you the available networks and channel usage in the environment.
There are generally two types of issues with Miracast to Surface Hub: [connection](#connect-issues) and [performance](#performance-issues). In either case, it is a good idea to get a general picture of wireless network activity in the Surface Hub's location. Running a network scanning tool will show you the available networks and channel usage in the environment.
## Connect issues
Ensure both Wi-Fi and Miracast are both enabled in Settings on Surface Hub.
If you ran a network scan, you should see Surface Hub Miracast listed as an access point. If Surface Hubs Miracast network shows up on the scan, but you cannot not see it as an available device, you can try to adjust the Miracast channel used by Surface Hub.
If you ran a network scan, you should see Surface Hub Miracast listed as an access point. If Surface Hub's Miracast network shows up on the scan, but you cannot not see it as an available device, you can try to adjust the Miracast channel used by Surface Hub.
When Surface Hub is connected to a Wi-Fi network it will use the same channel settings as the Wi-Fi access point for its Miracast access point. For troubleshooting purposes, disconnect Surface Hub from any Wi-Fi networks (but keep Wi-Fi enabled), so you can control the channel used for Miracast. You can manually select the Miracast channel in Settings. You will need to restart Surface Hub after each change. Generally speaking, you will want to use channels that do not show heavy utilization from the network scan.
@ -42,7 +42,7 @@ It is also a good idea to ensure the latest drivers and updates are installed on
Next, ensure Miracast is supported on the device.
1. Press Windows Key + R and type `dxdiag`.
2. Click “Save all information”.
2. Click "Save all information".
3. Open the saved dxdiag.txt and find **Miracast**. It should say **Available, with HDCP**.
### Check firewall
@ -63,7 +63,7 @@ On domain-joined devices, Group Policy can also block Miracast.
### Check event logs
The last place to check is in the Event logs. Miracast events will be logged to **Wlanautoconfig**. This is true on both Surface Hub and the projecting device. If you export Surface Hub logs, you can view Surface Hubs Wlanautoconfig in the **WindowsEventLog** folder. Errors in the event log can provide some additional details on where the connection fails.
The last place to check is in the Event logs. Miracast events will be logged to **Wlanautoconfig**. This is true on both Surface Hub and the projecting device. If you export Surface Hub logs, you can view Surface Hub's Wlanautoconfig in the **WindowsEventLog** folder. Errors in the event log can provide some additional details on where the connection fails.
## Performance issues
@ -75,7 +75,10 @@ Channel switching is caused when the Wi-Fi adapter needs to send traffic to mult
If Surface Hub and the projecting device are both connected to Wi-Fi but using different access points with different channels, this will force Surface Hub and the projecting device to channel switch while Miracast is connected. This will result in both poor wireless project and poor network performance over Wi-Fi. The channel switching will affect the performance of all wireless traffic, not just wireless projection.
Channel switching will also occur if the projecting device is connected to an Wi-Fi network using a different channel than the channel that Surface Hub uses for Miracast. So, a best practice is to set Surface Hubs Miracast channel to the same channel as the most commonly used access point.
Channel switching will also occur if the projecting device is connected to an Wi-Fi network using a different channel than the channel that Surface Hub uses for Miracast. So, a best practice is to set Surface Hub's Miracast channel to the same channel as the most commonly used access point.
If there are multiple Wi-Fi networks or access points in the environment, some channel switching is unavoidable. This is best addressed by ensuring all Wi-Fi drivers are up to date.
## Contact Support
If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).

4
devices/surface-hub/surface-hub-2s-recover-reset.md
View File

@ -69,3 +69,7 @@ At the end of a session, Surface Hub 2S may occasionally encounter an error duri
> [!NOTE]
> To enter recovery mode, unplug the power cord and plug it in again three times.
## Contact Support
If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).

29
devices/surface-hub/troubleshoot-surface-hub.md
View File

@ -456,15 +456,15 @@ This section lists status codes, mapping, user messages, and actions an admin ca
<tr class="even">
<td align="left"><p>0x80072EFD</p></td>
<td align="left"><p>WININET_E_CANNOT_CONNECT</p></td>
<td align="left"><p>Cant connect to the server right now. Wait a while and try again, or check the account settings.</p></td>
<td align="left"><p>Can't connect to the server right now. Wait a while and try again, or check the account settings.</p></td>
<td align="left"><p>Verify that the server name is correct and reachable. Verify that the device is connected to the network.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>0x86000C29</p></td>
<td align="left"><p>E_NEXUS_STATUS_DEVICE_NOTPROVISIONED (policies dont match)</p></td>
<td align="left"><p>E_NEXUS_STATUS_DEVICE_NOTPROVISIONED (policies don't match)</p></td>
<td align="left"><p>The account is configured with policies not compatible with Surface Hub.</p></td>
<td align="left"><p>Disable the <strong>PasswordEnabled</strong> policy for this account.</p>
<p>We have a bug were we may surface policy errors if the account doesnt receive any server notifications within the policy refresh interval.</p></td>
<p>We have a bug were we may surface policy errors if the account doesn't receive any server notifications within the policy refresh interval.</p></td>
</tr>
<tr class="even">
<td align="left"><p>0x86000C4C</p></td>
@ -475,7 +475,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
<tr class="odd">
<td align="left"><p>0x86000C0A</p></td>
<td align="left"><p>E_NEXUS_STATUS_SERVERERROR_RETRYLATER</p></td>
<td align="left"><p>Cant connect to the server right now.</p></td>
<td align="left"><p>Can't connect to the server right now.</p></td>
<td align="left"><p>Wait until the server comes back online. If the issue persists, re-provision the account.</p></td>
</tr>
<tr class="even">
@ -487,7 +487,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
<tr class="odd">
<td align="left"><p>0x8505000D</p></td>
<td align="left"><p>E_AIRSYNC_RESET_RETRY</p></td>
<td align="left"><p>Cant connect to the server right now. Wait a while or check the accounts settings.</p></td>
<td align="left"><p>Can't connect to the server right now. Wait a while or check the account's settings.</p></td>
<td align="left"><p>This is normally a transient error but if the issue persists check the number of devices associated with the account and delete some of them if the number is large.</p></td>
</tr>
<tr class="even">
@ -499,13 +499,13 @@ This section lists status codes, mapping, user messages, and actions an admin ca
<tr class="odd">
<td align="left"><p>0x85010004</p></td>
<td align="left"><p>E_HTTP_FORBIDDEN</p></td>
<td align="left"><p>Cant connect to the server right now. Wait a while and try again, or check the accounts settings.</p></td>
<td align="left"><p>Can't connect to the server right now. Wait a while and try again, or check the account's settings.</p></td>
<td align="left"><p>Verify the server name to make sure it is correct. If the account is using cert based authentication make sure the certificate is still valid and update it if not.</p></td>
</tr>
<tr class="even">
<td align="left"><p>0x85030028</p></td>
<td align="left"><p>E_ACTIVESYNC_PASSWORD_OR_GETCERT</p></td>
<td align="left"><p>The accounts password or client certificate are missing or invalid.</p></td>
<td align="left"><p>The account's password or client certificate are missing or invalid.</p></td>
<td align="left"><p>Update the password and/or deploy the client certificate.</p></td>
</tr>
<tr class="odd">
@ -523,7 +523,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
<tr class="odd">
<td align="left"><p>0x80072EE2</p></td>
<td align="left"><p>WININET_E_TIMEOUT</p></td>
<td align="left"><p>The network doesnt support the minimum idle timeout required to receive server notification, or the server is offline.</p></td>
<td align="left"><p>The network doesn't support the minimum idle timeout required to receive server notification, or the server is offline.</p></td>
<td align="left"><p>Verify that the server is running. Verify the NAT settings.</p></td>
</tr>
<tr class="even">
@ -535,13 +535,13 @@ This section lists status codes, mapping, user messages, and actions an admin ca
<tr class="odd">
<td align="left"><p>0x85010017</p></td>
<td align="left"><p>E_HTTP_SERVICE_UNAVAIL</p></td>
<td align="left"><p>Cant connect to the server right now. Wait a while or check the accounts settings.</p></td>
<td align="left"><p>Can't connect to the server right now. Wait a while or check the account's settings.</p></td>
<td align="left"><p>Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.</p></td>
</tr>
<tr class="even">
<td align="left"><p>0x86000C0D</p></td>
<td align="left"><p>E_NEXUS_STATUS_MAILBOX_SERVEROFFLINE</p></td>
<td align="left"><p>Cant connect to the server right now. Wait a while or check the accounts settings.</p></td>
<td align="left"><p>Can't connect to the server right now. Wait a while or check the account's settings.</p></td>
<td align="left"><p>Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.</p></td>
</tr>
<tr class="odd">
@ -555,7 +555,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
<td align="left"><p>E_NEXUS_STATUS_INVALID_POLICYKEY</p></td>
<td align="left"><p>The account is configured with policies not compatible with Surface Hub.</p></td>
<td align="left"><p>Disable the PasswordEnabled policy for this account.</p>
<p>We have a bug were we may surface policy errors if the account doesnt receive any server notifications within the policy refresh interval.</p></td>
<p>We have a bug were we may surface policy errors if the account doesn't receive any server notifications within the policy refresh interval.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>0x85010005</p></td>
@ -566,7 +566,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
<tr class="even">
<td align="left"><p>0x85010014</p></td>
<td align="left"><p>E_HTTP_SERVER_ERROR</p></td>
<td align="left"><p>Cant connect to the server.</p></td>
<td align="left"><p>Can't connect to the server.</p></td>
<td align="left"><p>Verify the server name to make sure it is correct. Trigger a sync and, if the issue persists, re-provision the account.</p></td>
</tr>
<tr class="odd">
@ -602,7 +602,10 @@ This section lists status codes, mapping, user messages, and actions an admin ca
</tbody>
</table>
 
