diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 0cf060785e..2085738ae8 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -2044,6 +2044,11 @@
"source_path": "windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis",
"redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list",
+ "redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md",
@@ -15110,6 +15115,11 @@
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip",
"redirect_document_id": true
},
+ {
+ "source_path": "windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip",
+ "redirect_document_id": false
+ },
{
"source_path": "windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/use-apis",
@@ -16514,6 +16524,16 @@
"source_path": "windows/hub/windows-10.yml",
"redirect_url": "https://docs.microsoft.com/windows/windows-10",
"redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr",
+ "redirect_document_id": false
}
]
}
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index 33b58da4ab..8a5ead4fe6 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -18,10 +18,10 @@ ms.date: 10/17/2017
# Distribute offline apps
-**Applies to**
+**Applies to:**
-- Windows 10
-- Windows 10 Mobile
+- Windows 10
+- Windows 10 Mobile
Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education. This model allows organizations to deploy apps when users or devices do not have connectivity to the Store.
@@ -29,23 +29,23 @@ Offline licensing is a new licensing option for Windows 10 with Microsoft Store
Offline-licensed apps offer an alternative to online apps, and provide additional deployment options. Some reasons to use offline-licensed apps:
-- **You don't have access to Microsoft Store services** - If your employees don't have access to the internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps.
+- **You don't have access to Microsoft Store services** - If your employees don't have access to the Internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps.
-- **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD).
+- **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD).
-- **Your employees do not have Azure Active Directory (AD) accounts** - Azure AD accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store.
+- **Your employees do not have Azure Active Directory (AD) accounts** - Azure AD accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store.
## Distribution options for offline-licensed apps
You can't distribute offline-licensed apps directly from Microsoft Store. Once you download the items for the offline-licensed app, you have options for distributing the apps:
-- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft Windows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows).
+- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft Windows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows).
-- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages).
+- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages).
-- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics:
+- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics:
- [Manage apps from Microsoft Store for Business with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- - [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune)
+ - [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/windows-store-for-business)
For third-party MDM providers or management servers, check your product documentation.
@@ -53,23 +53,22 @@ For third-party MDM providers or management servers, check your product document
There are several items to download or create for offline-licensed apps. The app package and app license are required; app metadata and app frameworks are optional. This section includes more info on each item, and tells you how to download an offline-licensed app.
-- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata.
+- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata.
-- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices.
+- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices.
-- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM.
+- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM.
-- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected.
+- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected.
-
-**To download an offline-licensed app**
+**To download an offline-licensed app**
-1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com).
-2. Click **Manage**.
-3. Click **Settings**.
-4. Click **Shop**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory.
-5. Click **Manage**. You now have access to download the appx bundle package metadata and license file.
-6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.)
+1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com).
+2. Click **Manage**.
+3. Click **Settings**.
+4. Click **Shop**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory.
+5. Click **Manage**. You now have access to download the appx bundle package metadata and license file.
+6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.)
- **To download app metadata**: Choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. This is optional.
- **To download app package**: Click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. This is required.
@@ -78,16 +77,3 @@ There are several items to download or create for offline-licensed apps. The app
> [!NOTE]
> You need the framework to support your app package, but if you already have a copy, you don't need to download it again. Frameworks are backward compatible.
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md
index 42f33e8015..82518ed170 100644
--- a/store-for-business/includes/store-for-business-content-updates.md
+++ b/store-for-business/includes/store-for-business-content-updates.md
@@ -2,6 +2,14 @@
+## Week of January 25, 2021
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 1/29/2021 | [Distribute offline apps (Windows 10)](/microsoft-store/distribute-offline-apps) | modified |
+
+
## Week of January 11, 2021
diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md
index 9bad3fe712..12547591ba 100644
--- a/windows/client-management/mdm/filesystem-csp.md
+++ b/windows/client-management/mdm/filesystem-csp.md
@@ -14,41 +14,38 @@ ms.date: 06/26/2017
# FileSystem CSP
-
The FileSystem configuration service provider is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device. It can retrieve information about or manage files in ROM, files in persistent store and files on any removable storage card that is present in the device. It works for files that are hidden from the user as well as those that are visible to the user.
-> **Note** FileSystem CSP is only supported in Windows 10 Mobile.
->
->
->
-> **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
+> [!NOTE]
+> FileSystem CSP is only supported in Windows 10 Mobile.
-
+> [!NOTE]
+> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
-**FileSystem**
+**FileSystem**
Required. Defines the root of the file system management object. It functions as the root directory for file system queries.
Recursive queries or deletes are not supported for this element. Add commands will add a new file or directory under the root path.
The following properties are supported for the root node:
-- `Name`: The root node name. The Get command is the only supported command.
+- `Name`: The root node name. The Get command is the only supported command.
-- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command is the only supported command.
+- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command is the only supported command.
-- `Format`: The format, which is `node`. The Get command is the only supported command.
+- `Format`: The format, which is `node`. The Get command is the only supported command.
-- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
+- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
-- `Size`: Not supported.
+- `Size`: Not supported.
-- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
+- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
-***file directory***
+***file directory***
Optional. Returns the name of a directory in the device file system. Any *file directory* element can contain directories and files as child elements.
The Get command returns the name of the file directory. The Get command with `?List=Struct` will recursively return all child element names (including sub-directory names). The Get command with `?list=StructData` query is not supported and returns a 406 error code.
@@ -61,19 +58,19 @@ The Delete command is used to delete all files and subfolders under this *file d
The following properties are supported for file directories:
-- `Name`: The file directory name. The Get command is the only supported command.
+- `Name`: The file directory name. The Get command is the only supported command.
-- `Type`: The MIME type of the file, which an empty string for directories that are not the root node. The Get command is the only supported command.
+- `Type`: The MIME type of the file, which is an empty string for directories that are not the root node. The Get command is the only supported command.
-- `Format`: The format, which is `node`. The Get command is the only supported command.
+- `Format`: The format, which is `node`. The Get command is the only supported command.
-- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
+- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
-- `Size`: Not supported.
+- `Size`: Not supported.
-- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
+- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file `winnt.h`. This supports the Get command and the Replace command.
-***file name***
+***file name***
Optional. Return a file in binary format. If the file is too large for the configuration service to return, it returns error code 413 (Request entity too large) instead.
The Delete command deletes the file.
@@ -86,29 +83,18 @@ The Get command is not supported on a *file name* element, only on the propertie
The following properties are supported for files:
-- `Name`: The file name. The Get command is the only supported command.
+- `Name`: The file name. The Get command is the only supported command.
-- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command.
+- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command.
-- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over wbxml. The Get command is the only supported command.
+- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over WBXML. The Get command is the only supported command.
-- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
+- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
-- `Size`: The unencoded file content size in bytes. The Get command is the only supported command.
+- `Size`: The unencoded file content size in bytes. The Get command is the only supported command.
-- `msft:SystemAttributes`: A custom property that contains file attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
+- `msft:SystemAttributes`: A custom property that contains file attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index f68a71f820..b106637736 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -677,7 +677,7 @@ The following list shows the supported values:
-Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app.
+Specifies the maximum amount of time (in seconds) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app.
* On Mobile, the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.
* On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy.
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index 3cd4ad2b71..ebadfd9803 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -1,5 +1,5 @@
---
-title: Customize Windows 10 Start and tasbkar with Group Policy (Windows 10)
+title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10)
description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain.
ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545
ms.reviewer:
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index de5f866595..bbafcf8b44 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -62,10 +62,11 @@ For information about setting up Delivery Optimization, including tips for the b
- DOMaxUploadBandwidth
- Support for new types of downloads:
- - Office installations and updates
+ - Office installs and updates
- Xbox game pass games
- MSIX apps (HTTP downloads only)
- - Edge browser installations and updates
+ - Edge browser installs and updates
+ - [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847)
## Requirements
@@ -90,7 +91,9 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Win32 apps for Intune | 1709 |
| Xbox game pass games | 2004 |
| MSIX apps (HTTP downloads only) | 2004 |
-| Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 |
+| Configuration Manager Express updates | 1709 + Configuration Manager version 1711 |
+| Edge browser installs and updates | 1809 |
+| [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) | 1903 |
> [!NOTE]
> Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910).
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 76e17626d7..01f89be64e 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -46,7 +46,7 @@ Application compatibility testing has historically been a burden when approachin
Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and diagnostic data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10.
-For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics s a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows).
+For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows).
### Device compatibility
diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
index 7389bcd273..0fcb1ad99c 100644
--- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
+++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
@@ -57,7 +57,7 @@ get-help get-VamtProduct -all
```
**Warning**
-The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=242278).
+The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/vamt).
**To view VAMT PowerShell Help sections**
diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md
index 7f7f58c2b8..16e55efb95 100644
--- a/windows/security/identity-protection/TOC.md
+++ b/windows/security/identity-protection/TOC.md
@@ -18,7 +18,7 @@
#### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md)
#### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md)
-## [Windows Hello for Business](hello-for-business/hello-identity-verification.md)
+## [Windows Hello for Business](hello-for-business/index.yml)
## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md)
### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index 215c86beea..e6e5fa20c1 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -1,5 +1,5 @@
---
-title: Multifactor Unlock
+title: Multi-factor Unlock
description: Learn how Windows 10 offers multifactor device unlock by extending Windows Hello with trusted signals.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
ms.prod: w10
@@ -16,7 +16,7 @@ localizationpriority: medium
ms.date: 03/20/2018
ms.reviewer:
---
-# Multifactor Unlock
+# Multi-factor Unlock
**Applies to:**
- Windows 10
@@ -83,15 +83,17 @@ For example, if you include the PIN and fingerprint credential providers in both
The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device.
### Rule element
-You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported schema version is 1.0.
+You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported schema version is 1.0.
+
**Example**
-```
+```xml
```
### Signal element
-Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values.
+Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values.
+
|Attribute|Value|
|---------|-----|
@@ -109,8 +111,8 @@ You define the bluetooth signal with additional attributes in the signal element
|rssiMin|"*number*"|no|
|rssiMaxDelta|"*number*"|no|
-Example:
-```
+**Example**
+```xml
@@ -142,63 +144,76 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw
You define IP configuration signals using one or more ipConfiguration elements. Each element has a string value. IpConfiguration elements do not have attributes or nested elements.
##### IPv4Prefix
-The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string. A **signal** element may only contain one **ipv4Prefix** element.
+The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string. A **signal** element may only contain one **ipv4Prefix** element.
+
**Example**
-```
+```xml
192.168.100.0/24
```
+
The assigned IPv4 addresses in the range of 192.168.100.1 to 192.168.100.254 match this signal configuration.
##### IPv4Gateway
-The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4Gateway** element.
+The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4Gateway** element.
+
**Example**
-```
+```xml
192.168.100.10
```
+
##### IPv4DhcpServer
-The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4DhcpServer** element.
+The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4DhcpServer** element.
+
**Example**
-```
+```xml
192.168.100.10
```
+
##### IPv4DnsServer
-The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements.
+The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements.
+
**Example:**
-```
+```xml
192.168.100.10
```
##### IPv6Prefix
-The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A **signal** element may only contain one **ipv6Prefix** element.
+The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A **signal** element may only contain one **ipv6Prefix** element.
+
**Example**
-```
+```xml
21DA:D3::/48
```
##### IPv6Gateway
-The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6Gateway** element.
+The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6Gateway** element.
+
**Example**
-```
+```xml
21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2
```
##### IPv6DhcpServer
-The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6DhcpServer** element.
+The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6DhcpServer** element.
+
**Example**
-```
+```xml
21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2
+The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. The **signal** element may contain one or more **ipv6DnsServer** elements.
+
**Example**
-```
+```xml
21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2
```
+
##### dnsSuffix
-The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements.
+The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements.
+
**Example**
-```
+```xml
corp.contoso.com
```
@@ -210,15 +225,17 @@ The fully qualified domain name of your organization's internal DNS suffix where
You define Wi-Fi signals using one or more wifi elements. Each element has a string value. Wifi elements do not have attributes or nested elements.
#### SSID
-Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required.
-```
+Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required.
+
+```xml
corpnetwifi
```
#### BSSID
-Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional.
+Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional.
+
**Example**
-```
+```xml
12-ab-34-ff-e5-46
```
@@ -235,19 +252,22 @@ Contains the type of security the client uses when connecting to the wireless ne
|WPA2-Enterprise| The wireless network is protected using Wi-Fi Protected Access 2-Enterprise.|
**Example**
-```
+```xml
WPA2-Enterprise
```
#### TrustedRootCA
-Contains the thumbprint of the trusted root certificate of the wireless network. This may be any valid trusted root certificate. The value is represented as hexadecimal string where each byte in the string is separated by a single space. This element is optional.
+Contains the thumbprint of the trusted root certificate of the wireless network. This may be any valid trusted root certificate. The value is represented as hexadecimal string where each byte in the string is separated by a single space. This element is optional.
+
**Example**
-```
+```xml
a2 91 34 aa 22 3a a2 3a 4a 78 a2 aa 75 a2 34 2a 3a 11 4a aa
```
+
#### Sig_quality
-Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal.
+Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal.
+
**Example**
-```
+```xml
80
```
@@ -257,7 +277,8 @@ These examples are wrapped for readability. Once properly formatted, the entire
#### Example 1
This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer, and DnsSuffix elements.
-```
+
+```xml
10.10.10.0/24
@@ -271,10 +292,11 @@ This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer,
#### Example 2
This example configures an IpConfig signal type using a dnsSuffix element and a bluetooth signal for phones. This configuration is wrapped for reading. Once properly formatted, the entire XML contents must be a single line. This example implies that either the ipconfig **or** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true.
+
>[!NOTE]
>Separate each rule element using a comma.
-```
+```xml
corp.contoso.com
@@ -284,9 +306,11 @@ This example configures an IpConfig signal type using a dnsSuffix element and a
```
+
#### Example 3
This example configures the same as example 2 using compounding And elements. This example implies that the ipconfig **and** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true.
-```
+
+```xml
@@ -296,9 +320,11 @@ This example configures the same as example 2 using compounding And elements. T
```
+
#### Example 4
This example configures Wi-Fi as a trusted signal (Windows 10, version 1803)
-```
+
+```xml
contoso
@@ -332,22 +358,34 @@ The Group Policy object contains the policy settings needed to trigger Windows H
> * You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can satisfy either category, but not both.
> * The multifactor unlock feature is also supported via the Passport for Work CSP. See [Passport For Work CSP](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) for more information.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Right-click **Group Policy object** and select **New**.
-4. Type *Multifactor Unlock* in the name box and click **OK**.
-5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**.
-6. In the navigation pane, expand **Policies** under **Computer Configuration**.
-7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
- 
-8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values.
- 
-9. Configure first and second unlock factors using the information in the [Configure Unlock Factors](#configuring-unlock-factors) section.
-10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in the [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider) section.
-11. Click **Ok** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers.
+1. Start the **Group Policy Management Console** (gpmc.msc).
- ## Troubleshooting
- Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**.
+2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+
+3. Right-click **Group Policy object** and select **New**.
+
+4. Type *Multifactor Unlock* in the name box and click **OK**.
+
+5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**.
+
+6. In the navigation pane, expand **Policies** under **Computer Configuration**.
+
+7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
+
+ 
+
+8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values.
+
+ 
+
+9. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configuring-unlock-factors).
+
+10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider).
+
+11. Click **OK** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers.
+
+## Troubleshooting
+Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**.
### Events
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index f3f064b1d1..95b07dfe0d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -1,5 +1,5 @@
---
-title: Windows Hello for Business Deployment Guide
+title: Windows Hello for Business Deployment Overview
description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
@@ -13,28 +13,35 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 08/29/2018
+ms.date: 01/21/2021
ms.reviewer:
---
-# Windows Hello for Business Deployment Guide
+# Windows Hello for Business Deployment Overview
**Applies to**
-- Windows 10, version 1703 or later
+
+- Windows 10, version 1703 or later
Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
-This deployment guide is to guide you through deploying Windows Hello for Business, based on the planning decisions made using the Planning a Windows Hello for Business Deployment Guide. It provides you with the information needed to successfully deploy Windows Hello for Business in an existing environment.
+This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization.
+
+Once you've chosen a deployment model, the deployment guide for the that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment.
+
+> [!NOTE]
+> Read the [Windows Hello for Business Deployment Prerequisite Overview](hello-identity-verification.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model.
## Assumptions
-This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
-* A well-connected, working network
-* Internet access
-* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning
-* Proper name resolution, both internal and external names
-* Active Directory and an adequate number of domain controllers per site to support authentication
-* Active Directory Certificate Services 2012 or later
-* One or more workstation computers running Windows 10, version 1703
+This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
+
+- A well-connected, working network
+- Internet access
+- Multi-factor Authentication Server to support MFA during Windows Hello for Business provisioning
+- Proper name resolution, both internal and external names
+- Active Directory and an adequate number of domain controllers per site to support authentication
+- Active Directory Certificate Services 2012 or later
+- One or more workstation computers running Windows 10, version 1703
If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.
@@ -46,15 +53,17 @@ Windows Hello for Business has three deployment models: Cloud, hybrid, and on-pr
Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
-The trust model determines how you want users to authenticate to the on-premises Active Directory:
-* The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication.
-* The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
-* The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
+The trust model determines how you want users to authenticate to the on-premises Active Directory:
+
+- The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication.
+- The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
+- The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
> [!NOTE]
> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard).
Following are the various deployment guides and models included in this topic:
+
- [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
- [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
- [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index 4dece74866..2c22e05685 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -45,6 +45,48 @@ After the initial logon attempt, the user's Windows Hello for Business public ke
To resolve this behavior, upgrade Windows Server 2016 and 2019 domain controllers to with the latest patches. For Windows Server 2016, this behavior is fixed in build 14393.4104 ([KB4593226](https://support.microsoft.com/help/4593226)) and later. For Windows Server 2019, this behavior is fixed in build 17763.1637 ([KB4592440](https://support.microsoft.com/help/4592440)).
+## Azure AD Joined Device Access to On-Premises Resources Using Key Trust and Third-Party Certificate Authority (CA)
+
+Applies to:
+
+- Azure AD joined key trust deployments
+- Third-party certificate authority (CA) issuing domain controller certificates
+
+Windows Hello for Business uses smart card based authentication for many operations. Smart card has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from an Azure AD Joined device does require special configuration when using a third-party CA to issue domain controller certificates.
+
+For more information, read [Guidelines for enabling smart card logon with third-party certification authorities](
+https://support.microsoft.com/topic/a34a400a-51d5-f2a1-c8c0-7a6c9c49cb78).
+
+### Identifying On-premises Resource Access Issues with Third-Party CAs
+
+This issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client will fail to place a TGS_REQ request when a user attempts to access a resource. On the client, this can be observed in the Kerberos operation event log under **Application and Services/Microsoft/Windows/Security-Kerberos/Operational**. These logs are default disabled. The failure event for this case will include the following information:
+
+ Log Name: Microsoft-Windows-Kerberos/Operational
+ Source: Microsoft-Windows-Security-Kerberos
+ Event ID: 107
+ GUID: {98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1}
+ Task Category: None
+ Level: Error
+ Keywords:
+ User: SYSTEM
+ Description:
+
+ The Kerberos client received a KDC certificate that does not have a matched domain name.
+
+ Expected Domain Name: ad.contoso.com
+ Error Code: 0xC000006D
+
+### Resolving On-premises Resource Access Issue with Third-Party CAs
+
+To resolve this issue, domain controller certificates need to be updated so the certificate subject contains directory path of the server object (distinguished name).
+Example Subject: CN=DC1 OU=Domain Controller, DC=ad, DC=contoso, DC=com
+
+Alternatively, you can set the subject alternative name (SAN) of the domain controller certificate to contain the server object's fully qualified domain name and the NETBIOS name of the domain.
+Example Subject Alternative Name:
+dns=dc1.ad.contoso.com
+dns=ad.contoso.com
+dns=ad
+
## Key Trust Authentication Broken for Windows Server 2019
Applies to:
diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md
deleted file mode 100644
index d35d4dea64..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-features.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Windows Hello for Business Features
-description: Consider additional features you can use after your organization deploys Windows Hello for Business.
-ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
-ms.reviewer:
-keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, PIN Reset, Dynamic Lock, Multifactor Unlock, Forgot PIN, Privileged credentials
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
-author: mapalko
-ms.author: mapalko
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
-ms.date: 11/27/2019
----
-# Windows Hello for Business Features
-
-**Applies to:**
-
-- Windows 10
-
-Consider these additional features you can use after your organization deploys Windows Hello for Business.
-
-## Conditional access
-
-Azure Active Directory provides a wide set of options for protecting access to corporate resources. Conditional access provides more fine grained control over who can access certain resources and under what conditions. For more information see [Conditional Access](hello-feature-conditional-access.md).
-
-## Dynamic lock
-
-Dynamic lock uses a paired Bluetooth device to determine user presence and locks the device if a user is not present. For more information and configuration steps see [Dynamic Lock](hello-feature-dynamic-lock.md).
-
-## PIN reset
-
-Windows Hello for Business supports user self-management of their PIN. If a user forgets their PIN, they have the ability to reset it from Settings or the lock screen. The Microsoft PIN reset service can be used for completing this reset without the user needing to enroll a new Windows Hello for Business credential. For more information and configuration steps see [Pin Reset](hello-feature-pin-reset.md).
-
-## Dual Enrollment
-
-This feature enables provisioning of administrator Windows Hello for Business credentials that can be used by non-privileged accounts to perform administrative actions. These credentials can be used from the non-privileged accounts using **Run as different user** or **Run as administrator**. For more information and configuration steps see [Dual Enrollment](hello-feature-dual-enrollment.md).
-
-## Remote Desktop
-
-Users with Windows Hello for Business certificate trust can use their credential to authenticate to remote desktop sessions over RDP. When authenticating to the session, biometric gestures can be used if they are enrolled. For more information and configuration steps see [Remote Desktop](hello-feature-remote-desktop.md).
-
-## Related topics
-
-- [Windows Hello for Business](hello-identity-verification.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
deleted file mode 100644
index 0e03beb9e3..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: How Windows Hello for Business works - Technical Deep Dive
-description: Deeply explore how Windows Hello for Business works, and how it can help your users authenticate to services.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, works
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
-author: mapalko
-ms.author: mapalko
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
-ms.date: 08/19/2018
-ms.reviewer:
----
-# Technical Deep Dive
-
-**Applies to:**
-- Windows 10
-
-Windows Hello for Business authentication works through collection of components and infrastructure working together. You can group the infrastructure and components in three categories:
-- [Registration](#registration)
-- [Provisioning](#provisioning)
-- [Authentication](#authentication)
-
-## Registration
-
-Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
-
-[How Device Registration Works](hello-how-it-works-device-registration.md)
-
-
-## Provisioning
-
-Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
-After successfully completing the second factor of authentication, the user is asked to enroll biometrics (if available on the device) and create PIN as a backup gesture. Windows then registers the public version of the Windows Hello for Business credential with the identity provider.
-For cloud and hybrid deployments, the identity provider is Azure Active Directory and the user registers their key with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the user registers their key with the enterprise device registration service hosted on the federation servers.
-Provision can occur automatically through the out-of-box-experience (OOBE) on Azure Active Directory joined devices, or on hybrid Azure Active Directory joined devices where the user or device is influenced by Windows Hello for Business policy settings. Users can start provisioning through **Add PIN** from Windows Settings. Watch the [Windows Hello for Business enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience) from our [Videos](hello-videos.md) page.
-
-[How Windows Hello for Business provisioning works](hello-how-it-works-provisioning.md)
-
-## Authentication
-
-Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
-
-[How Windows Hello for Business authentication works](hello-how-it-works-authentication.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index 528c1b6fe8..c9844c3d80 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -19,29 +19,46 @@ ms.reviewer:
**Applies to**
-- Windows 10
+- Windows 10
-Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
+Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features.
> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
## Technical Deep Dive
-Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the components and how they support Windows Hello for Business.
+Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the categories and how they support Windows Hello for Business.
-Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning and authentication work.
+### Device Registration
+
+Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
+
+For more information read [how device registration works](hello-how-it-works-device-registration.md).
+
+### Provisioning
+
+Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
+
+Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works.
> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
+
+For more information read [how provisioning works](hello-how-it-works-provisioning.md).
+
+### Authentication
+
+With the device registered and provisioning complete, users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
+
+Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
+
> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
-- [Technology and Terminology](hello-how-it-works-technology.md)
-- [Device Registration](hello-how-it-works-device-registration.md)
-- [Provisioning](hello-how-it-works-provisioning.md)
-- [Authentication](hello-how-it-works-authentication.md)
+For more information read [how authentication works](hello-how-it-works-authentication.md).
## Related topics
+- [Technology and Terminology](hello-how-it-works-technology.md)
- [Windows Hello for Business](hello-identity-verification.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 4d3512719a..d53a57bff1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -1,6 +1,6 @@
---
-title: Windows Hello for Business (Windows 10)
-description: Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices.
+title: Windows Hello for Business Deployment Prerequisite Overview
+description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
ms.reviewer:
keywords: identity, PIN, biometric, Hello, passport
@@ -15,29 +15,14 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 05/05/2018
+ms.date: 1/22/2021
---
-# Windows Hello for Business
+# Windows Hello for Business Deployment Prerequisite Overview
-In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
-Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account.
+This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business.
-Windows Hello addresses the following problems with passwords:
-
-- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
-- Server breaches can expose symmetric network credentials (passwords).
-- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673).
-- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing).
-
-> | | | |
-> | :---: | :---: | :---: |
-> | [](hello-overview.md)[Overview](hello-overview.md) | [](hello-why-pin-is-better-than-password.md)[Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [](hello-manage-in-organization.md)[Manage Windows Hello in your Organization](hello-manage-in-organization.md) |
-
-
-## Prerequisites
-
-### Cloud Only Deployment
+## Cloud Only Deployment
* Windows 10, version 1511 or later
* Microsoft Azure Account
@@ -46,9 +31,9 @@ Windows Hello addresses the following problems with passwords:
* Modern Management (Intune or supported third-party MDM), *optional*
* Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory
-### Hybrid Deployments
+## Hybrid Deployments
-The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
+The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
| Key trustGroup Policy managed | Certificate trustMixed managed | Key trustModern managed | Certificate trustModern managed |
| --- | --- | --- | --- |
@@ -76,7 +61,7 @@ The table shows the minimum requirements for each deployment. For key trust in a
> Reset above lock screen - Windows 10, version 1709, Professional
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
-### On-premises Deployments
+## On-premises Deployments
The table shows the minimum requirements for each deployment.
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 265aa7219d..57805caf8b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -19,13 +19,15 @@ ms.reviewer:
# Planning a Windows Hello for Business Deployment
**Applies to**
-- Windows 10
+
+- Windows 10
Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs.
-If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup).
+> [!Note]
+>If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup).
## Using this guide
@@ -38,12 +40,13 @@ This guide removes the appearance of complexity by helping you make decisions on
Read this document and record your decisions on the worksheet. When finished, your worksheet has all the necessary information for your Windows Hello for Business deployment.
There are six major categories you need to consider for a Windows Hello for Business deployment. Those categories are:
-* Deployment Options
-* Client
-* Management
-* Active Directory
-* Public Key Infrastructure
-* Cloud
+
+- Deployment Options
+- Client
+- Management
+- Active Directory
+- Public Key Infrastructure
+- Cloud
### Baseline Prerequisites
@@ -58,13 +61,16 @@ The goal of Windows Hello for Business is to enable deployments for all organiza
There are three deployment models from which you can choose: cloud only, hybrid, and on-premises.
##### Cloud only
+
The cloud only deployment model is for organizations who only have cloud identities and do not access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint, OneDrive, and others. Also, because these users do not use on-premises resources, they do not need certificates for things like VPN because everything they need is hosted in Azure.
##### Hybrid
+
The hybrid deployment model is for organizations that:
-* Are federated with Azure Active Directory
-* Have identities synchronized to Azure Active Directory using Azure Active Directory Connect
-* Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
+
+- Are federated with Azure Active Directory
+- Have identities synchronized to Azure Active Directory using Azure Active Directory Connect
+- Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
> [!Important]
> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
@@ -154,7 +160,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in
### Cloud
-Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional.
+Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from those that are optional.
## Planning a Deployment
@@ -332,7 +338,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H
If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet.
-If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account (additional costs needed for multi-factor authentication).
+If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details, see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing).
If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature.
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
new file mode 100644
index 0000000000..4282b8e701
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@@ -0,0 +1,110 @@
+### YamlMime:Landing
+
+title: Windows Hello for Business documentation
+summary: Learn how to manage and deploy Windows Hello for Business.
+
+metadata:
+ title: Windows Hello for Business documentation
+ description: Learn how to manage and deploy Windows Hello for Business.
+ ms.prod: w10
+ ms.topic: landing-page
+ author: mapalko
+ manager: dansimp
+ ms.author: mapalko
+ ms.date: 01/22/2021
+ ms.collection: M365-identity-device-management
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card
+ - title: About Windows Hello For Business
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Windows Hello for Business Overview
+ url: hello-overview.md
+ - linkListType: concept
+ links:
+ - text: Passwordless Strategy
+ url: passwordless-strategy.md
+ - text: Why a PIN is better than a password
+ url: hello-why-pin-is-better-than-password.md
+ - text: Windows Hello biometrics in the enterprise
+ url: hello-biometrics-in-enterprise.md
+ - text: How Windows Hello for Business works
+ url: hello-how-it-works.md
+ - linkListType: learn
+ links:
+ - text: Technical Deep Dive - Device Registration
+ url: hello-how-it-works-device-registration.md
+ - text: Technical Deep Dive - Provisioning
+ url: hello-how-it-works-provisioning.md
+ - text: Technical Deep Dive - Authentication
+ url: hello-how-it-works-authentication.md
+ - text: Technology and Terminology
+ url: hello-how-it-works-technology.md
+ - text: Frequently Asked Questions (FAQ)
+ url: hello-faq.yml
+
+ # Card
+ - title: Configure and manage Windows Hello for Business
+ linkLists:
+ - linkListType: concept
+ links:
+ - text: Windows Hello for Business Deployment Overview
+ url: hello-deployment-guide.md
+ - text: Planning a Windows Hello for Business Deployment
+ url: hello-planning-guide.md
+ - text: Deployment Prerequisite Overview
+ url: hello-identity-verification.md
+ - linkListType: how-to-guide
+ links:
+ - text: Hybrid Azure AD Joined Key Trust Deployment
+ url: hello-hybrid-key-trust.md
+ - text: Hybrid Azure AD Joined Certificate Trust Deployment
+ url: hello-hybrid-cert-trust.md
+ - text: On-premises SSO for Azure AD Joined Devices
+ url: hello-hybrid-aadj-sso.md
+ - text: On-premises Key Trust Deployment
+ url: hello-deployment-key-trust.md
+ - text: On-premises Certificate Trust Deployment
+ url: hello-deployment-cert-trust.md
+ - linkListType: learn
+ links:
+ - text: Manage Windows Hello for Business in your organization
+ url: hello-manage-in-organization.md
+ - text: Windows Hello and password changes
+ url: hello-and-password-changes.md
+ - text: Prepare people to use Windows Hello
+ url: hello-prepare-people-to-use.md
+
+ # Card
+ - title: Windows Hello for Business Features
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Conditional Access
+ url: hello-feature-conditional-access.md
+ - text: PIN Reset
+ url: hello-feature-pin-reset.md
+ - text: Dual Enrollment
+ url: hello-feature-dual-enrollment.md
+ - text: Dynamic Lock
+ url: hello-feature-dynamic-lock.md
+ - text: Multi-factor Unlock
+ url: feature-multifactor-unlock.md
+ - text: Remote Desktop
+ url: hello-feature-remote-desktop.md
+
+ # Card
+ - title: Windows Hello for Business Troubleshooting
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Known Deployment Issues
+ url: hello-deployment-issues.md
+ - text: Errors During PIN Creation
+ url: hello-errors-during-pin-creation.md
diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md
deleted file mode 100644
index b046ac97ee..0000000000
--- a/windows/security/identity-protection/hello-for-business/toc.md
+++ /dev/null
@@ -1,72 +0,0 @@
-# [Windows Hello for Business](hello-identity-verification.md)
-
-## [Password-less Strategy](passwordless-strategy.md)
-
-## [Windows Hello for Business Overview](hello-overview.md)
-## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-## [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
-
-## [Windows Hello for Business Features](hello-features.md)
-### [Conditional Access](hello-feature-conditional-access.md)
-### [Dual Enrollment](hello-feature-dual-enrollment.md)
-### [Dynamic Lock](hello-feature-dynamic-lock.md)
-### [Multifactor Unlock](feature-multifactor-unlock.md)
-### [PIN Reset](hello-feature-pin-reset.md)
-### [Remote Desktop](hello-feature-remote-desktop.md)
-
-## [How Windows Hello for Business works](hello-how-it-works.md)
-### [Technical Deep Dive](hello-how-it-works.md#technical-deep-dive)
-#### [Device Registration](hello-how-it-works-device-registration.md)
-#### [Provisioning](hello-how-it-works-provisioning.md)
-#### [Authentication](hello-how-it-works-authentication.md)
-#### [Technology and Terminology](hello-how-it-works-technology.md)
-
-## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md)
-
-## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-
-## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md)
-
-### [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
-#### [Prerequisites](hello-hybrid-key-trust-prereqs.md)
-#### [New Installation Baseline](hello-hybrid-key-new-install.md)
-#### [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
-#### [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
-#### [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
-#### [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
-
-### [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
-#### [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-#### [New Installation Baseline](hello-hybrid-cert-new-install.md)
-#### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
-#### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md)
-#### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
-
-### [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
-#### [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md)
-#### [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md)
-
-### [On Premises Key Trust Deployment](hello-deployment-key-trust.md)
-#### [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
-#### [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
-#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
-##### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
-#### [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
-
-### [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md)
-#### [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
-#### [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
-#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
-#### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
-#### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
-
-## [Windows Hello and password changes](hello-and-password-changes.md)
-## [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-
-## [Windows Hello for Business Frequently Asked Questions (FAQ)](hello-faq.yml)
-### [Windows Hello for Business Videos](hello-videos.md)
-
-## Windows Hello for Business Troubleshooting
-### [Known Deployment Issues](hello-deployment-issues.md)
-### [Errors during PIN creation](hello-errors-during-pin-creation.md)
-### [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
new file mode 100644
index 0000000000..8a29bb7d81
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -0,0 +1,137 @@
+- name: Windows Hello for Business documentation
+ href: index.yml
+- name: Overview
+ items:
+ - name: Windows Hello for Business Overview
+ href: hello-overview.md
+- name: Concepts
+ expanded: true
+ items:
+ - name: Passwordless Strategy
+ href: passwordless-strategy.md
+ - name: Why a PIN is better than a password
+ href: hello-why-pin-is-better-than-password.md
+ - name: Windows Hello biometrics in the enterprise
+ href: hello-biometrics-in-enterprise.md
+ - name: How Windows Hello for Business works
+ href: hello-how-it-works.md
+ - name: Technical Deep Dive
+ items:
+ - name: Device Registration
+ href: hello-how-it-works-device-registration.md
+ - name: Provisioning
+ href: hello-how-it-works-provisioning.md
+ - name: Authentication
+ href: hello-how-it-works-authentication.md
+- name: How-to Guides
+ items:
+ - name: Windows Hello for Business Deployment Overview
+ href: hello-deployment-guide.md
+ - name: Planning a Windows Hello for Business Deployment
+ href: hello-planning-guide.md
+ - name: Deployment Prerequisite Overview
+ href: hello-identity-verification.md
+ - name: Prepare people to use Windows Hello
+ href: hello-prepare-people-to-use.md
+ - name: Deployment Guides
+ items:
+ - name: Hybrid Azure AD Joined Key Trust
+ items:
+ - name: Hybrid Azure AD Joined Key Trust Deployment
+ href: hello-hybrid-key-trust.md
+ - name: Prerequisites
+ href: hello-hybrid-key-trust-prereqs.md
+ - name: New Installation Baseline
+ href: hello-hybrid-key-new-install.md
+ - name: Configure Directory Synchronization
+ href: hello-hybrid-key-trust-dirsync.md
+ - name: Configure Azure Device Registration
+ href: hello-hybrid-key-trust-devreg.md
+ - name: Configure Windows Hello for Business settings
+ href: hello-hybrid-key-whfb-settings.md
+ - name: Sign-in and Provisioning
+ href: hello-hybrid-key-whfb-provision.md
+ - name: Hybrid Azure AD Joined Certificate Trust
+ items:
+ - name: Hybrid Azure AD Joined Certificate Trust Deployment
+ href: hello-hybrid-cert-trust.md
+ - name: Prerequisites
+ href: hello-hybrid-cert-trust-prereqs.md
+ - name: New Installation Baseline
+ href: hello-hybrid-cert-new-install.md
+ - name: Configure Azure Device Registration
+ href: hello-hybrid-cert-trust-devreg.md
+ - name: Configure Windows Hello for Business settings
+ href: hello-hybrid-cert-whfb-settings.md
+ - name: Sign-in and Provisioning
+ href: hello-hybrid-cert-whfb-provision.md
+ - name: On-premises SSO for Azure AD Joined Devices
+ items:
+ - name: On-premises SSO for Azure AD Joined Devices Deployment
+ href: hello-hybrid-aadj-sso.md
+ - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
+ href: hello-hybrid-aadj-sso-base.md
+ - name: Using Certificates for AADJ On-premises Single-sign On
+ href: hello-hybrid-aadj-sso-cert.md
+ - name: On-premises Key Trust
+ items:
+ - name: On-premises Key Trust Deployment
+ href: hello-deployment-key-trust.md
+ - name: Validate Active Directory Prerequisites
+ href: hello-key-trust-validate-ad-prereq.md
+ - name: Validate and Configure Public Key Infrastructure
+ href: hello-key-trust-validate-pki.md
+ - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+ href: hello-key-trust-adfs.md
+ - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+ href: hello-key-trust-validate-deploy-mfa.md
+ - name: Configure Windows Hello for Business policy settings
+ href: hello-key-trust-policy-settings.md
+ - name: On-premises Certificate Trust
+ items:
+ - name: On-premises Certificate Trust Deployment
+ href: hello-deployment-cert-trust.md
+ - name: Validate Active Directory Prerequisites
+ href: hello-cert-trust-validate-ad-prereq.md
+ - name: Validate and Configure Public Key Infrastructure
+ href: hello-cert-trust-validate-pki.md
+ - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+ href: hello-cert-trust-adfs.md
+ - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+ href: hello-cert-trust-validate-deploy-mfa.md
+ - name: Configure Windows Hello for Business policy settings
+ href: hello-cert-trust-policy-settings.md
+ - name: Managing Windows Hello for Business in your organization
+ href: hello-manage-in-organization.md
+ - name: Windows Hello for Business Features
+ items:
+ - name: Conditional Access
+ href: hello-feature-conditional-access.md
+ - name: PIN Reset
+ href: hello-feature-pin-reset.md
+ - name: Dual Enrollment
+ href: hello-feature-dual-enrollment.md
+ - name: Dynamic Lock
+ href: hello-feature-dynamic-lock.md
+ - name: Multi-factor Unlock
+ href: feature-multifactor-unlock.md
+ - name: Remote Desktop
+ href: hello-feature-remote-desktop.md
+ - name: Troubleshooting
+ items:
+ - name: Known Deployment Issues
+ href: hello-deployment-issues.md
+ - name: Errors During PIN Creation
+ href: hello-errors-during-pin-creation.md
+ - name: Event ID 300 - Windows Hello successfully created
+ href: hello-event-300.md
+ - name: Windows Hello and password changes
+ href: hello-and-password-changes.md
+- name: Reference
+ items:
+ - name: Technology and Terminology
+ href: hello-how-it-works-technology.md
+ - name: Frequently Asked Questions (FAQ)
+ href: hello-faq.yml
+ - name: Windows Hello for Business videos
+ href: hello-videos.md
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
index f57abc302f..dd87cded73 100644
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@@ -31,5 +31,5 @@ Learn more about identity and access management technologies in Windows 10 and
| [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
| [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
-| [Windows Hello for Business](hello-for-business/hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
+| [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
| [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. |
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index f36275b6ba..19f213f47f 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -444,7 +444,7 @@ To stop Windows from automatically blocking these connections, you can add the `
For example:
```console
-URL <,proxy>|URL <,proxy>/*AppCompat*/
+URL <,proxy>|URL <,proxy>|/*AppCompat*/
```
When you use this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
index eb25f0556d..bf2e926154 100644
--- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -28,7 +28,7 @@ This list provides all of the tasks and settings that are required for the opera
|Task|Description|
|----|-----------|
|Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.|
-|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
+|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.
Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 4fd85c48d2..805b02475c 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -114,6 +114,7 @@
##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md)
##### [Import, export, and deploy exploit protection configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
+##### [Troubleshoot exploit protection mitigations](microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md)
##### [Exploit protection reference](microsoft-defender-atp/exploit-protection-reference.md )
#### [Network protection]()
@@ -175,7 +176,6 @@
###### [Use PowerShell cmdlets to manage next-generation protection](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to manage next-generation protection](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
###### [Use the mpcmdrun.exe command line tool to manage next-generation protection](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
-###### [Handle false positives/negatives in Microsoft Defender Antivirus](microsoft-defender-antivirus/antivirus-false-positives-negatives.md)
##### [Deploy, manage updates, and report on antivirus]()
###### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
@@ -478,6 +478,7 @@
#### [General]()
##### [Verify data storage location and update data retention settings](microsoft-defender-atp/data-retention-settings.md)
##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
+##### [Configure vulnerability notifications](microsoft-defender-atp/configure-vulnerability-email-notifications.md)
##### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
#### [Permissions]()
@@ -508,6 +509,8 @@
#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
+### [Address false positives/negatives in Microsoft Defender for Endpoint](microsoft-defender-atp/defender-endpoint-false-positives-negatives.md)
+
### [Use audit mode](microsoft-defender-atp/audit-windows-defender.md)
## Reference
@@ -524,6 +527,7 @@
##### [Microsoft Defender for Endpoint APIs Schema]()
###### [Supported Microsoft Defender for Endpoint APIs](microsoft-defender-atp/exposed-apis-list.md)
+###### [Release Notes](microsoft-defender-atp/api-release-notes.md)
###### [Common REST API error codes](microsoft-defender-atp/common-errors.md)
###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
@@ -550,6 +554,7 @@
####### [Get security recommendations](microsoft-defender-atp/get-security-recommendations.md)
####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
+####### [Find machines by tag](microsoft-defender-atp/find-machines-by-tag.md)
####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md)
####### [Set device value](microsoft-defender-atp/set-device-value.md)
@@ -576,6 +581,7 @@
###### [Indicators]()
####### [Indicators methods and properties](microsoft-defender-atp/ti-indicator.md)
####### [Submit Indicator](microsoft-defender-atp/post-ti-indicator.md)
+####### [Import Indicators](microsoft-defender-atp/import-ti-indicators.md)
####### [List Indicators](microsoft-defender-atp/get-ti-indicators-collection.md)
####### [Delete Indicator](microsoft-defender-atp/delete-ti-indicator-by-id.md)
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index fc1d481a34..f0f08773af 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -20,6 +20,9 @@ ms.technology: mde
# Threat Protection
[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
> [!TIP]
> Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/).
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
deleted file mode 100644
index 099dbc450f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-title: What to do with false positives/negatives in Microsoft Defender Antivirus
-description: Did Microsoft Defender Antivirus miss or wrongly detect something? Find out what you can do.
-keywords: Microsoft Defender Antivirus, false positives, false negatives, exclusions
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 06/08/2020
-ms.reviewer: shwetaj
-manager: dansimp
-audience: ITPro
-ms.topic: article
-ms.technology: mde
----
-
-# What to do with false positives/negatives in Microsoft Defender Antivirus
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
-
-What if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these issues. You can:
-- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis)
-- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring)
-- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned)
-
-## Submit a file to Microsoft for analysis
-
-1. Review the [submission guidelines](../intelligence/submission-guide.md).
-2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission).
-
-> [!TIP]
-> We recommend signing in at the submission portal so you can track the results of your submissions.
-
-## Create an "Allow" indicator to prevent a false positive from recurring
-
-If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Microsoft Defender Antivirus (and Microsoft Defender for Endpoint) that the item is safe.
-
-To set up your "Allow" indicator, follow the guidance in [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).
-
-## Define an exclusion on an individual Windows device to prevent an item from being scanned
-
-When you define an exclusion for Microsoft Defender Antivirus, you configure your antivirus to skip that item.
-
-1. On your Windows 10 device, open the Windows Security app.
-2. Select **Virus & threat protection** > **Virus & threat protection settings**.
-3. Under **Exclusions**, select **Add or remove exclusions**.
-4. Select **+ Add an exclusion**, and specify its type (**File**, **Folder**, **File type**, or **Process**).
-
-The following table summarizes exclusion types, how they're defined, and what happens when they're in effect.
-
-|Exclusion type |Defined by |What happens |
-|---------|---------|---------|
-|**File** |Location
Example: `c:\sample\sample.test` |The specified file is skipped by Microsoft Defender Antivirus. |
-|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. |
-|**File type** |File extension
Example: `.test` |All files with the specified extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
-|**Process** |Executable file path
Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
-
-To learn more, see:
-- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
-- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
-
-## Related articles
-
-[What is Microsoft Defender for Endpoint?](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
-
-[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
index dc721c7813..f56820cf7f 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
@@ -11,7 +11,7 @@ author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
audience: ITPro
-ms.date: 01/08/2021
+ms.date: 02/03/2021
ms.reviewer:
manager: dansimp
ms.technology: mde
@@ -62,13 +62,13 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium
### Blocking URLs with Microsoft Defender SmartScreen
-In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen will protect you from PUA-associated URLs.
+In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs.
Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft
Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can
[configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off.
-Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen will respect the new settings.
+Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings.
## Microsoft Defender Antivirus
@@ -87,7 +87,7 @@ The notification appears in the usual [quarantine list within the Windows Securi
You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve-view=true).
-You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections will be captured in the Windows event log.
+You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log.
> [!TIP]
> Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action.
@@ -112,21 +112,13 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
#### Use Group Policy to configure PUA protection
1. Download and install [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
-
2. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
-
3. Select the Group Policy Object you want to configure, and then choose **Edit**.
-
4. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
-
5. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**.
-
6. Double-click **Configure detection for potentially unwanted applications**.
-
7. Select **Enabled** to enable PUA protection.
-
-8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**.
-
+8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting works in your environment. Select **OK**.
9. Deploy your Group Policy object as you usually do.
#### Use PowerShell cmdlets to configure PUA protection
@@ -134,31 +126,49 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
##### To enable PUA protection
```PowerShell
-Set-MpPreference -PUAProtection enable
+Set-MpPreference -PUAProtection Enabled
```
-Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled.
+
+Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled.
##### To set PUA protection to audit mode
```PowerShell
-Set-MpPreference -PUAProtection auditmode
+Set-MpPreference -PUAProtection AuditMode
```
-Setting `AuditMode` will detect PUAs without blocking them.
+
+Setting `AuditMode` detects PUAs without blocking them.
##### To disable PUA protection
We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet:
```PowerShell
-Set-MpPreference -PUAProtection disable
+Set-MpPreference -PUAProtection Disabled
```
-Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled.
+
+Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled.
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
### View PUA events
-PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune.
+PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the `Get-MpThreat` cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example:
+
+```console
+CategoryID : 27
+DidThreatExecute : False
+IsActive : False
+Resources : {webfile:_q:\Builds\Dalton_Download_Manager_3223905758.exe|http://d18yzm5yb8map8.cloudfront.net/
+ fo4yue@kxqdw/Dalton_Download_Manager.exe|pid:14196,ProcessStart:132378130057195714}
+RollupStatus : 33
+SchemaVersion : 1.0.0.0
+SeverityID : 1
+ThreatID : 213927
+ThreatName : PUA:Win32/InstallCore
+TypeID : 0
+PSComputerName :
+```
You can turn on email notifications to receive mail about PUA detections.
@@ -166,11 +176,11 @@ See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for d
### Allow-listing apps
-Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed.
+Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed.
For more information, see [Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients](https://docs.microsoft.com/troubleshoot/mem/configmgr/recommended-antivirus-exclusions#exclusions).
-## Related articles
+## See also
- [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md)
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index 5cb7faf5e7..54f1f4fd7d 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -1,7 +1,7 @@
---
title: Microsoft Defender Antivirus compatibility with other security products
-description: Get an overview of what to expect from Microsoft Defender Antivirus with other security products and the operating systems you are using.
-keywords: windows defender, next-generation, atp, advanced threat protection, compatibility, passive mode
+description: What to expect from Microsoft Defender Antivirus with other security products and the operating systems you are using.
+keywords: windows defender, next-generation, antivirus, compatibility, passive mode
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: m365-security
@@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: tewchen, pahuijbr, shwjha
manager: dansimp
-ms.date: 01/11/2021
+ms.date: 01/27/2021
ms.technology: mde
---
@@ -34,23 +34,23 @@ Microsoft Defender Antivirus is automatically enabled and installed on endpoints
## Antivirus and Microsoft Defender for Endpoint
-The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender for Endpoint.
+The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender for Endpoint.
| Windows version | Antimalware protection | Microsoft Defender for Endpoint enrollment | Microsoft Defender Antivirus state |
|------|------|-------|-------|
| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
-| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode |
+| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatically disabled mode |
| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode |
| Windows 10 | Microsoft Defender Antivirus | No | Active mode |
-| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] |
-| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No | Must be set to passive mode (manually)[[1](#fn1)] |
+| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode [[1](#fn1)] |
+| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No | Must be set to passive mode (manually) [[1](#fn1)] |
| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | Yes | Active mode |
| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | No | Active mode |
| Windows Server 2016 | Microsoft Defender Antivirus | Yes | Active mode |
| Windows Server 2016 | Microsoft Defender Antivirus | No | Active mode |
-| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Must be disabled (manually)[[2](#fn2)] |
-| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually)[[2](#fn2)] |
+| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Must be disabled (manually) [[2](#fn2)] |
+| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually) [[2](#fn2)] |
(1) On Windows Server, version 1803 or newer, or Windows Server 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server.
@@ -76,25 +76,36 @@ See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antiviru
## Functionality and features available in each state
-The table in this section summarizes the functionality and features that are available in each state.
+The table in this section summarizes the functionality and features that are available in each state. The table is designed to be informational only. It is intended to describe the features & capabilities that are actively working or not, according to whether Microsoft Defender Antivirus is in active mode, in passive mode, or is disabled/uninstalled.
> [!IMPORTANT]
-> The following table is informational, and it is designed to describe the features & capabilities that are turned on or off according to whether Microsoft Defender Antivirus is in Active mode, in Passive mode, or disabled/uninstalled. Do not turn off capabilities, such as real-time protection, if you are using Microsoft Defender Antivirus in passive mode or are using EDR in block mode.
+> Do not turn off capabilities, such as real-time protection, cloud-delivered protection, or limited periodic scanning, if you are using Microsoft Defender Antivirus in passive mode or you are using EDR in block mode.
-|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) |
-|--|--|--|--|--|--|
-|Active mode
|Yes |No |Yes |Yes |Yes |
-|Passive mode |No |No |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes |
-|[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md) |No |No |Yes |Yes |Yes |
-|Automatic disabled mode |No |Yes |No |No |No |
+|Protection |Active mode |Passive mode |EDR in block mode |Disabled or uninstalled |
+|:---|:---|:---|:---|:---|
+| [Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | Yes | No [[3](#fn3)] | No | No |
+| [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | No | No | No | Yes |
+| [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | Yes | Yes | Yes | No |
+| [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | See note [[4](#fn4)] | Yes | No |
+| [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | Yes | Yes | Yes | No |
-- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
-- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
-- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items.
-- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution.
+(3) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
+
+(4) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans.
+
+> [!NOTE]
+> [Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in active or passive mode.
## Keep the following points in mind
+- In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
+
+- In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
+
+- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items.
+
+- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution.
+
- If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
- When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the protection offered by a non-Microsoft antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. Automatic re-enabling helps to ensure that antivirus protection is maintained on your devices. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
@@ -104,13 +115,14 @@ The table in this section summarizes the functionality and features that are ava
If you uninstall the non-Microsoft antivirus product, and use Microsoft Defender Antivirus to provide protection to your devices, Microsoft Defender Antivirus will return to its normal active mode automatically.
> [!WARNING]
-> Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+> Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This recommendation includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
## See also
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md)
+- [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server-2016.md)
- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
- [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
+- [Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md)
- [Learn about Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 9f31a06bdd..84ae3ac222 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 12/17/2020
+ms.date: 01/27/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -53,3 +53,4 @@ Application Guard has been created to target several types of devices:
| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide |
| [Microsoft Defender Application Guard for Microsoft Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide |
|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
+|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|
diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
index e63643ed0a..1f03573655 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
@@ -24,8 +24,6 @@ ms.technology: mde
Applies to:
- Windows 10 multi-session running on Windows Virtual Desktop (WVD)
-> [!IMPORTANT]
-> Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender for Endpoint. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.
> [!WARNING]
> Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-session scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However, single session scenarios on Windows Virtual Desktop are fully supported.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
index c9987f3a99..2a992e5e4f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
@@ -90,9 +90,11 @@ If successful, this method returns 200 - Ok response code and the updated Machin
Here is an example of a request that adds machine tag.
-```http
+```
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
-Content-type: application/json
+```
+
+```json
{
"Value" : "test Tag 2",
"Action": "Add"
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
index f6b1666c6c..da475d40a4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@@ -69,45 +69,145 @@ determination | Nullable Enum | Specifies the determination of the alert. Possib
category| String | Category of the alert.
detectionSource | String | Detection source.
threatFamilyName | String | Threat family.
+threatName | String | Threat name.
machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
computerDnsName | String | [machine](machine.md) fully qualified name.
aadTenantId | String | The Azure Active Directory ID.
-comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time.
+detectorId | String | The ID of the detector that triggered the alert.
+comments | List of Alert comments | Alert Comment object contains: comment string, createdBy string and createTime date time.
+Evidence | List of Alert evidence | Evidence related to the alert. See example below.
### Response example for getting single alert:
-```
-GET https://api.securitycenter.microsoft.com/api/alerts/da637084217856368682_-292920499
+```http
+GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609
```
```json
{
- "id": "da637084217856368682_-292920499",
- "incidentId": 66860,
- "investigationId": 4416234,
- "investigationState": "Running",
- "assignedTo": "secop@contoso.com",
- "severity": "Low",
- "status": "New",
- "classification": "TruePositive",
- "determination": null,
- "detectionSource": "WindowsDefenderAtp",
- "category": "CommandAndControl",
- "threatFamilyName": null,
- "title": "Network connection to a risky host",
- "description": "A network connection was made to a risky host which has exhibited malicious activity.",
- "alertCreationTime": "2019-11-03T23:49:45.3823185Z",
- "firstEventTime": "2019-11-03T23:47:16.2288822Z",
- "lastEventTime": "2019-11-03T23:47:51.2966758Z",
- "lastUpdateTime": "2019-11-03T23:55:52.6Z",
- "resolvedTime": null,
- "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
- "comments": [
- {
- "comment": "test comment for docs",
- "createdBy": "secop@contoso.com",
- "createdTime": "2019-11-05T14:08:37.8404534Z"
- }
- ]
+ "id": "da637472900382838869_1364969609",
+ "incidentId": 1126093,
+ "investigationId": null,
+ "assignedTo": null,
+ "severity": "Low",
+ "status": "New",
+ "classification": null,
+ "determination": null,
+ "investigationState": "Queued",
+ "detectionSource": "WindowsDefenderAtp",
+ "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
+ "category": "Execution",
+ "threatFamilyName": null,
+ "title": "Low-reputation arbitrary code executed by signed executable",
+ "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
+ "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
+ "firstEventTime": "2021-01-26T20:31:32.9562661Z",
+ "lastEventTime": "2021-01-26T20:31:33.0577322Z",
+ "lastUpdateTime": "2021-01-26T20:33:59.2Z",
+ "resolvedTime": null,
+ "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
+ "computerDnsName": "temp123.middleeast.corp.microsoft.com",
+ "rbacGroupName": "A",
+ "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "threatName": null,
+ "mitreTechniques": [
+ "T1064",
+ "T1085",
+ "T1220"
+ ],
+ "relatedUser": {
+ "userName": "temp123",
+ "domainName": "MIDDLEEAST"
+ },
+ "comments": [
+ {
+ "comment": "test comment for docs",
+ "createdBy": "secop123@contoso.com",
+ "createdTime": "2021-01-26T01:00:37.8404534Z"
+ }
+ ],
+ "evidence": [
+ {
+ "entityType": "User",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
+ "sha1": null,
+ "sha256": null,
+ "fileName": null,
+ "filePath": null,
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": "eranb",
+ "domainName": "MIDDLEEAST",
+ "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
+ "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
+ "userPrincipalName": "temp123@microsoft.com",
+ "detectionStatus": null
+ },
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
+ "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
+ "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
+ "fileName": "rundll32.exe",
+ "filePath": "C:\\Windows\\SysWOW64",
+ "processId": 3276,
+ "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
+ "processCreationTime": "2021-01-26T20:31:32.9581596Z",
+ "parentProcessId": 8420,
+ "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
+ "parentProcessFileName": "rundll32.exe",
+ "parentProcessFilePath": "C:\\Windows\\System32",
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ },
+ {
+ "entityType": "File",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
+ "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
+ "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
+ "fileName": "suspicious.dll",
+ "filePath": "c:\\temp",
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ }
+ ]
}
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md
new file mode 100644
index 0000000000..441c3cbd30
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md
@@ -0,0 +1,73 @@
+---
+title: Microsoft Defender for Endpoint API release notes
+description: Release notes for updates made to the Microsoft Defender for Endpoint set of APIs.