## Contact Support
If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).
 
## Related content

170
mdop/appv-v5/about-app-v-51-reporting.md
View File

@ -16,36 +16,32 @@ ms.date: 08/30/2016
# About App-V 5.1 Reporting
Microsoft Application Virtualization (App-V) 5.1 includes a built-in reporting feature that helps you collect information about computers running the App-V 5.1 client as well as information about virtual application package usage. You can use this information to generate reports from a centralized database.
## <a href="" id="---------app-v-5-1-reporting-overview"></a> App-V 5.1 Reporting Overview
The following list displays the endto-end high-level workflow for reporting in App-V 5.1.
1. The App-V 5.1 Reporting server has the following prerequisites:
1. The App-V 5.1 Reporting server has the following prerequisites:
- Internet Information Service (IIS) web server role
- Internet Information Service (IIS) web server role
- Windows Authentication role (under **IIS / Security**)
- Windows Authentication role (under **IIS / Security**)
- SQL Server installed and running with SQL Server Reporting Services (SSRS)
- SQL Server installed and running with SQL Server Reporting Services (SSRS)
To confirm SQL Server Reporting Services is running, view `http://localhost/Reports` in a web browser as administrator on the server that will host App-V 5.1 Reporting. The SQL Server Reporting Services Home page should display.
2. Install the App-V 5.1 reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md). Configure the time when the computer running the App-V 5.1 client should send data to the reporting server.
2. Install the App-V 5.1 reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md). Configure the time when the computer running the App-V 5.1 client should send data to the reporting server.
3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at <https://go.microsoft.com/fwlink/?LinkId=397255>.
3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined SSRS Reports from the [Download Center](https://go.microsoft.com/fwlink/?LinkId=397255).
**Note**  
If you are using the Configuration Manager integration with App-V 5.1, most reports are generated from Configuration Manager rather than from App-V 5.1.
> [!NOTE]
> If you are using the Configuration Manager integration with App-V 5.1, most reports are generated from Configuration Manager rather than from App-V 5.1.
4. After importing the App-V 5.1 PowerShell module using `Import-Module AppvClient` as administrator, enable the App-V 5.1 client. This sample PowerShell cmdlet enables App-V 5.1 reporting:
4. After importing the App-V 5.1 PowerShell module using `Import-Module AppvClient` as administrator, enable the App-V 5.1 client. This sample PowerShell cmdlet enables App-V 5.1 reporting:
``` syntax
```powershell
Set-AppvClientConfiguration reportingserverurl <url>:<port> -reportingenabled 1 ReportingStartTime <0-23> - ReportingRandomDelay <#min>
```
@ -53,18 +49,14 @@ The following list displays the endto-end high-level workflow for reporting i
For more information about installing the App-V 5.1 client with reporting enabled see [About Client Configuration Settings](about-client-configuration-settings51.md). To administer App-V 5.1 Reporting with Windows PowerShell, see [How to Enable Reporting on the App-V 5.1 Client by Using PowerShell](how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md).
5. After the reporting server receives the data from the App-V 5.1 client it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server and then a notification is sent to the App-V 5.1 client.
5. After the reporting server receives the data from the App-V 5.1 client it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server and then a notification is sent to the App-V 5.1 client.
6. When the App-V 5.1 client receives the success notification, it empties the data cache to conserve space.
6. When the App-V 5.1 client receives the success notification, it empties the data cache to conserve space.
**Note**  
By default the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache.
> [!NOTE]
> By default the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache.
~~~
If the App-V 5.1 client device does not receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache.
~~~
### <a href="" id="-------------app-v-5-1-reporting-server-frequently-asked-questions"></a> App-V 5.1 reporting server frequently asked questions
@ -121,52 +113,50 @@ The following table displays answers to common questions about App-V 5.1 reporti
<strong>Note</strong><br/><p>Group Policy settings override local settings configured using PowerShell.</p>
</div>
<div>
</div></li>
</ol></td>
</tr>
</tbody>
</table>
## <a href="" id="---------app-v-5-1-client-reporting"></a> App-V 5.1 Client Reporting
To use App-V 5.1 reporting you must install and configure the App-V 5.1 client. After the client has been installed, use the **Set-AppVClientConfiguration** PowerShell cmdlet or the **ADMX Template** to configure reporting. The reporting feature cmdlets are available by using the following link and are prefaced by **Reporting**. For a complete list of client configuration settings see [About Client Configuration Settings](about-client-configuration-settings51.md). The following section provides examples of App-V 5.1 client reporting configuration using PowerShell.
### Configuring App-V Client reporting using PowerShell
The following examples show how PowerShell parameters can configure the reporting features of the App-V 5.1 client.
**Note**
The following configuration task can also be configured using Group Policy settings in the App-V 5.1 ADMX template. For more information about using the ADMX template, see [How to Modify App-V 5.1 Client Configuration Using the ADMX Template and Group Policy](how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md).
> [!NOTE]
> The following configuration task can also be configured using Group Policy settings in the App-V 5.1 ADMX template. For more information about using the ADMX template, see [How to Modify App-V 5.1 Client Configuration Using the ADMX Template and Group Policy](how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md).
**To enable reporting and to initiate data collection on the computer running the App-V 5.1 client**:
`Set-AppVClientConfiguration ReportingEnabled 1`
```powershell
Set-AppVClientConfiguration ReportingEnabled 1
```
**To configure the client to automatically send data to a specific reporting server**:
``` syntax
Set-AppVClientConfiguration ReportingServerURL http://MyReportingServer:MyPort/ -ReportingStartTime 20 -ReportingInterval 1 -ReportingRandomDelay 30
```powershell
Set-AppVClientConfiguration ReportingServerURL http://MyReportingServer:MyPort/ -ReportingStartTime 20 -ReportingInterval 1 -ReportingRandomDelay 30 -ReportingInterval 1 -ReportingRandomDelay 30
```
`-ReportingInterval 1 -ReportingRandomDelay 30`
This example configures the client to automatically send the reporting data to the reporting server URL <strong>http://MyReportingServer:MyPort/</strong>. Additionally, the reporting data will be sent daily between 8:00 and 8:30 PM, depending on the random delay generated for the session.
This example configures the client to automatically send the reporting data to the reporting server URL **http://MyReportingServer:MyPort/**. Additionally, the reporting data will be sent daily between 8:00 and 8:30 PM, depending on the random delay generated for the session.
**To limit the size of the data cache on the client**:
`Set-AppvClientConfiguration ReportingDataCacheLimit 100`
```powershell
Set-AppvClientConfiguration ReportingDataCacheLimit 100
```
Configures the maximum size of the reporting cache on the computer running the App-V 5.1 client to 100 MB. If the cache limit is reached before the data is sent to the server, then the log rolls over and data will be overwritten as necessary.
**To configure the data block size transmitted across the network between the client and the server**:
`Set-AppvClientConfiguration ReportingDataBlockSize 10240`
```powershell
Set-AppvClientConfiguration ReportingDataBlockSize 10240
```
Specifies the maximum data block that the client sends to 10240 MB.
@ -174,59 +164,15 @@ Specifies the maximum data block that the client sends to 10240 MB.
The following table displays the types of information you can collect by using App-V 5.1 reporting.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Client Information</th>
<th align="left">Package Information</th>
<th align="left">Application Usage</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Host Name</p></td>
<td align="left"><p>Package Name</p></td>
<td align="left"><p>Start and End Times</p></td>
</tr>
<tr class="even">
<td align="left"><p>App-V 5.1 Client Version</p></td>
<td align="left"><p>Package Version</p></td>
<td align="left"><p>Run Status</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Processor Architecture</p></td>
<td align="left"><p>Package Source</p></td>
<td align="left"><p>Shutdown State</p></td>
</tr>
<tr class="even">
<td align="left"><p>Operating System Version</p></td>
<td align="left"><p>Percent Cached</p></td>
<td align="left"><p>Application Name</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Service Pack Level</p></td>
<td align="left"><p></p></td>
<td align="left"><p>Application Version</p></td>
</tr>
<tr class="even">
<td align="left"><p>Operating System Type</p></td>
<td align="left"><p></p></td>
<td align="left"><p>Username</p></td>
</tr>
<tr class="odd">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Connection Group</p></td>
</tr>
</tbody>
</table>
|Client Information |Package Information |Application Usage |
|---------|---------|---------|
|Host Name |Package Name|Start and End Times|
|App-V 5.1 Client Version |Package Version|Run Status|
|Processor Architecture |Package Source|Shutdown State|
|Operating System Version|Percent Cached|Application Name|
|Service Pack Level| |Application Version|
|Operating System Type| |Username|
| | |Connection Group|
The client collects and saves this data in an **.xml** format. The data cache is hidden by default and requires administrator rights to open the XML file.
@ -234,19 +180,17 @@ The client collects and saves this data in an **.xml** format. The data cache is
You can configure the computer that is running the App-V 5.1 client to automatically send data to the specified reporting server. To specify the server use the **Set-AppvClientConfiguration** cmdlet with the following settings:
- ReportingEnabled
- ReportingServerURL
- ReportingStartTime
- ReportingInterval
- ReportingRandomDelay
- ReportingEnabled
- ReportingServerURL
- ReportingStartTime
- ReportingInterval
- ReportingRandomDelay
After you configure the previous settings, you must create a scheduled task. The scheduled task will contact the server specified by the **ReportingServerURL** setting and will initiate the transfer. If you want to manually send data outside of the scheduled times, use the following PowerShell cmdlet:
`Send-AppVClientReport URL http://MyReportingServer:MyPort/ -DeleteOnSuccess`
```powershell
Send-AppVClientReport URL http://MyReportingServer:MyPort/ -DeleteOnSuccess
```
If the reporting server has been previously configured, then the **URL** parameter can be omitted. Alternatively, if the data should be sent to an alternate location, specify a different URL to override the configured **ReportingServerURL** for this data collection.
@ -277,23 +221,20 @@ You can also use the **Send-AppVClientReport** cmdlet to manually collect data.
<strong>Note</strong><br/><p>If a location other than the Reporting Server is specified, the data is sent using <strong>.xml</strong> format with no additional processing.</p>
</div>
<div>
</div></td>
</tr>
</tbody>
</table>
### Creating Reports
To retrieve report information and create reports using App-V 5.1 you must use one of the following methods:
- **Microsoft SQL Server Reporting Services (SSRS)** - Microsoft SQL Server Reporting Services is available with Microsoft SQL Server. SSRS is not installed when you install the App-V 5.1 reporting server. It must be deployed separately to generate the associated reports.
- **Microsoft SQL Server Reporting Services (SSRS)** - Microsoft SQL Server Reporting Services is available with Microsoft SQL Server. SSRS is not installed when you install the App-V 5.1 reporting server. It must be deployed separately to generate the associated reports.
Use the following link for more information about using [Microsoft SQL Server Reporting Services](https://go.microsoft.com/fwlink/?LinkId=285596).
- **Scripting** You can generate reports by scripting directly against the App-V 5.1 reporting database. For example:
- **Scripting** You can generate reports by scripting directly against the App-V 5.1 reporting database. For example:
**Stored Procedure:**
@ -303,25 +244,10 @@ To retrieve report information and create reports using App-V 5.1 you must use o
The stored procedure is also created when using the App-V 5.1 database scripts.
You should also ensure that the reporting server web services **Maximum Concurrent Connections** is set to a value that the server will be able to manage without impacting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**.
You should also ensure that the reporting server web service's **Maximum Concurrent Connections** is set to a value that the server will be able to manage without impacting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**.
## Related topics
[Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md)
[How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md)