+keywords: microsoft defender for endpoint api release notes, mde, apis, mdatp api, updates, notes, release
+search.product: eADQiWindows 10XVcnh
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.technology: mde
+---
+
+# Microsoft Defender for Endpoint API release notes
+
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+The following information lists the updates made to the Microsoft Defender for Endpoint APIs and the dates they were made.
+
+
+### 25.01.2021
+
+
+- Updated rate limitations for [Advanced Hunting API](run-advanced-query-api.md) from 15 to 45 requests per minute.
+
+
+
+### 21.01.2021
+
+
+- Added new API: [Find devices by tag](machine-tags.md).
+- Added new API: [Import Indicators](import-ti-indicators.md).
+
+
+
+### 03.01.2021
+
+
+- Updated Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName*** properties.
+- Updated [Alert entity](alerts.md): added ***detectorId*** property.
+
+
+
+### 15.12.2020
+
+
+- Updated [Device](machine.md) entity: added ***IpInterfaces*** list. See [List devices](get-machines.md).
+
+
+
+### 04.11.2020
+
+
+- Added new API: [Set device value](set-device-value.md).
+- Updated [Device](machine.md) entity: added ***deviceValue*** property.
+
+
+
+### 01.09.2020
+
+
+- Added option to expand the Alert entity with its related Evidence. See [List Alerts](get-alerts.md).
+
+
+
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
index e929d6e210..0fb359840a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@@ -170,3 +170,6 @@ When you click on the pending actions link, you'll be taken to the Action center
- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
+## See also
+
+- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index 4233bcca90..93e3809c2a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -93,5 +93,6 @@ All remediation actions, whether pending or completed, can be viewed in the [Act
## See also
- [PUA protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)
+- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
- [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
index ee50396e37..dea6142742 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
@@ -81,9 +81,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
-Content-type: application/json
+```
+
+```json
{
"Comment": "Collect forensics due to alert 1234"
}
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 3e1fad5b1a..060c2d575a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -42,6 +42,7 @@ For a practical guidance on what needs to be in place for licensing and infrastr
For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines).
+
## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016
@@ -56,13 +57,13 @@ After completing the onboarding steps using any of the provided options, you'll
> [!NOTE]
-> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
+> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Monitoring Agent (Option 1), or through Microsoft Endpoint Manager (Option 3). Alternatively, an Azure Defender for Servers license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA)
You'll need to install and configure MMA for Windows servers to report sensor data to Defender for Endpoint. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
-If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support.
+If you're already using System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support.
In general, you'll need to take the following steps:
1. Fulfill the onboarding requirements outlined in **Before you begin** section.
@@ -98,10 +99,13 @@ Perform the following steps to fulfill the onboarding requirements:
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
2. Using the Workspace ID and Workspace key obtained in the previous procedure, choose any of the following installation methods to install the agent on the Windows server:
- - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
+ - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard).
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
+ - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line).
+ - [Configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation).
+> [!NOTE]
+> If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1.
@@ -140,6 +144,8 @@ You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsof
After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
+
+
## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition
You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods:
@@ -179,12 +185,14 @@ Support for Windows Server provides deeper insight into server activities, cover
```sc.exe query Windefend```
- If the result is 'The specified service does not exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
+ If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus).
+
+
## Integration with Azure Security Center
-Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers.
+Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can use the power of Defender for Endpoint to provide improved threat detection for Windows Servers.
The following capabilities are included in this integration:
- Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
@@ -202,6 +210,7 @@ Data collected by Defender for Endpoint is stored in the geo-location of the ten
> - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.
Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
+
## Configure and update System Center Endpoint Protection clients
@@ -212,7 +221,7 @@ The following steps are required to enable this integration:
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting.
-
+
## Offboard Windows servers
You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices.
@@ -264,6 +273,9 @@ To offboard the Windows server, you can use either of the following methods:
$AgentCfg.ReloadConfiguration()
```
+
+
+
## Related topics
- [Onboard Windows 10 devices](configure-endpoints.md)
- [Onboard non-Windows devices](configure-endpoints-non-windows.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md
new file mode 100644
index 0000000000..5c24aa1ae7
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md
@@ -0,0 +1,93 @@
+---
+title: Configure vulnerability email notifications in Microsoft Defender for Endpoint
+description: Use Microsoft Defender for Endpoint to configure email notification settings for vulnerability events.
+keywords: email notifications, configure alert notifications, microsoft defender atp notifications, microsoft defender atp alerts, windows 10 enterprise, windows 10 education
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Configure vulnerability email notifications in Microsoft Defender for Endpoint
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
+>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
+
+Configure Microsoft Defender for Endpoint to send email notifications to specified recipients for new vulnerability events. This feature enables you to identify a group of individuals who will immediately be informed and can act on the notifications based on the event. The vulnerability information comes from Defender for Endpoint's [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) capability.
+
+> [!NOTE]
+> Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. [Learn more about permission options](user-roles.md)
+
+The notification rules allow you to set the vulnerability events that trigger notifications, and add or remove email notification recipients. New recipients get notified about vulnerabilities after they are added.
+
+If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule.
+Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups.
+
+The email notification includes basic information about the vulnerability event. There are also links to filtered views in the threat and vulnerability management [Security recommendations](tvm-security-recommendation.md) and [Weaknesses](tvm-weaknesses.md) pages in the portal so you can further investigate. For example, you could get a list of all exposed devices or get additional details about the vulnerability.
+
+## Create rules for alert notifications
+
+Create a notification rule to send an email when there are certain exploit or vulnerability events, such as a new public exploit. For each rule, multiple event types can be selected.
+
+1. In the navigation pane, go to **Settings** > **Email notifications** > **Vulnerabilities**.
+
+2. Select **Add notification rule**.
+
+3. Name the email notification rule and include a description.
+
+4. Check **Notification enabled** to activate the notification. Select **Next**
+
+5. Fill in the notification settings. Then select **Next**
+
+ - Choose device groups to get notifications for.
+ - Choose the vulnerability event(s) that you want to be notified about when they affect your organization.
+ - Options: new vulnerability found (including severity threshold), new public exploit, exploit added to an exploit kit, exploit was verified.
+ - Include organization name if you want the organization name in the email
+
+6. Enter the recipient email address then select **Add**. You can add multiple email addresses.
+
+7. Review the settings for the new email notification rule and select **Create rule** when you're ready to create it.
+
+## Edit a notification rule
+
+1. Select the notification rule you'd like to edit.
+
+2. Select the **Edit rule** button next to the pencil icon in the flyout. Make sure you have permission to edit or delete the rule.
+
+## Delete notification rule
+
+1. Select the notification rule you'd like to delete.
+
+2. Select the **Delete** button next to the trash can icon in the flyout. Make sure you have permission to edit or delete the rule.
+
+## Troubleshoot email notifications for alerts
+
+This section lists various issues that you may encounter when using email notifications for alerts.
+
+**Problem:** Intended recipients report they are not getting the notifications.
+
+**Solution:** Make sure that the notifications are not blocked by email filters:
+
+1. Check that the Defender for Endpoint email notifications are not sent to the Junk Email folder. Mark them as Not junk.
+2. Check that your email security product is not blocking the email notifications from Defender for Endpoint.
+3. Check your email application rules that might be catching and moving your Defender for Endpoint email notifications.
+
+## Related topics
+
+- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
index f193b2eca8..5d79d2db3f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@@ -1,5 +1,5 @@
---
-title: Prevent ransomware and threats from encrypting and changing files
+title: Protect important folders from ransomware from encrypting your files with controlled folder access
description: Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files.
keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders
search.product: eADQiWindows 10XVcnh
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
audience: ITPro
-ms.date: 12/17/2020
+ms.date: 02/03/2021
ms.reviewer: v-maave
manager: dansimp
ms.custom: asr
@@ -35,6 +35,9 @@ Controlled folder access helps protect your valuable data from malicious apps an
Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
+> [!TIP]
+> Controlled folder access blocks don't generate alerts in the [Alerts queue](../microsoft-defender-atp/alerts-queue.md). However, you can view information about controlled folder access blocks in the [device timeline view](../microsoft-defender-atp/investigate-machines.md), while using [advanced hunting](../microsoft-defender-atp/advanced-hunting-overview.md), or with [custom detection rules](../microsoft-defender-atp/custom-detection-rules.md).
+
## How does controlled folder access work?
Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders.
@@ -43,7 +46,7 @@ Controlled folder access works with a list of trusted apps. If an app is include
Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically.
-Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console.
+Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console.
## Why controlled folder access is important
@@ -117,17 +120,11 @@ The following table shows events related to controlled folder access:
You can use the Windows Security app to view the list of folders that are protected by controlled folder access.
1. On your Windows 10 device, open the Windows Security app.
-
2. Select **Virus & threat protection**.
-
3. Under **Ransomware protection**, select **Manage ransomware protection**.
-
4. If controlled folder access is turned off, you'll need to turn it on. Select **protected folders**.
-
5. Do one of the following steps:
-
- To add a folder, select **+ Add a protected folder**.
-
- To remove a folder, select it, and then select **Remove**.
> [!NOTE]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
index ac6a1ed6be..91a38d3f42 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
@@ -96,9 +96,10 @@ If successful, this method returns 200 OK, and a new [alert](alerts.md) object i
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference
```
+
```json
{
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
new file mode 100644
index 0000000000..6a64647a0c
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -0,0 +1,364 @@
+---
+title: Address false positives/negatives in Microsoft Defender for Endpoint
+description: Learn how to handle false positives or false negatives in Microsoft Defender for Endpoint.
+keywords: alert, exclusion, defender atp, false positive, false negative
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: m365-security
+ms.technology: mde
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.date: 01/27/2021
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
+ms.topic: conceptual
+ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree, jcedola
+ms.custom: FPFN
+---
+
+# Address false positives/negatives in Microsoft Defender for Endpoint
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to**
+
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806)
+
+In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection).
+
+
+
+Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address them by using the following process:
+
+1. [Review and classify alerts](#part-1-review-and-classify-alerts)
+2. [Review remediation actions that were taken](#part-2-review-remediation-actions)
+3. [Review and define exclusions](#part-3-review-or-define-exclusions)
+4. [Submit an entity for analysis](#part-4-submit-a-file-for-analysis)
+5. [Review and adjust your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings)
+
+And, you can [get help if you still have issues with false positives/negatives](#still-need-help) after performing the tasks described in this article.
+
+
+
+> [!NOTE]
+> This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md).
+
+## Part 1: Review and classify alerts
+
+If you see an [alert](alerts.md) that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well.
+
+Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items.
+
+### Determine whether an alert is accurate
+
+Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign.
+
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
+2. In the navigation pane, choose **Alerts queue**.
+3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).)
+4. Depending on the alert status, take the steps described in the following table:
+
+| Alert status | What to do |
+|:---|:---|
+| The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. |
+| The alert is a false positive | 1. [Classify the alert](#classify-an-alert) as a false positive.
2. [Suppress the alert](#suppress-an-alert).
3. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.
4. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). |
+| The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). |
+
+### Classify an alert
+
+Alerts can be classified as false positives or true positives in the Microsoft Defender Security Center. Classifying alerts helps train Microsoft Defender for Endpoint so that, over time, you'll see more true alerts and fewer false alerts.
+
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
+2. Select **Alerts queue**, and then select an alert.
+3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens.
+4. In the **Manage alert** section, select either **True alert** or **False alert**. (Use **False alert** to classify a false positive.)
+
+> [!TIP]
+> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too.
+
+### Suppress an alert
+
+If you have alerts that are either false positives or that are true positives but for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. Suppressing alerts helps reduce noise in your security operations dashboard.
+
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
+2. In the navigation pane, select **Alerts queue**.
+3. Select an alert that you want to suppress to open its **Details** pane.
+4. In the **Details** pane, choose the ellipsis (**...**), and then **Create a suppression rule**.
+5. Specify all the settings for your suppression rule, and then choose **Save**.
+
+> [!TIP]
+> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule).
+
+## Part 2: Review remediation actions
+
+[Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, are taken on entities (such as files) that are detected as threats. Several types of remediation actions occur automatically through automated investigation and Microsoft Defender Antivirus:
+- Quarantine a file
+- Remove a registry key
+- Kill a process
+- Stop a service
+- Disable a driver
+- Remove a scheduled task
+
+Other actions, such as starting an antivirus scan or collecting an investigation package, occur manually or through [Live Response](live-response.md). Actions taken through Live Response cannot be undone.
+
+After you have reviewed your alerts, your next step is to [review remediation actions](manage-auto-investigation.md). If any actions were taken as a result of false positives, you can undo most kinds of remediation actions. Specifically, you can:
+- [Undo one action at a time](#undo-an-action);
+- [Undo multiple actions at one time](#undo-multiple-actions-at-one-time); and
+- [Remove a file from quarantine across multiple devices](#remove-a-file-from-quarantine-across-multiple-devices).
+
+When you're done reviewing and undoing actions that were taken as a result of false positives, proceed to [review or define exclusions](#part-3-review-or-define-exclusions).
+
+### Review completed actions
+
+1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
+2. Select the **History** tab to view a list of actions that were taken.
+3. Select an item to view more details about the remediation action that was taken.
+
+### Undo an action
+
+1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
+2. On the **History** tab, select an action that you want to undo.
+3. In the flyout pane, select **Undo**. If the action cannot be undone with this method, you will not see an **Undo** button. (To learn more, see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions).)
+
+### Undo multiple actions at one time
+
+1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
+2. On the **History** tab, select the actions that you want to undo.
+3. In the pane on the right side of the screen, select **Undo**.
+
+### Remove a file from quarantine across multiple devices
+
+
+
+1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
+2. On the **History** tab, select a file that has the Action type **Quarantine file**.
+3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
+
+## Part 3: Review or define exclusions
+
+An exclusion is an entity, such as a file or URL, that you specify as an exception to remediation actions. The excluded entity can still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint.
+
+To define exclusions across Microsoft Defender for Endpoint, perform the following tasks:
+- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus)
+- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint)
+
+> [!NOTE]
+> Microsoft Defender Antivirus exclusions apply only to antivirus protection, not across other Microsoft Defender for Endpoint capabilities. To exclude files broadly, use exclusions for Microsoft Defender Antivirus and [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) for Microsoft Defender for Endpoint.
+
+The procedures in this section describe how to define exclusions and indicators.
+
+### Exclusions for Microsoft Defender Antivirus
+
+In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to define or edit your antivirus exclusions; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)).
+
+> [!TIP]
+> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus).
+
+#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies)
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)).
+3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**.
+4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions.
+5. Choose **Review + save**, and then choose **Save**.
+
+#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**.
+3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**).
+4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**.
+5. Specify a name and description for the profile, and then choose **Next**.
+6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**.
+7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).)
+8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).)
+9. On the **Review + create** tab, review the settings, and then choose **Create**.
+
+### Indicators for Microsoft Defender for Endpoint
+
+[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, you can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs.
+
+To specify entities as exclusions for Microsoft Defender for Endpoint, create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10), [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), and [automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations).
+
+"Allow" indicators can be created for:
+
+- [Files](#indicators-for-files)
+- [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains)
+- [Application certificates](#indicators-for-application-certificates)
+
+
+
+#### Indicators for files
+
+When you [create an "allow" indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
+
+Before you create indicators for files, make sure the following requirements are met:
+- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus))
+- Antimalware client version is 4.18.1901.x or later
+- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
+- The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features)
+
+#### Indicators for IP addresses, URLs, or domains
+
+When you [create an "allow" indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain), it helps prevent the sites or IP addresses your organization uses from being blocked.
+
+Before you create indicators for IP addresses, URLs, or domains, make sure the following requirements are met:
+- Network protection in Defender for Endpoint is enabled in block mode (see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection))
+- Antimalware client version is 4.18.1906.x or later
+- Devices are running Windows 10, version 1709, or later
+
+Custom network indicators are turned on in the Microsoft Defender Security Center (see [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features))
+
+#### Indicators for application certificates
+
+When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates), it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported.
+
+Before you create indicators for application certificates, make sure the following requirements are met:
+- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus))
+- Antimalware client version is 4.18.1901.x or later
+- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
+- Virus and threat protection definitions are up to date
+
+> [!TIP]
+> When you create indicators, you can define them one by one, or import multiple items at once. Keep in mind there's a limit of 15,000 indicators for a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
+
+## Part 4: Submit a file for analysis
+
+You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions, and their results help inform Microsoft Defender for Endpoint threat protection capabilities. When you sign in at the submission site, you can track your submissions.
+
+### Submit a file for analysis
+
+If you have a file that was either wrongly detected as malicious or was missed, follow these steps to submit the file for analysis.
+
+1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).
+2. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s).
+
+### Submit a fileless detection for analysis
+
+If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the *.cab* file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool on Windows 10.
+
+1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run `MpCmdRun.exe` as an administrator.
+2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**.
+ A .cab file is generated that contains various diagnostic logs. The location of the file is specified in the output of the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`.
+3. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).
+4. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your .cab files.
+
+### What happens after a file is submitted?
+
+Your submission is immediately scanned by our systems to give you the latest determination even before an analyst starts handling your case. It’s possible that a file might have already been submitted and processed by an analyst. In those cases, a determination is made quickly.
+
+For submissions that were not already processed, they are prioritized for analysis as follows:
+
+- Prevalent files with the potential to impact large numbers of computers are given a higher priority.
+- Authenticated customers, especially enterprise customers with valid [Software Assurance IDs (SAIDs)](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default.aspx), are given a higher priority.
+- Submissions flagged as high priority by SAID holders are given immediate attention.
+
+To check for updates regarding your submission, sign in at the [Microsoft Security Intelligence submission site](https://www.microsoft.com/wdsi/filesubmission).
+
+> [!TIP]
+> To learn more, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide#how-does-microsoft-prioritize-submissions).
+
+## Part 5: Review and adjust your threat protection settings
+
+Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to:
+
+- [Cloud-delivered protection](#cloud-delivered-protection)
+- [Remediation for potentially unwanted applications](#remediation-for-potentially-unwanted-applications)
+- [Automated investigation and remediation](#automated-investigation-and-remediation)
+
+### Cloud-delivered protection
+
+Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, cloud-delivered protection is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives.
+
+> [!TIP]
+> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus).
+
+We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivered protection settings.
+
+We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to edit or set your cloud-delivered protection settings; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)).
+
+#### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings (for existing policies)
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-policy)).
+3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**.
+4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting cloud-delivered protection to **Not configured**, which provides strong protection while reducing the chances of getting false positives.
+5. Choose **Review + save**, and then **Save**.
+
+#### Use Microsoft Endpoint Manager to set cloud-delivered protection settings (for a new policy)
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+2. Choose **Endpoint security** > **Antivirus** > **+ Create policy**.