87
mdop/appv-v5/app-v-51-planning-checklist.md
View File

@ -16,86 +16,21 @@ ms.date: 06/16/2016
# App-V 5.1 Planning Checklist
This checklist can be used to help you plan for preparing your computing environment for Microsoft Application Virtualization (App-V) 5.1 deployment.
**Note**  
This checklist outlines the recommended steps and a high-level list of items to consider when planning for an App-V 5.1 deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left"></th>
<th align="left">Task</th>
<th align="left">References</th>
<th align="left">Notes</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
<td align="left"><p>Review the getting started information about App-V 5.1 to gain a basic understanding of the product before beginning deployment planning.</p></td>
<td align="left"><p><a href="getting-started-with-app-v-51.md" data-raw-source="[Getting Started with App-V 5.1](getting-started-with-app-v-51.md)">Getting Started with App-V 5.1</a></p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
<td align="left"><p>Plan for App-V 5.1 1.0 Deployment Prerequisites and prepare your computing environment.</p></td>
<td align="left"><p><a href="app-v-51-prerequisites.md" data-raw-source="[App-V 5.1 Prerequisites](app-v-51-prerequisites.md)">App-V 5.1 Prerequisites</a></p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
<td align="left"><p>If you plan to use the App-V 5.1 management server, plan for the required roles.</p></td>
<td align="left"><p><a href="planning-for-the-app-v-51-server-deployment.md" data-raw-source="[Planning for the App-V 5.1 Server Deployment](planning-for-the-app-v-51-server-deployment.md)">Planning for the App-V 5.1 Server Deployment</a></p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
<td align="left"><p>Plan for the App-V 5.1 sequencer and client so you to create and run virtualized applications.</p></td>
<td align="left"><p><a href="planning-for-the-app-v-51-sequencer-and-client-deployment.md" data-raw-source="[Planning for the App-V 5.1 Sequencer and Client Deployment](planning-for-the-app-v-51-sequencer-and-client-deployment.md)">Planning for the App-V 5.1 Sequencer and Client Deployment</a></p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
<td align="left"><p>If applicable, review the options and steps for migrating from a previous version of App-V.</p></td>
<td align="left"><p><a href="planning-for-migrating-from-a-previous-version-of-app-v51.md" data-raw-source="[Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v51.md)">Planning for Migrating from a Previous Version of App-V</a></p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
<td align="left"><p>Plan for running App-V 5.1 clients using in shared content store mode.</p></td>
<td align="left"><p><a href="how-to-install-the-app-v-51-client-for-shared-content-store-mode.md" data-raw-source="[How to Install the App-V 5.1 Client for Shared Content Store Mode](how-to-install-the-app-v-51-client-for-shared-content-store-mode.md)">How to Install the App-V 5.1 Client for Shared Content Store Mode</a></p></td>
<td align="left"><p></p></td>
</tr>
</tbody>
</table>
> [!NOTE]
> This checklist outlines the recommended steps and a high-level list of items to consider when planning for an App-V 5.1 deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use.
| |Task |References |
|-|-|-|
|![Checklist box](images/checklistbox.gif) |Review the getting started information about App-V 5.1 to gain a basic understanding of the product before beginning deployment planning.|[Getting Started with App-V 5.1](getting-started-with-app-v-51.md)|
|![Checklist box](images/checklistbox.gif) |Plan for App-V 5.1 1.0 Deployment Prerequisites and prepare your computing environment.|[App-V 5.1 Prerequisites](app-v-51-prerequisites.md)|
|![Checklist box](images/checklistbox.gif) |If you plan to use the App-V 5.1 management server, plan for the required roles.|[Planning for the App-V 5.1 Server Deployment](planning-for-the-app-v-51-server-deployment.md)|
|![Checklist box](images/checklistbox.gif) |Plan for the App-V 5.1 sequencer and client so you to create and run virtualized applications.|[Planning for the App-V 5.1 Sequencer and Client Deployment](planning-for-the-app-v-51-sequencer-and-client-deployment.md)|
|![Checklist box](images/checklistbox.gif) |If applicable, review the options and steps for migrating from a previous version of App-V.|[Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v51.md)|
|![Checklist box](images/checklistbox.gif) |Plan for running App-V 5.1 clients using in shared content store mode.|[How to Install the App-V 5.1 Client for Shared Content Store Mode](how-to-install-the-app-v-51-client-for-shared-content-store-mode.md)|
|![Checklist box](images/checklistbox.gif) | | |
## Related topics
[Planning for App-V 5.1](planning-for-app-v-51.md)

47
mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md
View File

@ -16,63 +16,46 @@ ms.date: 06/16/2016
# How to install the Reporting Server on a Standalone Computer and Connect it to the Database
Use the following procedure to install the reporting server on a standalone computer and connect it to the database.
**Important**
**Important**
Before performing the following procedure you should read and understand [About App-V 5.1 Reporting](about-app-v-51-reporting.md).
## To install the reporting server on a standalone computer and connect it to the database
1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
**To install the reporting server on a standalone computer and connect it to the database**
2. On the **Getting Started** page, review and accept the license terms, and click **Next**.
1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don't want to use Microsoft Update**. Click **Next**.
2. On the **Getting Started** page, review and accept the license terms, and click **Next**.
4. On the **Feature Selection** page, select the **Reporting Server** checkbox and click **Next**.
3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I dont want to use Microsoft Update**. Click **Next**.
5. On the **Installation Location** page, accept the default location and click **Next**.
4. On the **Feature Selection** page, select the **Reporting Server** checkbox and click **Next**.
6. On the **Configure Existing Reporting Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL Server, for example **SqlServerMachine**.
5. On the **Installation Location** page, accept the default location and click **Next**.
> [!NOTE]
> If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**.
6. On the **Configure Existing Reporting Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL Server, for example **SqlServerMachine**.
For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance.
**Note**
If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**.
~~~
For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance.
Specify the **SQL Server Database name** that this reporting server will use, for example **AppvReporting**.
~~~
Specify the **SQL Server Database name** that this reporting server will use, for example **AppvReporting**.
7. On the **Configure Reporting Server Configuration** page.
- Specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name.
- Specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name.
- For the **Port binding**, specify a unique port number that will be used by App-V 5.1, for example **55555**. You should also ensure that the port specified is not being used by another website.
- For the **Port binding**, specify a unique port number that will be used by App-V 5.1, for example **55555**. You should also ensure that the port specified is not being used by another website.
8. Click **Install**.
**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
[About App-V 5.1 Reporting](about-app-v-51-reporting.md)
[Deploying App-V 5.1](deploying-app-v-51.md)
[How to Enable Reporting on the App-V 5.1 Client by Using PowerShell](how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md)

40
windows/client-management/mdm/policy-csp-update.md
View File

@ -1204,19 +1204,19 @@ The following list shows the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
</table>
@ -1234,7 +1234,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1709. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -1275,19 +1275,19 @@ Default value is 7.
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
</table>
@ -1305,7 +1305,7 @@ Default value is 7.
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1709. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -1346,19 +1346,19 @@ Default value is 7.
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
</table>
@ -1376,7 +1376,7 @@ Default value is 7.
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1709. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.
Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.
<!--/Description-->
<!--ADMXMapped-->
@ -1418,19 +1418,19 @@ Default value is 2.
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
</table>
@ -1448,7 +1448,7 @@ Default value is 2.
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1709. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart.
Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart.
When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline.
<!--/Description-->

2
windows/deployment/update/update-compliance-monitor.md
View File

@ -20,7 +20,7 @@ ms.topic: article
> [!IMPORTANT]
> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates:
>
> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/), which allows finer control over security features and updates.
> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
> * The Perspectives feature of Update Compliance will also be removed on March 31, 2020 in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.

2
windows/deployment/update/update-compliance-wd-av-status.md
View File

@ -18,7 +18,7 @@ ms.topic: article
> [!IMPORTANT]
> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/), which allows finer control over security features and updates.
> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png)

2
windows/deployment/windows-10-subscription-activation.md
View File

@ -89,7 +89,7 @@ For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 E
If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)
#### Muti-factor authentication
#### Multi-factor authentication
An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription.

3
windows/deployment/windows-autopilot/known-issues.md
View File

@ -26,6 +26,9 @@ ms.topic: article
<table>
<th>Issue<th>More information
<tr><td>Windows Autopilot user-driven Hybrid Azure AD deployments do not grant users Administrator rights even when specified in the Windows Autopilot profile.</td>
<td>This will occur when there is another user on the device that already has Administrator rights. For example, a PowerShell script or policy could create an additional local account that is a member of the Administrators group. To ensure this works properly, do not create an additional account until after the Windows Autopilot process has completed.</tr>
<tr><td>Windows Autopilot device provisioning can fail with TPM attestation errors or ESP timeouts on devices where the real-time clock is off by a significant amount of time (e.g. several minutes or more).</td>
<td>To fix this issue: <ol><li>Boot the device to the start of the out-of-box experience (OOBE).
<li>Establish a network connection (wired or wireless).

2
windows/security/threat-protection/TOC.md
View File

@ -31,7 +31,7 @@
### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
### [Configuration score](microsoft-defender-atp/configuration-score.md)
### [Security recommendation](microsoft-defender-atp/tvm-security-recommendation.md)
### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md)
### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)

12
windows/security/threat-protection/index.md
View File

@ -31,7 +31,7 @@ ms.topic: conceptual
</tr>
<tr>
<td colspan="7">
<a href="#apis"><center><b>Centratlized configuration and administration, APIs</a></b></center></td>
<a href="#apis"><center><b>Centralized configuration and administration, APIs</a></b></center></td>
</tr>
<tr>
<td colspan="7"><a href="#mtp"><center><b>Microsoft Threat Protection</a></center></b></td>
@ -42,9 +42,9 @@ ms.topic: conceptual
<a name="tvm"></a>
**[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**<br>
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
- [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
- [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
- [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
- [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
@ -97,7 +97,7 @@ Endpoint detection and response capabilities are put in place to detect, investi
<a name="ai"></a>
**[Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)**<br>
In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
- [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
- [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
@ -116,7 +116,7 @@ Microsoft Defender ATP includes a configuration score to help you dynamically as
<a name="mte"></a>
**[Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)**<br>
Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately.
Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately.
- [Targeted attack notification](microsoft-defender-atp/microsoft-threat-experts.md)
- [Experts-on-demand](microsoft-defender-atp/microsoft-threat-experts.md)
@ -139,7 +139,7 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
- Office 365 ATP
- Azure ATP
- Azure Security Center
- Skype for Business
- Skype for Business
- Microsoft Cloud App Security
<a name="mtp"></a>

2
windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
View File

@ -26,6 +26,8 @@ Conducting a comprehensive security product evaluation can be a complex process
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUM]
When you get started with the lab, you'll be guided through a simple set-up process where you can specify the type of configuration that best suits your needs.
After the lab setup process is complete, you can add Windows 10 or Windows Server 2019 machines. These test machines come pre-configured to have the latest and greatest OS versions with the right security components in place and Office 2019 Standard installed.

BIN
windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout500.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 51 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy500.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 64 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy500.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations350.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 68 KiB

3
windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
View File

@ -30,6 +30,9 @@ When you investigate an incident, you'll see:
- Incident comments and actions
- Tabs (alerts, machines, investigations, evidence, graph)
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUV]
## Analyze incident details
Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph).

123
windows/security/threat-protection/microsoft-defender-atp/licensing.md
View File