+3. For **Platform**, select an option, and then for **Profile**, select **Antivirus** or **Microsoft Defender Antivirus** (the specific option depends on what you selected for **Platform**.) Then choose **Create**.
+4. On the **Basics** tab, specify a name and description for the policy. Then choose **Next**.
+5. On the **Configuration settings** tab, expand **Cloud protection**, and specify the following settings:
+ - Set **Turn on cloud-delivered protection** to **Yes**.
+ - Set **Cloud-delivered protection level** to **Not configured**. (This level provides a strong level of protection by default while reducing the chances of getting false positives.)
+6. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).)
+8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).)
+9. On the **Review + create** tab, review the settings, and then choose **Create**.
+
+### Remediation for potentially unwanted applications
+
+Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation.
+
+> [!TIP]
+> To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
+
+Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If necessary, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus.
+
+We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to edit or set PUA protection settings; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)).
+
+#### Use Microsoft Endpoint Manager to edit PUA protection (for existing configuration profiles)
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile).)
+3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**.
+4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**.
+5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.)
+6. Choose **Review + save**, and then choose **Save**.
+
+#### Use Microsoft Endpoint Manager to set PUA protection (for a new configuration profile)
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+2. Choose **Devices** > **Configuration profiles** > **+ Create profile**.
+3. For the **Platform**, choose **Windows 10 and later**, and for **Profile**, select **Device restrictions**.
+4. On the **Basics** tab, specify a name and description for your policy. Then choose **Next**.
+5. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**.
+6. Set **Detect potentially unwanted applications** to **Audit**, and then choose **Next**. (You can turn off PUA protection, but by using audit mode, you will be able to see detections.)
+7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).)
+8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**.
+9. On the **Review + create** tab, review your settings, and, and then choose **Create**.
+
+### Automated investigation and remediation
+
+[Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*.
+
+Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization and other security settings, remediation actions are taken on artifacts that are considered to be *Malicious* or *Suspicious*. In some cases, remediation actions occur automatically; in other cases, remediation actions are taken manually or only upon approval by your security operations team.
+
+- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then
+- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation).
+
+> [!IMPORTANT]
+> We recommend using *Full automation* for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use ["allow" indicators to define exceptions](#indicators-for-microsoft-defender-for-endpoint), and keep automated investigation and remediation set to take appropriate actions automatically. Following [this guidance](automation-levels.md#levels-of-automation) helps reduce the number of alerts your security operations team must handle.
+
+## Still need help?
+
+If you have worked through all the steps in this article and still need help, contact technical support.
+
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
+2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**.
+3. In the Support Assistant window, describe your issue, and then send your message. From there, you can open a service request.
+
+## See also
+
+[Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)
+
+[Overview of Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md
index c4921c50f4..127f52cd7a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md
@@ -73,6 +73,6 @@ If Indicator with the specified id was not found - 404 Not Found.
Here is an example of the request.
-```
+```http
DELETE https://api.securitycenter.microsoft.com/api/indicators/995
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx
index de1ec91182..b5683ec66f 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
index 0304cdd397..75f4bba554 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
@@ -15,7 +15,7 @@ ms.localizationpriority: medium
ms.custom:
- next-gen
- edr
-ms.date: 01/07/2021
+ms.date: 01/26/2021
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
@@ -70,7 +70,7 @@ The following image shows an instance of unwanted software that was detected and
|Requirement |Details |
|---------|---------|
|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). |
-|Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server 2016 or later |
+|Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server, version 1803 or newer
- Windows Server 2019 |
|Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering
See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
|Microsoft Defender Antivirus |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode). |
|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index 44d58c8d1e..c34737f912 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -99,7 +99,7 @@ Example:
`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions`
-`Value: c:\path|e:\path|c:\Whitelisted.exe`
+`Value: c:\path|e:\path|c:\Exclusions.exe`
> [!NOTE]
> Be sure to enter OMA-URI values without spaces.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
index ab3344e02c..0d88d39023 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
@@ -44,7 +44,7 @@ Not all properties are filterable.
### Example 1
-Get 10 latest Alerts with related Evidence
+Get 10 latest Alerts with related Evidence:
```http
HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
@@ -57,75 +57,51 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
"value": [
{
- "id": "da637306396589640224_1753239473",
- "incidentId": 875832,
- "investigationId": 478434,
+ "id": "da637472900382838869_1364969609",
+ "incidentId": 1126093,
+ "investigationId": null,
"assignedTo": null,
"severity": "Low",
"status": "New",
"classification": null,
"determination": null,
- "investigationState": "PendingApproval",
- "detectionSource": "WindowsDefenderAv",
- "category": "UnwantedSoftware",
- "threatFamilyName": "InstallCore",
- "title": "An active 'InstallCore' unwanted software was detected",
- "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
- "alertCreationTime": "2020-07-18T03:27:38.9483995Z",
- "firstEventTime": "2020-07-18T03:25:39.6124549Z",
- "lastEventTime": "2020-07-18T03:26:18.4362304Z",
- "lastUpdateTime": "2020-07-18T03:28:19.76Z",
+ "investigationState": "Queued",
+ "detectionSource": "WindowsDefenderAtp",
+ "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
+ "category": "Execution",
+ "threatFamilyName": null,
+ "title": "Low-reputation arbitrary code executed by signed executable",
+ "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
+ "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
+ "firstEventTime": "2021-01-26T20:31:32.9562661Z",
+ "lastEventTime": "2021-01-26T20:31:33.0577322Z",
+ "lastUpdateTime": "2021-01-26T20:33:59.2Z",
"resolvedTime": null,
- "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
- "computerDnsName": "temp2.redmond.corp.microsoft.com",
- "rbacGroupName": "Ring0",
- "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+ "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
+ "computerDnsName": "temp123.middleeast.corp.microsoft.com",
+ "rbacGroupName": "A",
+ "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "threatName": null,
+ "mitreTechniques": [
+ "T1064",
+ "T1085",
+ "T1220"
+ ],
"relatedUser": {
- "userName": "temp2",
- "domainName": "REDMOND"
- },
- "comments": [],
+ "userName": "temp123",
+ "domainName": "MIDDLEEAST"
+ },
+ "comments": [
+ {
+ "comment": "test comment for docs",
+ "createdBy": "secop123@contoso.com",
+ "createdTime": "2021-01-26T01:00:37.8404534Z"
+ }
+ ],
"evidence": [
- {
- "entityType": "File",
- "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
- "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
- "fileName": "Your File Is Ready To Download_1911150169.exe",
- "filePath": "C:\\Users\\temp2\\Downloads",
- "processId": null,
- "processCommandLine": null,
- "processCreationTime": null,
- "parentProcessId": null,
- "parentProcessCreationTime": null,
- "ipAddress": null,
- "url": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null
- },
- {
- "entityType": "Process",
- "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
- "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
- "fileName": "Your File Is Ready To Download_1911150169.exe",
- "filePath": "C:\\Users\\temp2\\Downloads",
- "processId": 24348,
- "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
- "processCreationTime": "2020-07-18T03:25:38.5269993Z",
- "parentProcessId": 16840,
- "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
- "ipAddress": null,
- "url": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null
- },
{
"entityType": "User",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": null,
"sha256": null,
"fileName": null,
@@ -135,13 +111,74 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
"ipAddress": null,
"url": null,
- "accountName": "temp2",
- "domainName": "REDMOND",
- "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
- "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
- "userPrincipalName": "temp2@microsoft.com"
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": "eranb",
+ "domainName": "MIDDLEEAST",
+ "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
+ "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
+ "userPrincipalName": "temp123@microsoft.com",
+ "detectionStatus": null
+ },
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
+ "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
+ "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
+ "fileName": "rundll32.exe",
+ "filePath": "C:\\Windows\\SysWOW64",
+ "processId": 3276,
+ "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
+ "processCreationTime": "2021-01-26T20:31:32.9581596Z",
+ "parentProcessId": 8420,
+ "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
+ "parentProcessFileName": "rundll32.exe",
+ "parentProcessFilePath": "C:\\Windows\\System32",
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ },
+ {
+ "entityType": "File",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
+ "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
+ "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
+ "fileName": "suspicious.dll",
+ "filePath": "c:\\temp",
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
}
]
},
@@ -152,7 +189,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
### Example 2
-Get all the alerts last updated after 2019-11-22 00:00:00
+Get all the alerts last updated after 2019-11-22 00:00:00:
```http
HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z
@@ -188,6 +225,12 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdate
"computerDnsName": "temp123.middleeast.corp.microsoft.com",
"rbacGroupName": "MiddleEast",
"aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "threatName": null,
+ "mitreTechniques": [
+ "T1064",
+ "T1085",
+ "T1220"
+ ],
"relatedUser": {
"userName": "temp123",
"domainName": "MIDDLEEAST"
@@ -208,7 +251,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdate
### Example 3
-Get all the devices with 'High' 'RiskScore'
+Get all the devices with 'High' 'RiskScore':
```http
HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScore+eq+'High'
@@ -221,25 +264,39 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScor
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
"value": [
{
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2021-01-25T07:27:36.052313Z",
"osPlatform": "Windows10",
- "version": "1709",
"osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
+ "version": "1901",
+ "lastIpAddress": "10.166.113.46",
+ "lastExternalIpAddress": "167.220.203.175",
+ "osBuild": 19042,
"healthStatus": "Active",
- "rbacGroupId": 140,
+ "deviceValue": "Normal",
"rbacGroupName": "The-A-Team",
"riskScore": "High",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "ExampleTag" ]
- },
+ "exposureLevel": "Low",
+ "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
+ "machineTags": [
+ "Tag1",
+ "Tag2"
+ ],
+ "ipAddresses": [
+ {
+ "ipAddress": "10.166.113.47",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ },
+ {
+ "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ }
+ ]
+ },
...
]
}
@@ -247,7 +304,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScor
### Example 4
-Get top 100 devices with 'HealthStatus' not equals to 'Active'
+Get top 100 devices with 'HealthStatus' not equals to 'Active':
```http
HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100
@@ -260,25 +317,39 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthSt
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
"value": [
{
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2021-01-25T07:27:36.052313Z",
"osPlatform": "Windows10",
- "version": "1709",
"osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
- "healthStatus": "ImpairedCommunication",
- "rbacGroupId": 140,
+ "version": "1901",
+ "lastIpAddress": "10.166.113.46",
+ "lastExternalIpAddress": "167.220.203.175",
+ "osBuild": 19042,
+ "healthStatus": "Active",
+ "deviceValue": "Normal",
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "ExampleTag" ]
- },
+ "exposureLevel": "Low",
+ "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
+ "machineTags": [
+ "Tag1",
+ "Tag2"
+ ],
+ "ipAddresses": [
+ {
+ "ipAddress": "10.166.113.47",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ },
+ {
+ "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ }
+ ]
+ },
...
]
}
@@ -286,7 +357,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthSt
### Example 5
-Get all the devices that last seen after 2018-10-20
+Get all the devices that last seen after 2018-10-20:
```http
HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen gt 2018-08-01Z
@@ -299,25 +370,39 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
"value": [
{
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2021-01-25T07:27:36.052313Z",
"osPlatform": "Windows10",
- "version": "1709",
"osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
- "healthStatus": "ImpairedCommunication",
- "rbacGroupId": 140,
+ "version": "1901",
+ "lastIpAddress": "10.166.113.46",
+ "lastExternalIpAddress": "167.220.203.175",
+ "osBuild": 19042,
+ "healthStatus": "Active",
+ "deviceValue": "Normal",
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "ExampleTag" ]
- },
+ "exposureLevel": "Low",
+ "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
+ "machineTags": [
+ "Tag1",
+ "Tag2"
+ ],
+ "ipAddresses": [
+ {
+ "ipAddress": "10.166.113.47",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ },
+ {
+ "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ }
+ ]
+ },
...
]
}
@@ -325,7 +410,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen
### Example 6
-Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender for Endpoint
+Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender for Endpoint:
```http
HTTP GET https://api.securitycenter.microsoft.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan'
@@ -384,25 +469,39 @@ json{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
"value": [
{
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "computerDnsName": "mymachine1.contoso.com",
- "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
- "osPlatform": "Windows10",
- "version": "1709",
- "osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
- "healthStatus": "ImpairedCommunication",
- "rbacGroupId": 140,
- "rbacGroupName": "The-A-Team",
- "riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "ExampleTag" ]
- },
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2021-01-25T07:27:36.052313Z",
+ "osPlatform": "Windows10",
+ "osProcessor": "x64",
+ "version": "1901",
+ "lastIpAddress": "10.166.113.46",
+ "lastExternalIpAddress": "167.220.203.175",
+ "osBuild": 19042,
+ "healthStatus": "Active",
+ "deviceValue": "Normal",
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "Low",
+ "exposureLevel": "Low",
+ "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
+ "machineTags": [
+ "Tag1",
+ "Tag2"
+ ],
+ "ipAddresses": [
+ {
+ "ipAddress": "10.166.113.47",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ },
+ {
+ "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ }
+ ]
+ },
...
]
}
diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md
deleted file mode 100644
index b00bf9017d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Find device information by internal IP API
-description: Use this API to create calls related to finding a device entry around a specific timestamp by internal IP.
-keywords: ip, apis, graph api, supported apis, find device, device information
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Find device information by internal IP API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-Find a device by internal IP.
-
->[!NOTE]
->The timestamp must be within the last 30 days.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-
-## HTTP request
-```
-GET /api/machines/find(timestamp={time},key={IP})
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and machine exists - 200 OK.
-If no machine found - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61')
-Content-type: application/json
-```
-
-**Response**
-
-Here is an example of the response.
-
-The response will return a list of all devices that reported this IP address within sixteen minutes prior and after the timestamp.
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
- "value": [
- {
- "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb",
- "computerDnsName": "",
- "firstSeen": "2017-07-06T01:25:04.9480498Z",
- "osPlatform": "Windows10",
-…
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
index 5a461d731b..d9ebb6559c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
@@ -80,6 +80,6 @@ If the timestamp is not in the past 30 days - 400 Bad Request.
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2019-09-22T08:44:05Z)
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md
new file mode 100644
index 0000000000..5bb4e7756f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md
@@ -0,0 +1,89 @@
+---
+title: Find devices by tag API
+description: Find all devices that contain specifc tag
+keywords: apis, supported apis, get, device, find, find device, by tag, tag
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Find devices by tag API
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
+
+[!include[Improve request performance](../../includes/improve-request-performance.md)]
+
+
+## API description
+Find [Machines](machine.md) by [Tag](machine-tags.md).
+
```startswith``` query is supported.
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+
+## HTTP request
+```
+GET /api/machines/findbytag?tag={tag}&useStartsWithFilter={true/false}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+## Request URI parameters
+
+Name | Type | Description
+:---|:---|:---
+tag | String | The tag name. **Required**.
+useStartsWithFilter | Boolean | When set to true, the search will find all devices with tag name that starts with the given tag in the query. Defaults to false. **Optional**.
+
+## Request body
+Empty
+
+## Response
+If successful - 200 OK with list of the machines in the response body.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```http
+GET https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=testTag&useStartsWithFilter=true
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
index 9347365103..c84308bef0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
@@ -77,7 +77,7 @@ If successful and alert and domain exist - 200 OK. If alert not found - 404 Not
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/domains
```
@@ -85,9 +85,7 @@ GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_213628044
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Domains",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
index 80dfa7de59..015b98dba0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
@@ -77,7 +77,7 @@ If successful and alert and files exist - 200 OK. If alert not found - 404 Not F
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/files
```
@@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
index b241dd2b72..602a1fd1c4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
@@ -78,7 +78,7 @@ If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not F
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/ips
```
@@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_213628044
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Ips",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
index e4850f8d55..4a56186c19 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
@@ -56,7 +56,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+
+```http
GET /api/alerts/{id}/machine
```
@@ -79,7 +80,7 @@ If successful and alert and device exist - 200 OK. If alert not found or device
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/machine
```
@@ -88,28 +89,39 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines/$entity",
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "computerDnsName": "mymachine1.contoso.com",
- "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
- "osPlatform": "Windows10",
- "version": "1709",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2021-01-25T07:27:36.052313Z",
+ "osPlatform": "Windows10",
"osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
- "healthStatus": "Active",
- "rbacGroupId": 140,
+ "version": "1901",
+ "lastIpAddress": "10.166.113.46",
+ "lastExternalIpAddress": "167.220.203.175",
+ "osBuild": 19042,
+ "healthStatus": "Active",
+ "deviceValue": "Normal",
"rbacGroupName": "The-A-Team",
- "riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "test tag 2" ]
+ "riskScore": "Low",
+ "exposureLevel": "Low",
+ "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
+ "machineTags": [
+ "Tag1",
+ "Tag2"
+ ],
+ "ipAddresses": [
+ {
+ "ipAddress": "10.166.113.47",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ },
+ {
+ "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ }
+ ]
}
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
index ea89e7158c..2afbe73739 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
@@ -78,7 +78,7 @@ If successful and alert and a user exists - 200 OK with user in the body. If ale
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/user
```
@@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity",
"id": "contoso\\user1",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
index 918af17cc7..47af279049 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
@@ -88,7 +88,7 @@ If successful, this method returns 200 OK, and a list of [alert](alerts.md) obje
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/alerts
```
@@ -128,6 +128,12 @@ Here is an example of the response.
"computerDnsName": "temp123.middleeast.corp.microsoft.com",
"rbacGroupName": "MiddleEast",
"aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "threatName": null,
+ "mitreTechniques": [
+ "T1064",
+ "T1085",
+ "T1220"
+ ],
"relatedUser": {
"userName": "temp123",
"domainName": "MIDDLEEAST"
@@ -152,7 +158,7 @@ Here is an example of the response.
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
```
@@ -170,75 +176,51 @@ Here is an example of the response.
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
"value": [
{
- "id": "da637306396589640224_1753239473",
- "incidentId": 875832,
- "investigationId": 478434,
+ "id": "da637472900382838869_1364969609",
+ "incidentId": 1126093,
+ "investigationId": null,
"assignedTo": null,
"severity": "Low",
"status": "New",
"classification": null,
"determination": null,
- "investigationState": "PendingApproval",
- "detectionSource": "WindowsDefenderAv",
- "category": "UnwantedSoftware",
- "threatFamilyName": "InstallCore",
- "title": "An active 'InstallCore' unwanted software was detected",
- "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
- "alertCreationTime": "2020-07-18T03:27:38.9483995Z",
- "firstEventTime": "2020-07-18T03:25:39.6124549Z",
- "lastEventTime": "2020-07-18T03:26:18.4362304Z",
- "lastUpdateTime": "2020-07-18T03:28:19.76Z",
+ "investigationState": "Queued",
+ "detectionSource": "WindowsDefenderAtp",
+ "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
+ "category": "Execution",
+ "threatFamilyName": null,
+ "title": "Low-reputation arbitrary code executed by signed executable",
+ "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
+ "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
+ "firstEventTime": "2021-01-26T20:31:32.9562661Z",
+ "lastEventTime": "2021-01-26T20:31:33.0577322Z",
+ "lastUpdateTime": "2021-01-26T20:33:59.2Z",
"resolvedTime": null,
- "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
- "computerDnsName": "temp2.redmond.corp.microsoft.com",
- "rbacGroupName": "Ring0",
- "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+ "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
+ "computerDnsName": "temp123.middleeast.corp.microsoft.com",
+ "rbacGroupName": "A",
+ "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "threatName": null,
+ "mitreTechniques": [
+ "T1064",
+ "T1085",
+ "T1220"
+ ],
"relatedUser": {
- "userName": "temp2",
- "domainName": "REDMOND"
- },
- "comments": [],
+ "userName": "temp123",
+ "domainName": "MIDDLEEAST"
+ },
+ "comments": [
+ {
+ "comment": "test comment for docs",
+ "createdBy": "secop123@contoso.com",
+ "createdTime": "2021-01-26T01:00:37.8404534Z"
+ }
+ ],
"evidence": [
- {
- "entityType": "File",
- "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
- "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
- "fileName": "Your File Is Ready To Download_1911150169.exe",
- "filePath": "C:\\Users\\temp2\\Downloads",
- "processId": null,
- "processCommandLine": null,
- "processCreationTime": null,
- "parentProcessId": null,
- "parentProcessCreationTime": null,
- "ipAddress": null,
- "url": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null
- },
- {
- "entityType": "Process",
- "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
- "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
- "fileName": "Your File Is Ready To Download_1911150169.exe",
- "filePath": "C:\\Users\\temp2\\Downloads",
- "processId": 24348,
- "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
- "processCreationTime": "2020-07-18T03:25:38.5269993Z",
- "parentProcessId": 16840,
- "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
- "ipAddress": null,
- "url": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null
- },
{
"entityType": "User",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": null,
"sha256": null,
"fileName": null,
@@ -248,13 +230,74 @@ Here is an example of the response.
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
"ipAddress": null,
"url": null,
- "accountName": "temp2",
- "domainName": "REDMOND",
- "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
- "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
- "userPrincipalName": "temp2@microsoft.com"
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": "eranb",
+ "domainName": "MIDDLEEAST",
+ "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
+ "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
+ "userPrincipalName": "temp123@microsoft.com",
+ "detectionStatus": null
+ },
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
+ "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
+ "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
+ "fileName": "rundll32.exe",
+ "filePath": "C:\\Windows\\SysWOW64",
+ "processId": 3276,
+ "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
+ "processCreationTime": "2021-01-26T20:31:32.9581596Z",
+ "parentProcessId": 8420,
+ "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
+ "parentProcessFileName": "rundll32.exe",
+ "parentProcessFilePath": "C:\\Windows\\System32",
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ },
+ {
+ "entityType": "File",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
+ "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
+ "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
+ "fileName": "suspicious.dll",
+ "filePath": "c:\\temp",
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
}
]
},
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
index 9be5af6b31..6548493ea9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of security recommendati
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/recommendations
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
index 73cc542fda..0126da149d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
@@ -72,7 +72,7 @@ If successful, this method returns 200 OK with the list of vulnerabilities in th
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/vulnerabilities/machinesVulnerabilities
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
index 17f9e97ef1..00ade14700 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of vulnerabilities in th
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Vulnerabilities
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
index 41df827074..3264cc7d76 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
@@ -61,18 +61,15 @@ If successful and map exists - 200 OK.
Here is an example of the request.
-```
+```http
GET https://graph.microsoft.com/testwdatppreview/CveKbMap
-Content-type: application/json
```
**Response**
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap",
"@odata.count": 4168,
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
index b18413a57e..2edded89ae 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
@@ -68,7 +68,7 @@ If successful, this method returns 200 OK, with the device secure score data in
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/configurationScore
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
index 773a35d073..760ce4ddb9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
@@ -30,8 +30,12 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
+## API description
Retrieves a collection of discovered vulnerabilities related to a given device ID.
+## Limitations
+1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour.
+
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
@@ -67,7 +71,7 @@ If successful, this method returns 200 OK with the discovered vulnerability info
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities
```
@@ -75,7 +79,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf4
Here is an example of the response.
-```
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
index dda241406d..13a3f3f28f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
@@ -62,6 +62,11 @@ Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
+## Request URI parameters
+
+Name | Type | Description
+:---|:---|:---
+lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**.
## Request body
Empty
@@ -76,8 +81,8 @@ If successful and domain exists - 200 OK, with statistics object in the response
Here is an example of the request.
-```
-GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats
+```http
+GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookBackHours=48
```
**Response**
@@ -85,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
"host": "example.com",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
index c06627a36f..0288816bb4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
@@ -70,7 +70,7 @@ If successful, this method returns 200 OK, with the exposure data in the respons
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/exposureScore
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
index 736c3298e2..37b4c39da7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
@@ -76,7 +76,7 @@ If successful and file exists - 200 OK with the [file](files.md) entity in the b
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3
```
@@ -85,9 +85,7 @@ GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files/$entity",
"sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
index dd23bde922..1ef694df96 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
@@ -79,6 +79,6 @@ If successful and file exists - 200 OK with list of [alert](alerts.md) entities
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
index 981b5352e4..c0de4442c2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
@@ -79,6 +79,6 @@ If successful and file exists - 200 OK with list of [machine](machine.md) entiti
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
index 45c0c7f97f..ab8b12267d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
@@ -62,6 +62,11 @@ Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
+## Request URI parameters
+
+Name | Type | Description
+:---|:---|:---
+lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**.
## Request body
Empty
@@ -76,8 +81,8 @@ If successful and file exists - 200 OK with statistical data in the body. If fil
Here is an example of the request.
-```
-GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats
+```http
+GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48
```
**Response**
@@ -85,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
"sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
index 1d74c52f25..9effa5d7a6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
@@ -66,7 +66,7 @@ If successful, this method returns 200 OK with the installed software informatio
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md
index 47662456ae..cca2597b98 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md
@@ -90,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/investigations
Here is an example of the response:
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Investigations",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
index ec0bd5533a..d4f66c71d6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
@@ -79,6 +79,6 @@ If successful and IP exists - 200 OK with list of [alert](alerts.md) entities in
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/alerts
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
index e720d2f338..bc04301ab1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
@@ -63,6 +63,11 @@ Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
+## Request URI parameters
+
+Name | Type | Description
+:---|:---|:---
+lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**.
## Request body
Empty
@@ -78,7 +83,7 @@ If successful and ip exists - 200 OK with statistical data in the body. IP do no
Here is an example of the request.
```http
-GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats
+GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats?lookBackHours=48
```
**Response**
@@ -86,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats
Here is an example of the response.
-```http
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
"ipAddress": "10.209.67.177",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
index f108cdfbf6..0eeced010e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
@@ -61,18 +61,15 @@ If successful - 200 OK.
Here is an example of the request.
-```
+```http
GET https://graph.microsoft.com/testwdatppreview/KbInfo
-Content-type: application/json
```
**Response**
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo",
"@odata.count": 271,
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
index ceac9cc0ed..76dc993182 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
@@ -41,7 +41,7 @@ Retrieves specific [Machine](machine.md) by its device ID or computer name.
## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md).
Permission type | Permission | Permission display name
:---|:---|:---
@@ -91,29 +91,39 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29
Here is an example of the response.
-```http
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machine",
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2021-01-25T07:27:36.052313Z",
"osPlatform": "Windows10",
- "version": "1709",
"osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
+ "version": "1901",
+ "lastIpAddress": "10.166.113.46",
+ "lastExternalIpAddress": "167.220.203.175",
+ "osBuild": 19042,
"healthStatus": "Active",
- "rbacGroupId": 140,
+ "deviceValue": "Normal",
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "test tag 2" ]
+ "exposureLevel": "Low",
+ "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
+ "machineTags": [
+ "Tag1",
+ "Tag2"
+ ],
+ "ipAddresses": [
+ {
+ "ipAddress": "10.166.113.47",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ },
+ {
+ "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ }
+ ]
}
-
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
index f7ea61feb1..6f54986e33 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
@@ -70,7 +70,7 @@ If successful, this method returns 200 OK, with a list of exposure score per dev
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/exposureScore/ByMachineGroups
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
index f4730dce02..3e9b901fac 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
@@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29
Here is an example of the response.
-```http
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
index 35d7343116..9520bd1379 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
@@ -77,7 +77,7 @@ If successful, this method returns 200, Ok response code with a [Machine Action]
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
```
@@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-42
Here is an example of the response.
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity",
"id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
index 11bd89fa3b..d910d3beda 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
@@ -82,7 +82,7 @@ If successful, this method returns 200, Ok response code with a collection of [m
Here is an example of the request on an organization that has three MachineActions.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machineactions
```
@@ -91,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/machineactions
Here is an example of the response.
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
index cbcb0e0b06..b2f9da0734 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK and a list of devices with the softwar
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machineReferences
```
@@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machi
Here is an example of the response.
```json
-
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
index 35a821c812..bf4208cd36 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the vulnerability information in
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/vulnerabilities/CVE-2019-0608/machineReferences
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
index ad2331e5ab..44e815ff37 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
@@ -33,9 +33,12 @@ ms.technology: mde
## API description
Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender for Endpoint cloud.
-
Supports [OData V4 queries](https://www.odata.org/documentation/).
-
The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
-
See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md)
+
+Supports [OData V4 queries](https://www.odata.org/documentation/).
+
+The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
+
+See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md).
## Limitations
@@ -55,8 +58,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
>[!Note]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information).
+>- Response will include only devices, that the user have access to, based on device group settings. For more info, see [Create and manage device groups](machine-groups.md).
## HTTP request
@@ -92,32 +95,44 @@ GET https://api.securitycenter.microsoft.com/api/machines
Here is an example of the response.
-```http
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
"value": [
{
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2021-01-25T07:27:36.052313Z",
"osPlatform": "Windows10",
- "version": "1709",
"osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
+ "version": "1901",
+ "lastIpAddress": "10.166.113.46",
+ "lastExternalIpAddress": "167.220.203.175",
+ "osBuild": 19042,
"healthStatus": "Active",
- "rbacGroupId": 140,
+ "deviceValue": "Normal",
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "test tag 2" ]
- }
+ "exposureLevel": "Low",
+ "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
+ "machineTags": [
+ "Tag1",
+ "Tag2"
+ ],
+ "ipAddresses": [
+ {
+ "ipAddress": "10.166.113.47",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ },
+ {
+ "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ }
+ ]
+ },
...
]
}
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
index 9565ba0014..9d1e0ef235 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
@@ -60,9 +60,8 @@ If successful - 200 OK.
Here is an example of the request.
-```
+```http
GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates
-Content-type: application/json
```
**Response**
@@ -70,9 +69,7 @@ Content-type: application/json
Here is an example of the response.
Field *id* contains device id and equal to the field *id** in devices info.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineSecurityStates",
"@odata.count":444,
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
index 9ac01f22cf..d3c13ddae1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
@@ -30,7 +30,11 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-Retrieves missing KBs (security updates) by device ID
+## API description
+Retrieves missing KBs (security updates) by device ID.
+
+## Limitations
+1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour.
## HTTP request
@@ -58,7 +62,7 @@ If successful, this method returns 200 OK, with the specified device missing kb
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
index 4c037b678e..3b53dabe02 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
@@ -68,7 +68,7 @@ If successful, this method returns 200 OK, with the specified software missing k
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/getmissingkbs
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
index ccd17fea22..2683556f81 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
@@ -73,19 +73,15 @@ If successful, this method returns 200, Ok response code with object that holds
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
-
```
**Response**
Here is an example of the response.
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
-
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String",
"value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
index d752962405..5548416186 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the security recommendations in t
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
index 7d46d6e6fe..fa448849b7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of devices associated wi
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/machineReferences
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
index 4f144b37e3..0fcdc3e55a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the software associated with the
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/software
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
index 6c606f3bfc..e4a52ff2a7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK, with the list of vulnerabilities asso
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/vulnerabilities
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
index 1d2dfe41dd..2581a14cb0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
@@ -31,8 +31,12 @@ ms.technology: mde
[!include[Prerelease information](../../includes/prerelease.md)]
+## API description
Retrieves a collection of security recommendations related to a given device ID.
+## Limitations
+1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour.
+
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
@@ -66,7 +70,7 @@ If successful, this method returns 200 OK with the security recommendations in t
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations
```
@@ -75,7 +79,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf4
Here is an example of the response.
-```
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
index da3f09fb2d..43ed0055bf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
@@ -1,6 +1,6 @@
---
title: Get software by Id
-description: Retrieves a list of exposure scores by device group.
+description: Retrieves a list of sofware by ID.
keywords: apis, graph api, supported apis, get, software, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the specified software data in th
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge
```
@@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge
Here is an example of the response.
```json
-
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software/$entity",
"id": "microsoft-_-edge",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
index c707f59ef2..897e0c91a7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with a list of software distributions
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distributions
```
@@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distr
Here is an example of the response.
```json
-
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Distributions",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
index 95e59d134f..b070207ed0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
@@ -66,7 +66,7 @@ If successful, this method returns 200 OK with the software inventory in the bod
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Software
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
index 58cb3f78a5..5a5ea5a354 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
@@ -78,7 +78,7 @@ If successful, this method returns 200, Ok response code with a collection of [I
Here is an example of a request that gets all Indicators
-```
+```http
GET https://api.securitycenter.microsoft.com/api/indicators
```
@@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/indicators
Here is an example of the response.
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators",
"value": [
@@ -141,7 +139,7 @@ Content-type: application/json
Here is an example of a request that gets all Indicators with 'AlertAndBlock' action
-```
+```http
GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'AlertAndBlock'
```
@@ -149,9 +147,7 @@ GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'A
Here is an example of the response.
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
index 7a7e85e081..d4d47fa618 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
@@ -64,9 +64,8 @@ If successful and user exists - 200 OK with [user](user.md) entity in the body.
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/users/user1
-Content-type: application/json
```
**Response**
@@ -74,9 +73,7 @@ Content-type: application/json
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity",
"id": "user1",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
index 7705c00e4b..341e56d35d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
@@ -81,6 +81,6 @@ If successful and user exists - 200 OK. If the user does not exist - 404 Not Fou
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/users/user1/alerts
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
index 7cab2321b4..b91c080c8e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
@@ -82,6 +82,6 @@ If successful and user exists - 200 OK with list of [machine](machine.md) entiti
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/users/user1/machines
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
index c60ff31fdb..762572746a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with a a list of vulnerabilities expos
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulnerabilities
```
@@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulne
Here is an example of the response.
```json
-
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
index e8cc9c8257..441ac6bf08 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the vulnerability information in
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Vulnerabilities/CVE-2019-0608
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md
index 2bde8df0d5..972dc7f639 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/gov.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md
@@ -31,8 +31,16 @@ This offering is currently available to Microsoft 365 GCC and GCC High customers
> [!NOTE]
> If you are a "GCC on Commercial" customer, please refer to the public documentation pages.
-
+## Portal URLs
+The following are the Microsoft Defender for Endpoint portal URLs for US Government customers:
+
+Customer type | Portal URL
+:---|:---
+GCC | https://gcc.securitycenter.microsoft.us
+GCC High | https://securitycenter.microsoft.us
+
+
## Endpoint versions
@@ -63,7 +71,10 @@ Android |  On engineering backlog |  On engineering backlog |  On engineering backlog
> [!NOTE]
-> A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment.
+> Where a patch is specified, it must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment.
+
+> [!NOTE]
+> Trying to onboard Windows devices older than Windows 10 or Windows Server 2019 using [Microsoft Monitoring Agent](configure-server-endpoints.md#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)? You'll need to choose "Azure US Government" under "Azure Cloud" if using the [setup wizard](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard), or if using a [command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line) or a [script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation) - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1.
### OS versions when using Azure Defender for Servers
The following OS versions are supported when using [Azure Defender for Servers](https://docs.microsoft.com/azure/security-center/security-center-wdatp):
@@ -88,7 +99,6 @@ Defender for Endpoint GCC High specific | `winatp-gw-usgt.microsoft.com`
`win
-
## API
Instead of the public URIs listed in our [API documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro), you'll need to use the following URIs:
@@ -100,7 +110,6 @@ SIEM | `https://wdatp-alertexporter-us.gcc.securitycenter.windows.us` | `https:/
-
## Feature parity with commercial
Defender for Endpoint doesn't have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available that we'd like to highlight.
@@ -114,18 +123,18 @@ Email notifications |  Rolling out |  |  In development
Management and APIs: Device health and compliance report |  |  In development
Management and APIs: Integration with third-party products |  |  In development
-Management and APIs: Streaming API |  Rolling out |  In development
+Management and APIs: Streaming API |  |  In development
Management and APIs: Threat protection report |  |  In development
Threat & vulnerability management |  |  In development
Threat analytics |  |  In development
Web content filtering |  In development |  In development
-Integrations: Azure Sentinel |  Rolling out |  In development
+Integrations: Azure Sentinel |  |  In development
Integrations: Microsoft Cloud App Security |  On engineering backlog |  On engineering backlog
Integrations: Microsoft Compliance Center |  On engineering backlog |  On engineering backlog
Integrations: Microsoft Defender for Identity |  On engineering backlog |  On engineering backlog
Integrations: Microsoft Defender for Office 365 |  On engineering backlog |  On engineering backlog
Integrations: Microsoft Endpoint DLP |  On engineering backlog |  On engineering backlog
Integrations: Microsoft Intune |  |  In development
-Integrations: Microsoft Power Automate & Azure Logic Apps |  Rolling out |  In development
+Integrations: Microsoft Power Automate & Azure Logic Apps |  |  In development
Integrations: Skype for Business / Teams |  |  In development
Microsoft Threat Experts |  On engineering backlog |  On engineering backlog
diff --git a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md
index 7d275ab90b..88e26c2252 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md
@@ -29,31 +29,33 @@ ms.technology: mde
Access helpful resources such as links to blogs and other resources related to Microsoft Defender for Endpoint.
## Endpoint protection platform
-- [Top scoring in industry
+- [Top scoring in industry
tests](https://docs.microsoft.com/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests)
-- [Inside out: Get to know the advanced technologies at the core of Defender for Endpoint next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/)
+- [Inside out: Get to know the advanced technologies at the core of Defender for Endpoint next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/)
-- [Protecting disconnected devices with Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341)
+- [Protecting disconnected devices with Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341)
-- [Tamper protection in Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571)
+- [Tamper protection in Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571)
## Endpoint Detection Response
-- [Incident response at your fingertips with Defender for Endpoint live response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894)
+- [Incident response at your fingertips with Defender for Endpoint live response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894)
## Threat Vulnerability Management
-- [Defender for Endpoint Threat & Vulnerability Management now publicly
+- [Defender for Endpoint Threat & Vulnerability Management now publicly
available!](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/MDATP-Threat-amp-Vulnerability-Management-now-publicly-available/ba-p/460977)
## Operational
-- [The Golden Hour remake - Defining metrics for a successful security
+- [The Golden Hour remake - Defining metrics for a successful security
operations](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/The-Golden-Hour-remake-Defining-metrics-for-a-successful/ba-p/782014)
-- [Defender for Endpoint Evaluation lab is now available in public preview
+- [Defender for Endpoint Evaluation lab is now available in public preview
](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-Evaluation-lab-is-now-available-in-public/ba-p/770271)
-- [How automation brings value to your security
+- [How automation brings value to your security
teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297)
+
+- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png
new file mode 100644
index 0000000000..e30347f04c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png
new file mode 100644
index 0000000000..c2092639af
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png
new file mode 100644
index 0000000000..85a91de789
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md
new file mode 100644
index 0000000000..ae63ad7d4b
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md
@@ -0,0 +1,142 @@
+---
+title: Import Indicators API
+description: Learn how to use the Import batch of Indicator API in Microsoft Defender Advanced Threat Protection.