@ -1,123 +0,0 @@
---
title: Validate licensing provisioning and complete Microsoft Defender ATP set up
description: Validating licensing provisioning, setting up initial preferences, and completing the user set up for Microsoft Defender Advanced Threat Protection portal.
keywords: license, licensing, account, set up, validating licensing, windows defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Validate licensing provisioning and complete set up for Microsoft Defender ATP
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-validatelicense-abovefoldlink)
## Check license state
Checking for the license state and whether it got properly provisioned, can be done through the admin center or through the **Microsoft Azure portal**.
1. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
![Image of Azure Licensing page](images/atp-licensing-azure-portal.png)
1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**.
- On the screen you will see all the provisioned licenses and their current **Status**.
![Image of billing licenses](images/atp-billing-subscriptions.png)
## Cloud Service Provider validation
To gain access into which licenses are provisioned to your company, and to check the state of the licenses, go to the admin center.
1. From the **Partner portal**, click on the **Administer services > Office 365**.
2. Clicking on the **Partner portal** link will leverage the **Admin on behalf** option and will give you access to the customer admin center.
![Image of O365 admin portal](images/atp-O365-admin-portal-customer.png)
## Access Microsoft Defender Security Center for the first time
When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created.
1. Each time you access the portal you will need to validate that you are authorized to access the product. This **Set up your permissions** step will only be available if you are not currently authorized to access the product.
![Image of Set up your permissions for Microsoft Defender ATP](images/atp-setup-permissions-wdatp-portal.png)
Once the authorization step is completed, the **Welcome** screen will be displayed.
2. The **Welcome** screen will provide some details as to what is about to occur during the set up wizard.
![Image of Welcome screen for portal set up](images/welcome1.png)
You will need to set up your preferences for Microsoft Defender Security Center.
3. Set up preferences
![Image of geographic location in set up](images/setup-preferences.png)
1. **Select data storage location** <br> When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United States, the European Union, or the United Kingdom. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
> [!WARNING]
> This option cannot be changed without completely offboarding from Microsoft Defender ATP and completing a new enrollment process.
2. **Select the data retention policy** <br> Microsoft Defender ATP will store data up to a period of 6 months in your cloud instance, however, you have the option to set the data retention period for a shorter timeframe during this step of the set up process.
> [!NOTE]
> This option can be changed at a later time.
3. **Select the size of your organization** <br> You will need to indicate the size of your organization based on an estimate of the number of employees currently employed.
> [!NOTE]
> The **organization size** question is not related to how many licenses were purchased for your organization. It is used by the service to optimize the creation of the data cluster for your organization.
4. **Turn on preview features** <br> Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on **Preview features**.
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
- Toggle the setting between On and Off to choose **Preview features**.
> [!NOTE]
> This option can be changed at a later time.
4. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**.
> [!NOTE]
> Some of these options can be changed at a later time in Microsoft Defender Security Center.
![Image of final preference set up](images/setup-preferences2.png)
5. A dedicated cloud instance of Microsoft Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete.
6. You are almost done. Before you can start using Microsoft Defender ATP you'll need to:
- [Onboard Windows 10 machines](configure-endpoints.md)
- Run detection test (optional)
![Image of Onboard machines and run detection test](images/atp-onboard-endpoints-run-detection-test.png)
> [!IMPORTANT]
> If you click **Start using Microsoft Defender ATP** before onboarding machines you will receive the following notification:
> ![Image of setup imcomplete](images/atp-setup-incomplete.png)
7. After onboarding machines you can click **Start using Microsoft Defender ATP**. You will now launch Microsoft Defender ATP for the first time.
## Related topics
- [Onboard machines to the Microsoft Defender Advanced Threat Protection service](onboard-configure.md)
- [Troubleshoot onboarding process and portal access issues](troubleshoot-onboarding-error-messages.md)

2
windows/security/threat-protection/microsoft-defender-atp/live-response.md
View File

@ -27,6 +27,8 @@ Live response is a capability that gives you instantaneous access to a machine u
Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUW]
With live response, analysts will have the ability to:
- Run basic and advanced commands to do investigative work
- Download files such as malware samples and outcomes of PowerShell scripts

7
windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
View File

@ -26,6 +26,13 @@ ms.topic: conceptual
>
> If you have previously whitelisted the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to whitelist the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to whitelist the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
## 100.86.92
- Improvements around compatibility with Time Machine
- Addressed an issue where the product was sometimes not cleaning all files under `/Library/Application Support/Microsoft/Defender` during uninstallation
- Reduced the CPU utilization of the product when Microsoft products are updated through Microsoft AutoUpdate
- Other performance improvements & bug fixes
## 100.86.91
> [!CAUTION]

3
windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
View File

@ -34,6 +34,9 @@ Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution th
Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Microsoft Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4yQ]
The integration provides the following major improvements to the existing Cloud App Security discovery:
- Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers.

2
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
View File

@ -59,7 +59,7 @@ Microsoft Defender ATP uses the following combination of technology built into W
</tr>
<tr>
<td colspan="7">
<a href="#apis"><center><b>Centratlized configuration and administration, APIs</a></b></center></td>
<a href="#apis"><center><b>Centralized configuration and administration, APIs</a></b></center></td>
</tr>
<tr>
<td colspan="7"><a href="#mtp"><center><b>Microsoft Threat Protection</a></center></b></td>

7
windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
View File

@ -28,11 +28,14 @@ Offboard machine from Microsoft Defender ATP.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
- Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
[!include[Machine actions note](../../includes/machineactionsnote.md)]
>[!Note]
> This does not support offboarding macOS Devices.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -83,4 +86,4 @@ Content-type: application/json
{
"Comment": "Offboard machine by automation"
}
```
```

3
windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
View File

@ -29,6 +29,9 @@ ms.topic: article
Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](advanced-hunting-overview.md) to an [Event Hubs](https://docs.microsoft.com/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/azure/event-hubs/).
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4ga]
## In this section
Topic | Description