+keywords: apis, supported apis, submit, ti, indicator, update
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Import Indicators API
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
+
+[!include[Improve request performance](../../includes/improve-request-performance.md)]
+
+
+## API description
+Submits or Updates batch of [Indicator](ti-indicator.md) entities.
+
CIDR notation for IPs is not supported.
+
+## Limitations
+1. Rate limitations for this API are 30 calls per minute.
+2. There is a limit of 15,000 active [Indicators](ti-indicator.md) per tenant.
+3. Maximum batch size for one API call is 500.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti.ReadWrite | 'Read and write Indicators'
+Application | Ti.ReadWrite.All | 'Read and write All Indicators'
+Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators'
+
+
+## HTTP request
+```
+POST https://api.securitycenter.microsoft.com/api/indicators/import
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Indicators | List<[Indicator](ti-indicator.md)> | List of [Indicators](ti-indicator.md). **Required**
+
+
+## Response
+- If successful, this method returns 200 - OK response code with a list of import results per indicator, see example below.
+- If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```http
+POST https://api.securitycenter.microsoft.com/api/indicators/import
+```
+
+```json
+{
+ "Indicators":
+ [
+ {
+ "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "demo",
+ "application": "demo-test",
+ "expirationTime": "2021-12-12T00:00:00Z",
+ "action": "Alert",
+ "severity": "Informational",
+ "description": "demo2",
+ "recommendedActions": "nothing",
+ "rbacGroupNames": ["group1", "group2"]
+ },
+ {
+ "indicatorValue": "2233223322332233223322332233223322332233223322332233223322332222",
+ "indicatorType": "FileSha256",
+ "title": "demo2",
+ "application": "demo-test2",
+ "expirationTime": "2021-12-12T00:00:00Z",
+ "action": "Alert",
+ "severity": "Medium",
+ "description": "demo2",
+ "recommendedActions": "nothing",
+ "rbacGroupNames": []
+ }
+ ]
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "value": [
+ {
+ "id": "2841",
+ "indicator": "220e7d15b011d7fac48f2bd61114db1022197f7f",
+ "isFailed": false,
+ "failureReason": null
+ },
+ {
+ "id": "2842",
+ "indicator": "2233223322332233223322332233223322332233223322332233223322332222",
+ "isFailed": false,
+ "failureReason": null
+ }
+ ]
+}
+```
+
+## Related topic
+- [Manage indicators](manage-indicators.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md
index be86647e97..78a28933b4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md
@@ -2,7 +2,7 @@
title: Create indicators for files
ms.reviewer:
description: Create indicators for a file hash that define the detection, prevention, and exclusion of entities.
-keywords: file, hash, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
+keywords: file, hash, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
@@ -39,7 +39,7 @@ There are two ways you can create indicators for files:
### Before you begin
It's important to understand the following prerequisites prior to creating indicators for files:
-- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
+- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
- The Antimalware client version must be 4.18.1901.x or later.
- Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019.
- To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
index f238e1f680..2fd5f9cce1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
@@ -2,7 +2,7 @@
title: Create indicators for IPs and URLs/domains
ms.reviewer:
description: Create indicators for IPs and URLs/domains that define the detection, prevention, and exclusion of entities.
-keywords: ip, url, domain, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
+keywords: ip, url, domain, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
index dfb9ea34c6..5617ebcae7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
@@ -84,9 +84,12 @@ If successful, this method returns 201 - Created response code and [Investigatio
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/startInvestigation
-Content-type: application/json
+```
+
+```json
{
- "Comment": "Test investigation",
+ "Comment": "Test investigation"
}
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md
index 6afbbec900..64b309d544 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigation.md
@@ -40,7 +40,7 @@ Represent an Automated Investigation entity in Defender for Endpoint.
Method|Return Type |Description
:---|:---|:---
[List Investigations](get-investigation-collection.md) | Investigation collection | Get collection of Investigation
-[Get single Investigation](get-investigation-collection.md) | Investigation entity | Gets single Investigation entity.
+[Get single Investigation](get-investigation-object.md) | Investigation entity | Gets single Investigation entity.
[Start Investigation](initiate-autoir-investigation.md) | Investigation entity | Starts Investigation on a device.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
index d04735e349..00fc73300c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
@@ -28,40 +28,11 @@ ms.technology: mde
> [!NOTE]
> Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
-## Configure compliance policy against jailbroken devices
+## Conditional Access with Defender for Endpoint for iOS
+Microsoft Defender for Endpoint for iOS along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies
+based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune.
-To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune.
-
-> [!NOTE]
-> At this time Microsoft Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. If used on a jailbroken device, then in specific scenarios data that is used by the application like your corporate email id and corporate profile picture (if available) can be exposed locally
-
-Follow the steps below to create a compliance policy against jailbroken devices.
-
-1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> click on **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-1. Specify a name of the policy, example "Compliance Policy for Jailbreak".
-1. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field.
-
- > [!div class="mx-imgBorder"]
- > 
-
-1. In the *Action for noncompliance* section, select the actions as per your requirements and click **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-1. In the *Assignments* section, select the user groups that you want to include for this policy and then click **Next**.
-1. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
-
-## Configure custom indicators
-
-Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. Refer to [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) on how to configure custom indicators.
-
-> [!NOTE]
-> Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains.
+For more information about how to set up Conditional Access with Defender for Endpoint for iOS, see [Defender for Endpoint and Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
## Web Protection and VPN
@@ -79,10 +50,46 @@ While enabled by default, there might be some cases that require you to disable
> [!NOTE]
> Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**.
-### Co-existence of multiple VPN profiles
+## Co-existence of multiple VPN profiles
Apple iOS does not support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time.
+
+## Configure compliance policy against jailbroken devices
+
+To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune.
+
+> [!NOTE]
+> At this time Microsoft Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. If used on a jailbroken device, then in specific scenarios data that is used by the application like your corporate email id and corporate profile picture (if available) can be exposed locally
+
+Follow the steps below to create a compliance policy against jailbroken devices.
+
+1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**.
+
+ > [!div class="mx-imgBorder"]
+ > 
+
+2. Specify a name of the policy, for example "Compliance Policy for Jailbreak".
+3. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field.
+
+ > [!div class="mx-imgBorder"]
+ > 
+
+4. In the *Action for noncompliance* section, select the actions as per your requirements and select **Next**.
+
+ > [!div class="mx-imgBorder"]
+ > 
+
+5. In the *Assignments* section, select the user groups that you want to include for this policy and then select **Next**.
+6. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
+
+## Configure custom indicators
+
+Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. For more information on how to configure custom indicators, see [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).
+
+> [!NOTE]
+> Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains.
+
## Report unsafe site
Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page if you want to report a website that could be a phishing site.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
index 00d02c3bfe..15f0c9b691 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
@@ -90,13 +90,15 @@ If successful, this method returns 201 - Created response code and [Machine Acti
Here is an example of the request.
-```console
+```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate
-Content-type: application/json
+```
+
+```json
{
"Comment": "Isolate machine due to alert 1234",
- “IsolationType”: “Full”
+ "IsolationType": "Full"
}
```
-- To unisolate a device, see [Release device from isolation](unisolate-machine.md).
+- To release a device from isolation, see [Release device from isolation](unisolate-machine.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
index 904279814f..375f715a8e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
@@ -116,7 +116,7 @@ To complete this process, you must have admin privileges on the device.
The client device is not associated with orgId. Note that the *orgId* attribute is blank.
```bash
- mdatp --health orgId
+ mdatp health --field org_id
```
2. Run the Python script to install the configuration file:
@@ -128,7 +128,7 @@ To complete this process, you must have admin privileges on the device.
3. Verify that the device is now associated with your organization and reports a valid *orgId*:
```bash
- mdatp --health orgId
+ mdatp health --field org_id
```
After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md
index 3b011e3606..73dc882a2c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md
@@ -20,7 +20,7 @@ ms.topic: conceptual
ms.technology: mde
---
-# Set up Microsoft c for macOS device groups in Jamf Pro
+# Set up Microsoft Defender for Endpoint for macOS device groups in Jamf Pro
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
index bf4e6038cc..780f0d40dd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
@@ -751,18 +751,14 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
-4. Navigate to **Advanced Computer Searches**.
-
- 
-
-5. Select **Computer Management**.
+4. Select your computer and click the gear icon at the top, then select **Computer Management**.
-6. In **Packages**, select **+ New**.
+5. In **Packages**, select **+ New**.
-7. In **New Package** Enter the following details:
+6. In **New Package** Enter the following details:
**General tab**
- Display Name: Leave it blank for now. Because it will be reset when you choose your pkg.
@@ -775,15 +771,17 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
-8. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
+7. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
+ **Manifest File** is not required. Microsoft Defender Advanced Threat Protection works without Manifest File.
+
**Options tab**
Keep default values.
**Limitations tab**
Keep default values.
-9. Select **Save**. The package is uploaded to Jamf Pro.
+8. Select **Save**. The package is uploaded to Jamf Pro.
@@ -791,45 +789,45 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
-10. Navigate to the **Policies** page.
+9. Navigate to the **Policies** page.
-11. Select **+ New** to create a new policy.
+10. Select **+ New** to create a new policy.
-12. In **General** Enter the following details:
+11. In **General** Enter the following details:
- Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later
-13. Select **Recurring Check-in**.
+12. Select **Recurring Check-in**.
-14. Select **Save**.
+13. Select **Save**.
-15. Select **Packages > Configure**.
+14. Select **Packages > Configure**.
-16. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
+15. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
-17. Select **Save**.
+16. Select **Save**.
-18. Select the **Scope** tab.
+17. Select the **Scope** tab.
-19. Select the target computers.
+18. Select the target computers.
@@ -845,7 +843,7 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
-20. Select **Done**.
+19. Select **Done**.
@@ -854,4 +852,3 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
index a83bc01f7a..37371fa8f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
@@ -59,7 +59,7 @@ You can configure how PUA files are handled from the command line or from the ma
In Terminal, execute the following command to configure PUA protection:
```bash
-mdatp --threat --type-handling potentially_unwanted_application [off|audit|block]
+mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]
```
### Use the management console to configure PUA protection:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index 8ab4ccb54a..227df25707 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -149,7 +149,7 @@ To enable autocompletion in zsh:
## Client Microsoft Defender for Endpoint quarantine directory
-`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`.
+`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp threat list`.
## Microsoft Defender for Endpoint portal information
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
index b7f2649c73..331b7057ff 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
@@ -47,7 +47,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device.
sh
-c
- /usr/local/bin/mdatp --scan --quick
+ /usr/local/bin/mdatp scan quick
RunAtLoad
@@ -73,7 +73,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device.
2. Save the file as *com.microsoft.wdav.schedquickscan.plist*.
> [!TIP]
- > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp --scan --quick`, to use the `--full` option instead of `--quick` (i.e. `/usr/local/bin/mdatp --scan --full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*.
+ > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp scan quick`, to use the `full` option instead of `quick` (i.e. `/usr/local/bin/mdatp scan full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*.
3. Open **Terminal**.
4. Enter the following commands to load your file:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
index 3cefc80735..8d726d2f36 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
@@ -37,15 +37,15 @@ If you did not approve the kernel extension during the deployment/installation o
-You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device.
+You can also run ```mdatp health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device.
```bash
-mdatp --health
+mdatp health
```
```Output
...
-realTimeProtectionAvailable : false
-realTimeProtectionEnabled : true
+real_time_protection_enabled : false
+real_time_protection_available : true
...
```
@@ -90,15 +90,15 @@ In this case, you need to perform the following steps to trigger the approval fl
sudo kextutil /Library/Extensions/wdavkext.kext
```
- The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available:
+ The banner should disappear from the Defender application, and ```mdatp health``` should now report that real-time protection is both enabled and available:
```bash
- mdatp --health
+ mdatp health
```
```Output
...
- realTimeProtectionAvailable : true
- realTimeProtectionEnabled : true
+ real_time_protection_enabled : true
+ real_time_protection_available : true
...
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
index 96b85255e0..cbfb2f15f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
@@ -43,13 +43,13 @@ The following steps can be used to troubleshoot and mitigate these issues:
- From the user interface. Open Microsoft Defender for Endpoint for Mac and navigate to **Manage settings**.
- 
+ 
- From the Terminal. For security purposes, this operation requires elevation.
- ```bash
- mdatp --config realTimeProtectionEnabled false
- ```
+ ```bash
+ mdatp config real-time-protection --value disabled
+ ```
If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
index 3e8f336502..3a5f837ab4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
@@ -45,7 +45,7 @@ These steps assume you already have Defender for Endpoint running on your device
- Your device must be in the **Insider Fast update channel**. You can check the update channel by using the following command:
```bash
- mdatp --health releaseRing
+ mdatp health --field release_ring
```
If your device isn't already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect the next time the product starts (when the next product update is installed, or when the device is rebooted).
@@ -66,8 +66,9 @@ Follow the deployment steps that correspond to your environment and your preferr
1. After all deployment prerequisites are met, restart your device to launch the system extension approval and activation process.
-You'll see a series of system prompts to approve the Defender for Endpoint system extensions. You must approve **all** prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device.
-For each approval, select **Open Security Preferences** and then select **Allow** to allow the system extension to run.
+ You'll see a series of system prompts to approve the Defender for Endpoint system extensions. You must approve **all** prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device.
+
+ For each approval, select **Open Security Preferences** and then select **Allow** to allow the system extension to run.
> [!IMPORTANT]
> You must close and reopen the **System Preferences** > **Security & Privacy** window between subsequent approvals. Otherwise, macOS will not display the next approval.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index 617e8532aa..55c92067b1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -30,6 +30,14 @@ ms.technology: mde
> [!IMPORTANT]
> Support for macOS 10.13 (High Sierra) will be discontinued on February 15th, 2021.
+## 101.19.48
+
+> [!NOTE]
+> The old command-line tool syntax has been deprecated with this release. For information on the new syntax, see [Resources](mac-resources.md#configuring-from-the-command-line).
+
+- Added a new command-line switch to disable the network extension: `mdatp system-extension network-filter disable`. This command can be useful to troubleshoot networking issues that could be related to Microsoft Defender for Endpoint for Mac
+- Performance improvements & bug fixes
+
## 101.19.21
- Bug fixes
@@ -165,7 +173,7 @@ ms.technology: mde
- Fixed an issue where Microsoft Defender for Endpoint for Mac was sometimes interfering with Time Machine
- Added a new switch to the command-line utility for testing the connectivity with the backend service
```bash
- mdatp --connectivity-test
+ mdatp connectivity test
```
- Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view)
- Performance improvements & bug fixes
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index aaf741920d..477cebbeb7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -45,6 +45,7 @@ Method|Return Type |Description
[Get security recommendations](get-security-recommendations.md) | [recommendation](recommendation.md) collection | Retrieves a collection of security recommendations related to a given machine ID.
[Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine.
[Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP.
+[Find machines by tag](find-machines-by-tag.md) | [machine](machine.md) collection | Find machines by [Tag](machine-tags.md).
[Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID
[Set device value](set-device-value.md)| [machine](machine.md) collection | Set the [value of a device](tvm-assign-device-value.md).
@@ -57,17 +58,19 @@ computerDnsName | String | [machine](machine.md) fully qualified name.
firstSeen | DateTimeOffset | First date and time where the [machine](machine.md) was observed by Microsoft Defender for Endpoint.
lastSeen | DateTimeOffset |Time and date of the last received full device report. A device typically sends a full report every 24 hours.
osPlatform | String | Operating system platform.
+osProcessor | String | Operating system processor.
version | String | Operating system Version.
osBuild | Nullable long | Operating system build number.
lastIpAddress | String | Last IP on local NIC on the [machine](machine.md).
lastExternalIpAddress | String | Last IP through which the [machine](machine.md) accessed the internet.
-healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication"
+healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData", "NoSensorDataImpairedCommunication" and "Unknown".
rbacGroupName | String | Machine group Name.
-rbacGroupId | Int | Machine group unique ID.
riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'.
exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'.
aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is AAD Joined).
machineTags | String collection | Set of [machine](machine.md) tags.
exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'.
deviceValue | Nullable Enum | The [value of the device](tvm-assign-device-value.md). Possible values are: 'Normal', 'Low' and 'High'.
+ipAddresses | IpAddress collection | Set of ***IpAddress*** objects. See [Get machines API](get-machines.md).
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
index 2cb0d3548e..efb39aa306 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
@@ -18,7 +18,7 @@ ms.collection:
- M365-security-compliance
- m365solution-scenario
ms.topic: conceptual
-ms.date: 09/22/2020
+ms.date: 01/26/2021
ms.reviewer: chventou
---
@@ -43,3 +43,6 @@ The following table lists various tools/methods you can use, with links to learn
|**[Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy)** |[Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs).
See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md). |
|**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)** |*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.*
You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell).
You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender for Endpoint with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi).
You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe). |
+## See also
+
+- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
index bf07f58bcb..d98440f9bd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
@@ -142,7 +142,7 @@ Microsoft Defender Antivirus can run alongside McAfee if you set Microsoft Defen
|Method |What to do |
|---------|---------|
|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. |
+|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.|
> [!NOTE]
> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
index 61c7fe0660..9766c422da 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
@@ -132,7 +132,7 @@ The output from this command should be similar to the following:
Once Microsoft Defender for Endpoint is installed, connectivity can be validated by running the following command in Terminal:
```bash
-mdatp --connectivity-test
+mdatp connectivity test
```
## How to update Microsoft Defender for Endpoint for Mac
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index 7d4ff91ed4..f7623205a3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -199,14 +199,12 @@ When Microsoft Defender Antivirus is not the active antimalware in your organiza
If your organization has turned off Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded must be excluded from this group policy.
-If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Microsoft Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md).
+If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, Microsoft Defender Antivirus will either need to be configured to go on passive mode or uninstalled. The configuration is dependent on the server version. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
> [!NOTE]
> Your regular group policy doesn't apply to Tamper Protection, and changes to Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on.
-For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
-
## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Defender for Endpoint agent will successfully onboard.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
index 7fd98bd981..29ed5acfbf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@@ -45,13 +45,13 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network
## Requirements
-Network protection requires Windows 10 Pro, Enterprise E3, E5, and Microsoft Defender AV real-time protection.
+Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender Antivirus real-time protection.
-Windows 10 version | Microsoft Defender Antivirus
--|-
-Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled
+| Windows 10 version | Microsoft Defender Antivirus |
+|:---|:---|
+| Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled |
-After you have enabled the services, you may need to configure your network or firewall to allow the connections between the services and your endpoints.
+After you have enabled the services, you might need to configure your network or firewall to allow the connections between the services and your endpoints.
- .smartscreen.microsoft.com
- .smartscreen-prod.microsoft.com
@@ -79,11 +79,11 @@ You can review the Windows event log to see events that are created when network
3. This will create a custom view that filters to only show the following events related to network protection:
- Event ID | Description
- -|-
- 5007 | Event when settings are changed
- 1125 | Event when network protection fires in audit mode
- 1126 | Event when network protection fires in block mode
+ | Event ID | Description |
+ |:---|:---|
+ | 5007 | Event when settings are changed |
+ | 1125 | Event when network protection fires in audit mode |
+ | 1126 | Event when network protection fires in block mode |
## Related articles
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
index 8eef870362..df8552d5a9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
@@ -87,9 +87,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard
-Content-type: application/json
+```
+
+```json
{
"Comment": "Offboard machine by automation"
}
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
index 8bf4aa0e07..bb6315accb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
@@ -83,9 +83,13 @@ Review the following details to verify minimum system requirements:
- Copy the workspace ID and workspace key
3. Using the Workspace ID and Workspace key choose any of the following installation methods to install the agent:
- - Manually install the agent using setup
+ - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard).
On the **Agent Setup Options** page, select **Connect the agent to Azure Log Analytics (OMS)**
- - [Install the agent using command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-agent-windows#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-agent-windows#add-a-workspace-using-a-script)
+ - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line).
+ - [Configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation).
+
+ > [!NOTE]
+ > If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1.
4. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
index 237c0e1501..f019e3a9d3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
@@ -33,7 +33,7 @@ ms.technology: mde
## API description
Submits or Updates new [Indicator](ti-indicator.md) entity.
-
CIDR notation for IPs is supported.
+
CIDR notation for IPs is not supported.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -89,9 +89,11 @@ rbacGroupNames | String | Comma-separated list of RBAC group names the indicator
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/indicators
-Content-type: application/json
+```
+
+```json
{
"indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
index 035be361f5..49d143d897 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@@ -1,6 +1,6 @@
---
title: Pull Microsoft Defender for Endpoint detections using REST API
-description: Learn how call an Microsoft Defender for Endpoint API endpoint to pull detections in JSON format using the SIEM REST API.
+description: Learn how to call a Microsoft Defender for Endpoint API endpoint to pull detections in JSON format using the SIEM REST API.
keywords: detections, pull detections, rest api, request, response
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -67,7 +67,7 @@ Use the following method in the Microsoft Defender for Endpoint API to pull dete
## Get an access token
Before creating calls to the endpoint, you'll need to get an access token.
-You'll use the access token to access the protected resource, which are detections in Microsoft Defender for Endpoint.
+You'll use the access token to access the protected resource, which is detections in Microsoft Defender for Endpoint.
To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request:
@@ -84,10 +84,10 @@ The response will include an access token and expiry information.
```json
{
"token_type": "Bearer",
- "expires_in": "3599",
- "ext_expires_in": "0",
- "expires_on": "1488720683",
- "not_before": "1488720683",
+ "expires_in": 3599,
+ "ext_expires_in": 0,
+ "expires_on": 1488720683,
+ "not_before": 1488720683,
"resource": "https://graph.windows.net",
"access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..."
}
@@ -115,7 +115,7 @@ Name | Value| Description
:---|:---|:---
sinceTimeUtc | DateTime | Defines the lower time bound alerts are retrieved from, based on field:
`LastProcessedTimeUtc`
The time range will be: from sinceTimeUtc time to current time.
**NOTE**: When not specified, all alerts generated in the last two hours are retrieved.
untilTimeUtc | DateTime | Defines the upper time bound alerts are retrieved.
The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.
**NOTE**: When not specified, the default value will be the current time.
-ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.
Value should be set according to **ISO 8601** duration format
E.g. `ago=PT10M` will pull alerts received in the last 10 minutes.
+ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.
Value should be set according to **ISO 8601** duration format
Example: `ago=PT10M` will pull alerts received in the last 10 minutes.
limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.
**NOTE**: When not specified, all alerts available in the time range will be retrieved.
machinegroups | string | Specifies device groups to pull alerts from.
**NOTE**: When not specified, alerts from all device groups will be retrieved.
Example:
```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
DeviceCreatedMachineTags | string | Single device tag from the registry.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
index fb99be0444..a78424ca79 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
@@ -83,14 +83,15 @@ If successful, this method returns 201 - Created response code and [Machine Acti
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution
-Content-type: application/json
+```
+
+```json
{
"Comment": "Restrict code execution due to alert 1234"
}
```
-- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md).
-
+- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
index 88fddcc27b..1f52029bfe 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
@@ -35,10 +35,10 @@ ms.technology: mde
1. You can only run a query on data from the last 30 days.
2. The results will include a maximum of 100,000 rows.
3. The number of executions is limited per tenant:
- - API calls: Up to 15 calls per minute
- - Execution time: 10 minutes of running time every hour and 4 hours of running time a day
+ - API calls: Up to 45 calls per minute.
+ - Execution time: 10 minutes of running time every hour and 3 hours of running time a day.
4. The maximal execution time of a single request is 10 minutes.
-5. 429 response will represent reaching quota limit either by number of requests or by CPU. The 429 response body will also indicate the time until the quota is renewed.
+5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
@@ -82,9 +82,11 @@ Request
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/advancedqueries/run
-Content-type: application/json
+```
+
+```json
{
"Query":"DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
index dda698fd60..68a10a5e99 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
@@ -91,12 +91,14 @@ If successful, this method returns 201, Created response code and _MachineAction
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan
-Content-type: application/json
+```
+
+```json
{
"Comment": "Check machine for viruses due to alert 3212",
- “ScanType”: “Full”
+ "ScanType": "Full"
}
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
index 6f1fe23a4a..66e0dfcd99 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
@@ -73,12 +73,28 @@ Content-Type | string | application/json. **Required**.
## Request body
-```json
-{
- "DeviceValue": "{device value}"
-}
-```
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+DeviceValue | Enum | Device value. Allowed values are: 'Normal', 'Low' and 'High'. **Required**.
## Response
If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
+
+## Example
+
+**Request**
+
+Here is an example of a request that adds machine tag.
+
+```http
+POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/setDeviceValue
+```
+
+```json
+{
+ "DeviceValue" : "High"
+}
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
index 26a77dc157..6ab096b9f7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
@@ -84,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile
-Content-type: application/json
+```
+
+```json
{
"Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
"Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
deleted file mode 100644
index 111a228fa4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Supported Microsoft Defender Advanced Threat Protection response APIs
-description: Learn about the specific response-related Microsoft Defender Advanced Threat Protection API calls.
-keywords: response apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Supported Microsoft Defender for Endpoint query APIs
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-> [!TIP]
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink)
-
-Learn about the supported response-related API calls you can run and details such as the required request headers, and expected response from the calls.
-
-## In this section
-Topic | Description
-:---|:---
-Collect investigation package | Run this API to collect an investigation package from a device.
-Isolate device | Run this API to isolate a device from the network.
-Unisolate device | Remove a device from isolation.
-Restrict code execution | Run this API to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
-Unrestrict code execution | Run this to reverse the restriction of applications policy after you have verified that the compromised device has been remediated.
-Run antivirus scan | Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device.
-Stop and quarantine file | Run this call to stop running processes, quarantine files, and delete persistency such as registry keys.
-Request sample | Run this call to request a sample of a file from a specific device. The file will be collected from the device and uploaded to a secure storage.
-Block file | Run this API to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware.
-Unblock file | Allow a file run in the organization using Microsoft Defender Antivirus.
-Get package SAS URI | Run this API to get a URI that allows downloading an investigation package.
-Get MachineAction object | Run this API to get MachineAction object.
-Get MachineActions collection | Run this to get MachineAction collection.
-Get FileActions collection | Run this API to get FileActions collection.
-Get FileMachineAction object | Run this API to get FileMachineAction object.
-Get FileMachineActions collection | Run this API to get FileMachineAction collection.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
index 639bbd689d..6b6dd2a9cd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
@@ -138,7 +138,7 @@ Microsoft Defender Antivirus can run alongside your existing endpoint protection
|Method |What to do |
|---------|---------|
|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. |
+|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
> [!NOTE]
> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
index 8648a57da9..da69f9acd3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
@@ -117,7 +117,7 @@ Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Def
|Method |What to do |
|---------|---------|
|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. |
+|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.|
> [!NOTE]
> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
index 3ab66598fc..75b6243eea 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
@@ -33,6 +33,9 @@ Event timeline is a risk news feed that helps you interpret how risk is introduc
Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) and [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) so you can determine the cause of large changes. Events can impact your devices or your score for devices. Reduce you exposure by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md).
+>[!TIP]
+>To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md)
+
## Navigate to the Event timeline page
There are also three entry points from the [threat and vulnerability management dashboard](tvm-dashboard-insights.md):
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
index 8d8758f2ff..1eb4f26891 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
@@ -36,7 +36,8 @@ ms.technology: mde
Method|Return Type |Description
:---|:---|:---
[List Indicators](get-ti-indicators-collection.md) | [Indicator](ti-indicator.md) Collection | List [Indicator](ti-indicator.md) entities.
-[Submit Indicator](post-ti-indicator.md) | [Indicator](ti-indicator.md) | Submits [Indicator](ti-indicator.md) entity.
+[Submit Indicator](post-ti-indicator.md) | [Indicator](ti-indicator.md) | Submit or update [Indicator](ti-indicator.md) entity.
+[Import Indicators](import-ti-indicators.md) | [Indicator](ti-indicator.md) Collection | Submit or update [Indicators](ti-indicator.md) entities.
[Delete Indicator](delete-ti-indicator-by-id.md) | No Content | Deletes [Indicator](ti-indicator.md) entity.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
index 8a626f4670..c25e934d20 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
@@ -29,9 +29,9 @@ ms.technology: mde
When you use [attack surface reduction rules](attack-surface-reduction.md) you may run into issues, such as:
-- A rule blocks a file, process, or performs some other action that it should not (false positive)
+- A rule blocks a file, process, or performs some other action that it shouldn't (false positive)
-- A rule does not work as described, or does not block a file or process that it should (false negative)
+- A rule doesn't work as described, or doesn't block a file or process that it should (false negative)
There are four steps to troubleshooting these problems:
@@ -53,7 +53,7 @@ Attack surface reduction rules will only work on devices with the following cond
- [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
-- Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+- Audit mode isn't enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.
@@ -61,7 +61,7 @@ If these prerequisites have all been met, proceed to the next step to test the r
You can visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only.
-Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with.
+Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you're encountering problems with.
1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run.
@@ -69,19 +69,19 @@ Follow these instructions in [Use the demo tool to see how attack surface reduct
3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
-If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled.
+If a rule isn't blocking a file or process that you're expecting it should block, first check if audit mode is enabled.
Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
-If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation:
+If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule isn't working as expected, proceed to either of the following sections based on your situation:
-1. If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive).
+1. If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive).
-2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions).
+2. If the attack surface reduction rule isn't blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions).
## Add exclusions for a false positive
-If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders.
+If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders.
To add an exclusion, see [Customize Attack surface reduction](customize-attack-surface-reduction.md).
@@ -95,12 +95,12 @@ Use the [Windows Defender Security Intelligence web-based submission form](https
## Collect diagnostic data for file submissions
-When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
+When you report a problem with attack surface reduction rules, you're asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
1. Open an elevated command prompt and change to the Windows Defender directory:
```console
- cd c:\program files\windows defender
+ cd "c:\program files\windows defender"
```
2. Run this command to generate the diagnostic logs:
@@ -109,7 +109,7 @@ When you report a problem with attack surface reduction rules, you are asked to
mpcmdrun -getfiles
```
-3. By default, they are saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form.
+3. By default, they're saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form.
## Related articles
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
index 4bfdccfe50..05563e45c4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
audience: ITPro
author: dansimp
ms.author: dansimp
-ms.date: 03/27/2019
+ms.date: 01/26/2021
ms.reviewer:
manager: dansimp
ms.technology: mde
@@ -24,14 +24,13 @@ ms.technology: mde
**Applies to:**
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-* IT administrators
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- IT administrators
When you use [Network protection](network-protection.md) you may encounter issues, such as:
-* Network protection blocks a website that is safe (false positive)
-* Network protection fails to block a suspicious or known malicious website (false negative)
+- Network protection blocks a website that is safe (false positive)
+- Network protection fails to block a suspicious or known malicious website (false negative)
There are four steps to troubleshooting these problems:
@@ -45,11 +44,11 @@ There are four steps to troubleshooting these problems:
Network protection will only work on devices with the following conditions:
>[!div class="checklist"]
-> * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update).
-> * Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
-> * [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
-> * [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled.
-> * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
+> - Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher.
+> - Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [See what happens when you are using a non-Microsoft antivirus solution](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
+> - [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
+> - [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled.
+> - Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
## Use audit mode
@@ -61,9 +60,9 @@ You can enable network protection in audit mode and then visit a website that we
Set-MpPreference -EnableNetworkProtection AuditMode
```
-1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
+2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
-1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
+3. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
If network protection is not blocking a connection that you are expecting it should block, enable the feature.
@@ -75,6 +74,8 @@ You can enable network protection in audit mode and then visit a website that we
If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md).
+See [Address false positives/negatives in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives).
+
## Exclude website from network protection scope
To allow the website that is being blocked (false positive), add its URL to the [list of trusted sites](https://blogs.msdn.microsoft.com/asiatech/2014/08/19/how-to-add-web-sites-to-trusted-sites-via-gpo-from-dc-installed-ie10-or-higher-ie-version/). Web resources from this list bypass the network protection check.
@@ -85,20 +86,21 @@ When you report a problem with network protection, you are asked to collect and
1. Open an elevated command prompt and change to the Windows Defender directory:
- ```PowerShell
+ ```console
cd c:\program files\windows defender
```
-1. Run this command to generate the diagnostic logs:
+2. Run this command to generate the diagnostic logs:
- ```PowerShell
+ ```console
mpcmdrun -getfiles
```
-1. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
+3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
## Related topics
-* [Network protection](network-protection.md)
-* [Evaluate network protection](evaluate-network-protection.md)
-* [Enable network protection](enable-network-protection.md)
+- [Network protection](network-protection.md)
+- [Evaluate network protection](evaluate-network-protection.md)
+- [Enable network protection](enable-network-protection.md)
+- [Address false positives/negatives in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index 5ec3a45841..dfa4d609a2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -34,6 +34,9 @@ Cybersecurity weaknesses identified in your organization are mapped to actionabl
Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
+>[!TIP]
+>To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md)
+
## How it works
Each device in the organization is scored based on three important factors to help customers to focus on the right things at the right time.
@@ -105,7 +108,7 @@ From the flyout, you can choose any of the following options:
### Investigate changes in device exposure or impact
-If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and configuration score, then that security recommendation is worth investigating.
+If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and Microsoft Secure Score for Devices, then that security recommendation is worth investigating.
1. Select the recommendation and **Open software page**
2. Select the **Event timeline** tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. [Learn more about event timeline](threat-and-vuln-mgt-event-timeline.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
index 5a407a7cb6..30820fa2ac 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
@@ -38,9 +38,9 @@ Before you begin, ensure that you meet the following operating system or platfor
Operating system | Security assessment support
:---|:---
Windows 7 | Operating System (OS) vulnerabilities
-Windows 8.1 | Not supported
-Windows 10 1607-1703 | Operating System (OS) vulnerabilities
-Windows 10 1709+ |Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
+Windows 8.1 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment |
+Windows 10, versions 1607-1703 | Operating System (OS) vulnerabilities
+Windows 10, version 1709 or later |Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
Windows Server 2008 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
Windows Server 2012 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
Windows Server 2016 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index 28fb4d19b3..dc46a51f0e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -36,12 +36,8 @@ The **Weaknesses** page lists the software vulnerabilities your devices are expo
>[!NOTE]
>If there is no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by threat and vulnerability management.
->[!IMPORTANT]
->To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network:
->- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
->- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
->- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
->- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
+>[!TIP]
+>To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md)
## Navigate to the Weaknesses page
diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md
index 2ddc0fa5f4..9d41281585 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md
@@ -84,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate
-Content-type: application/json
+```
+
+```json
{
"Comment": "Unisolate machine since it was clean and validated"
}
diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md
index c8b9276441..41934f0380 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md
@@ -82,9 +82,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution
-Content-type: application/json
+```
+
+```json
{
"Comment": "Unrestrict code execution since machine was cleaned and validated"
}
diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
index 4f6423b15e..a19d0d51e1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
@@ -91,10 +91,11 @@ If successful, this method returns 200 OK, and the [alert](alerts.md) entity in
Here is an example of the request.
-```
+```http
PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_2136280442
-Content-Type: application/json
+```
+```json
{
"status": "Resolved",
"assignedTo": "secop2@contoso.com",
@@ -102,4 +103,4 @@ Content-Type: application/json
"determination": "Malware",
"comment": "Resolve my alert and assign to secop2"
}
-```
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
index 1564652fc4..2fcb052cc9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
@@ -33,7 +33,7 @@ Web content filtering is part of [Web protection](web-protection-overview.md) ca
Configure policies across your device groups to block certain categories. Blocking a category prevents users within specified device groups from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited. Your users can access the URLs without disruption, and you'll gather access statistics to help create a more custom policy decision. Your users will see a block notification if an element on the page they're viewing is making calls to a blocked resource.
-Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome and Firefox). For more information about browser support, see the prerequisites section.
+Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome, Firefox, Brave and Opera). For more information about browser support, see the prerequisites section.
Summarizing the benefits:
@@ -43,7 +43,7 @@ Summarizing the benefits:
## User experience
-The blocking experience for Chrome/Firefox is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection.
+The blocking experience for 3rd party supported browsers is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection.
For a more user-friendly in-browser experience, consider using Microsoft Edge.
@@ -55,11 +55,11 @@ Before trying out this feature, make sure you have the following requirements:
- Access to Microsoft Defender Security Center portal
- Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update.
-If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device.
+If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. Chrome, Firefox, Brave, and Opera are currently 3rd party browsers in which this feature is enabled.
## Data handling
-We will follow whichever region you have elected to use as part of your [Microsoft Defender for Endpoint data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds.
+We will follow whichever region you have elected to use as part of your [Microsoft Defender for Endpoint data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers.
## Turn on web content filtering
@@ -79,7 +79,7 @@ To add a new policy:
2. Specify a name.
3. Select the categories to block. Use the expand icon to fully expand each parent category and select specific web content categories.
4. Specify the policy scope. Select the device groups to specify where to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories.
-5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected devices.
+5. Review the summary and save the policy. The policy refresh may take up to 2 hours to apply to your selected devices.
Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy.
@@ -139,7 +139,7 @@ Use the time range filter at the top left of the page to select a time period. Y
### Limitations and known issues in this preview
-- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across Chrome/Firefox.
+- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across supported 3rd party browsers.
- Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts.
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index fd8ba1f7f9..509869f9e5 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -34,7 +34,6 @@ The Security Compliance Toolkit consists of:
- Windows 10 Version 1903 (May 2019 Update)
- Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
- - Windows 10 Version 1709 (Fall Creators Update)
- Windows 10 Version 1607 (Anniversary Update)
- Windows 10 Version 1507
diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
index 9ac1afcf08..5efa422cb9 100644
--- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
+++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
@@ -70,6 +70,7 @@ The following table links to each security policy setting and provides the const
| [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege|
| [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege|
| [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege|
+| [Obtain an impersonation token for another user in the same session](impersonate-a-client-after-authentication.md) | SeDelegateSessionUserImpersonatePrivilege|
| [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege|
| [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege|
| [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege|
@@ -79,6 +80,7 @@ The following table links to each security policy setting and provides the const
| [Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege|
| [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege|
| [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege|
+
## Related topics