106
windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
View File

@ -1,6 +1,6 @@
---
title: Security recommendation
description: The weaknesses identified in the environment are mapped to actionable security recommendations and prioritized by their impact on the organizational exposure score.
title: Security recommendations
description: Get actionable security recommendations prioritized by threat, likelihood to be breached, and value.
keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -8,17 +8,18 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/11/2019
---
# Security recommendation
# Security recommendations
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!TIP]
@ -26,80 +27,77 @@ ms.date: 04/11/2019
[!include[Prerelease information](../../includes/prerelease.md)]
The cyber security weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance.
Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendation helps shorten the time to mitigate or remediate vulnerabilities and drive compliance.
Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
## The basis of the security recommendation
Each machine in the organization is scored based on three important factors: threat, likelihood to be breached, and value, to help customers to focus on the right things at the right time.
## Criteria
- Threat - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
Each machine in the organization is scored based on three important factors to help customers to focus on the right things at the right time.
- Breach likelihood - Your organization's security posture and resilience against threats
- **Threat** - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
- Business value - Your organization's assets, critical processes, and intellectual properties
- **Breach likelihood** - Your organization's security posture and resilience against threats
- **Business value** - Your organization's assets, critical processes, and intellectual properties
## Navigate through your security recommendations
## Navigate to security recommendations
You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need, as you require it.
You can access security recommendations from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page.
*Security recommendations option from the left navigation menu*
### Top security recommendations in the Threat & Vulnerability Management dashboard
1. Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open up the list of security recommendations for the threats and vulnerabilities found in your organization. It gives you an overview of the security recommendation context: weaknesses found, related components, the application and operating system where the threat or vulnerabilities were found, network, accounts, and security controls, associated breach, threats, and recommendation insights, exposed machine trends, status, remediation type and activities.
![Screenshot of Security recommendations page](images/tvmsecrec-updated.png)
In a given day as a Security Administrator, you can take a look at the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [configuration score](configuration-score.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
>[!NOTE]
> The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens when the numbers on the right hand side is greater than whats on the left, which means an increase or decrease at the end of even a single machine will change the graph's color.
![Screenshot of security recommendations page](images/top-security-recommendations350.png)
You can filter your view based on related components, status, and remediation type. If you want to see the remediation activities of software and software versions which have reached their end-of-life, select **Active**, then select **Software update** from the **Remediation Type** filter, and click **Apply**.
<br></br>![Screenshot of the remediation type filters for software update and uninstall](images/remediationtype-swupdatefilter.png)
The top security recommendations lists the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details about the recommendation.
2. Select the security recommendation that you need to investigate or process.
<br></br>![Screenshot of the security recommendation page flyout for a software which reached its end-of-life](images/secrec-flyouteolsw.png)
### Navigation menu
*Top security recommendations from the dashboard*
Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open the list of security recommendations for the threats and vulnerabilities found in your organization.
In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
## Security recommendations overview
The top security recommendations lists down the improvement opportunities prioritized based on the three important factors mentioned in the previous section - threat, likelihood to be breached, and value.
You will be able to view the recommendation, the number of weaknesses found, related components, threat insights, number of exposed machines, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags.
You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, vulnerabilities, other threats found, how many exposed devices are associated with the security recommendation, and business impact of each security recommendation on the organizational exposure and configuration score.
The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens when the numbers on the right hand side is greater than what's on the left, which means an increase or decrease at the end of even a single machine will change the graph's color.
From that page, you can do any of the following depending on what you need to do:
![Screenshot of security recommendations page](images/tvmsecrec-updated.png)
- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-life, and charts so you can see the exposure trend over time.
Select the security recommendation that you want to investigate or process.
- Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
![Screenshot of the security recommendation page flyout for a software which reached its end-of-life](images/secrec-flyouteolsw.png)
- Choose from exception options - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive.
From the flyout, you can do any of the following:
- **Open software page** - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-life, and charts so you can see the exposure trend over time.
- **Remediation options** - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
- **Exception options** - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive.
>[!NOTE]
>When a change is made on a machine, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center.
## Report inaccuracy
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information in the machine page.
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information.
1. Select the **Security recommendation** tab.
1. Open the Security recommendation.
2. Click **:** beside the security recommendation that you want to report about, then select **Report inaccuracy**.
![Screenshot of Report inaccuracy control from the machine page under the Security recommendation column](images/tvm-report-inaccuracy.png)
<br>A flyout pane opens.</br>
![Screenshot of Report inaccuracy flyout pane](images/tvm-report-inaccuracyflyout.png)
2. Select the three dots beside the security recommendation that you want to report, then select **Report inaccuracy**.
3. From the flyout pane, select the inaccuracy category from the drop-down menu.
<br>![Screenshot of Report inaccuracy categories drop-down menu](images/tvm-report-inaccuracyoptions.png)</br>
![Screenshot of Report inaccuracy control](images/report-inaccuracy500.png)
4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
5. Include your machine name for investigation context.
>[!TIP]
> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
![Screenshot of Report inaccuracy flyout pane](images/report-inaccuracy-flyout500.png)
4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
@ -109,9 +107,9 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Recommendation APIs](vulnerability.md)
- [Machine APIs](machine.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)

56
windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
View File

@ -8,33 +8,37 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/11/2019
---
# Software inventory
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
## Navigate through your software inventory
1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact, tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached their end-of-life.
1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact to exposure score, tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support.
![Screenshot of software inventory page](images/software_inventory_filter.png)
2. In the **Software inventory** page, select the software that you want to investigate and a flyout panel opens up with the same details mentioned above but in a more compact view. You can either dive deeper into the investigation and select **Open software page** or flag any technical inconsistencies by selecting **Report inaccuracy**.
3. Select **Open software page** to dive deeper into your software inventory to see how many weaknesses are discovered in the software, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified. From the **Version distribution** tab, you can also filter the view by **Version EOL** if you want to see the software versions that has reached their end-of-life which needs to be uninstalled, replaced, or updated.
2. In the **Software inventory** page, select the software that you want to investigate and a flyout panel opens up with the same details mentioned above but in a more compact view. You can either dive deeper into the investigation and select **Open software page** or flag any technical inconsistencies by selecting **Report inaccuracy**.
3. Select **Open software page** to dive deeper into your software inventory to see how many weaknesses are discovered in the software, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified.
## How it works
In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment.
In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment.
Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.
@ -42,29 +46,22 @@ Since it is real-time, in a matter of minutes, you will see vulnerability inform
You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information in the machine page.
1. Select the **Software inventory** tab.
1. Select one of the software rows. A flyout will appear.
2. Click **:** beside the software that you want to report about, and then select **Report inaccuracy**.
![Screenshot of Report inaccuracy control from the machine page under the Software inventory column](images/tvm_report_inaccuracy_software.png)
<br>A flyout pane opens.</br>
![Screenshot of Report inaccuracy flyout pane](images/tvm_report_inaccuracy_softwareflyout.png)
2. Select "Report inaccuracy" in the flyout
3. From the flyout pane, select the inaccuracy category from the **Software inventory inaccuracy reason** drop-down menu.
<br>![Screenshot of Report inaccuracy software inventory inaccuracy reason drop-down menu](images/tvm_report_inaccuracy_softwareoptions.png)</br>
![Screenshot of Report inaccuracy control](images/software-inventory-report-inaccuracy500.png)
4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
5. Include your machine name for investigation context.
>[!NOTE]
> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
![Screenshot of Report inaccuracy flyout pane](images/report-inaccuracy-flyout500.png)
4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
@ -72,10 +69,9 @@ You can report a false positive when you see any vague, inaccurate version, inco
- [Remediation and exception](tvm-remediation.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Recommendation APIs](vulnerability.md)
- [Machine APIs](machine.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)

19
windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md
View File

@ -24,10 +24,12 @@ ms.collection:
## What is shadow protection?
Shadow protection (currently in [limited private preview](#can-i-participate-in-the-private-preview-of-shadow-protection)) extends behavioral-based blocking and containment capabilities by blocking malicious artifacts or behaviors even if [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) is not your active antivirus protection. If your organization has decided to use an antivirus solution other than Windows Defender Antivirus, you are still protected through shadow protection.
When enabled, shadow protection extends behavioral-based blocking and containment capabilities by blocking malicious artifacts or behaviors observed through post-breach protection. This is the case even if [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) is not your active antivirus protection. Shadow protection is useful if your organization has not fully transitioned to Windows Defender Antivirus and if you are presently using a third-party antivirus solution. Shadow protection works behind the scenes by remediating malicious entities identified in post-breach protection that the existing third-party antivirus solution missed.
> [!TIP]
> To get the best protection, [deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline). And see [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus).
> [!NOTE]
> Shadow protection is currently in [limited private preview](#can-i-participate-in-the-private-preview-of-shadow-protection).
To get the best protection, [deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline). And see [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus).
## What happens when something is detected?
@ -39,6 +41,9 @@ The following images shows an instance of unwanted software that was detected an
## Turn on shadow protection
> [!IMPORTANT]
> Make sure the [requirements](#requirements-for-shadow-protection) are met before turning shadow protection on.
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. Choose **Settings** > **Advanced features**.
@ -48,18 +53,18 @@ The following images shows an instance of unwanted software that was detected an
3. Turn shadow protection on.
> [!NOTE]
> Currently, shadow protection can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to turn shadow protection on or off at this time.
> Shadow protection can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to turn shadow protection on or off.
## Requirements for shadow protection
|Requirement |Details |
|---------|---------|
|Permissions |One of the following roles should be assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal): <br/>- Security Administrator or Global Administrator <br/>- Security Reader <br/>See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). |
|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). |
|Operating system |One of the following: <br/>- Windows 10 (all releases) <br/>- Windows Server 2016 or later |
|Windows E5 enrollment |This is included in the following subscriptions: <br/>- Microsoft 365 E5 <br/>- Microsoft 365 E3 together with the Identity & Threat Protection offering <br/>See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [Features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
|Cloud-delivered protection |Make sure Windows Defender Antivirus is configured such that cloud-delivered protection is enabled. <br/>See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus). |
|Windows Defender Antivirus antimalware client |To make sure your client is up to date, using PowerShell, run the `Get-MpComputerStatus` cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
|Windows Defender Antivirus engine |To make sure your engine is up to date, using PowerShell, run the `Get-MpComputerStatus` cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
|Windows Defender Antivirus antimalware client |To make sure your client is up to date, using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
|Windows Defender Antivirus engine |To make sure your engine is up to date, using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
> [!IMPORTANT]
> To get the best protection value, make sure Windows Defender Antivirus is configured to receive regular updates and other essential features, such as behavioral monitoring, IOfficeAV, tamper protection, and more. See [Protect security settings with tamper protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection)

11
windows/security/threat-protection/windows-defender-application-control/TOC.md
View File

@ -21,23 +21,24 @@
### [Audit WDAC policies](audit-windows-defender-application-control-policies.md)
### [Merge WDAC policies](merge-windows-defender-application-control-policies.md)
### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md)
### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md)
### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md)
### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md)
### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md)
### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md)
### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md)
### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
#### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
#### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)
#### [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-windows-defender-application-control.md)
### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md)
### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md)
### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md)
#### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md)
### [Disable WDAC policies](disable-windows-defender-application-control-policies.md)
### [LOB Win32 Apps on S Mode](LOB-win32-apps-on-s.md)
## [Windows Defender Application Control operational guide](windows-defender-application-control-operational-guide.md)
### [Understanding Application Control events](event-id-explanations.md)
### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md)
## [AppLocker](applocker\applocker-overview.md)
### [Administer AppLocker](applocker\administer-applocker.md)

80
windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md Normal file
View File

@ -0,0 +1,80 @@
---
title: Understanding Application Control events (Windows 10)
description: Learn what different Windows Defender Application Control events signify.
keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 3/17/2020
---
# Understanding Application Control events
A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
1. Event IDs beginning with 30 appear in Applications and Services logs Microsoft Windows CodeIntegrity Operational
2. Event IDs beginning with 80 appear in Applications and Services logs Microsoft Windows AppLocker MSI and Script
## Microsoft Windows CodeIntegrity Operational log event IDs
| Event ID | Explanation |
|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 3076 | Audit executable/dll file |
| 3077 | Block executable/dll file |
| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.<br>Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. |
| 3099 | Indicates that a policy has been loaded |
## Microsoft Windows Applocker MSI and Script log event IDs
| Event ID | Explanation |
|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. |
| 8029 | Block script/MSI file |
| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. | |
## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events
If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information.
| Event ID | Explanation |
|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 3090 | Allow executable/dll file |
| 3091 | Audit executable/dll file |
| 3092 | Block executable/dll file |
3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated.
### SmartLocker template
Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates.
| Name | Explanation |
|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. |
| ManagedInstallerEnabled | Policy trusts a MI |
| PassesManagedInstaller | File originated from a trusted MI |
| SmartlockerEnabled | Policy trusts the ISG |
| PassesSmartlocker | File had positive reputation |
| AuditEnabled | True if the policy is in audit mode, otherwise it is in enforce mode |
### Enabling ISG and MI diagnostic events
In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command:
```powershell
reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100
```
In order to enable 3090 allow events, you must create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command:
```powershell
reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300
```

91
windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
View File

@ -1,91 +0,0 @@
---
title: Signing Windows Defender Application Control policies with SignTool.exe (Windows 10)
description: SSigned WDAC policies give organizations the highest level of malware protection available in Windows 10.
keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 02/21/2018
---
# Signing Windows Defender Application Control policies with SignTool.exe
**Applies to:**
- Windows 10
- Windows Server 2016
Signed WDAC policies give organizations the highest level of malware protection available in Windows 10.
In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer.
These policies are designed to prevent administrative tampering and kernel mode exploit access.
With this in mind, it is much more difficult to remove signed WDAC policies.
Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run.
Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward.
If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA.
Before signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
To sign a WDAC policy with SignTool.exe, you need the following components:
- SignTool.exe, found in the Windows SDK (Windows 7 or later)
- The binary format of the WDAC policy that you generated in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section or another WDAC policy that you have created
- An internal CA code signing certificate or a purchased code signing certificate
If you do not have a code signing certificate, see the [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) section for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
1. Initialize the variables that will be used:
`$CIPolicyPath=$env:userprofile+"\Desktop\"`
`$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
`$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
> [!NOTE]
> This example uses the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing users personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.
4. Navigate to your desktop as the working directory:
`cd $env:USERPROFILE\Desktop`
5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy:
`Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User Update`
> [!NOTE]
> \<Path to exported .cer certificate> should be the full path to the certificate that you exported in step 3.
Also, adding update signers is crucial to being able to modify or disable this policy in the future.
6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
`Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete`
7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format:
`ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
8. Sign the WDAC policy by using SignTool.exe:
`<Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
> [!NOTE]
> The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).

6
windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
View File

@ -28,10 +28,8 @@ ms.date: 05/03/2018
- Windows Server 2016
Signed WDAC policies give organizations the highest level of malware protection available in Windows 10.
In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer.
These policies are designed to prevent administrative tampering and kernel mode exploit access.
With this in mind, it is much more difficult to remove signed WDAC policies.
Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies.
Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run.
Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward.

42
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md Normal file
View File

@ -0,0 +1,42 @@
---
title: Managing and troubleshooting Windows Defender Application Control policies (Windows 10)
description: Gather information about how your deployed Windows Defender Application Control policies are behaving.
keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 03/16/2020
---
# Windows Defender Application Control operational guide
**Applies to**
- Windows 10
- Windows Server 2016
After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanted Threat Protection (MDATP) Advanced Hunting feature.
## WDAC Events Overview
WDAC generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable allow events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured.
WDAC events are generated under two locations:
1. Applications and Services logs Microsoft Windows CodeIntegrity Operational
2. Applications and Services logs Microsoft Windows AppLocker MSI and Script
## In this section
| Topic | Description |
| - | - |
| [Understanding Application Control events](event-id-explanations.md) | This topic explains the meaning of different WDAC events. |
| [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP. |