From db00b0b0a7d8ede6d2a4c6e56bd512cc17cc9135 Mon Sep 17 00:00:00 2001 From: illfated Date: Tue, 19 May 2020 23:43:44 +0200 Subject: [PATCH 1/8] Onboard servers to MSDATP: add important note text Description: As requested in issue ticket #6757 (Add note about ASC Integration being disabled for Office 365 GCC customers), this PR contains the addition of the note text from the page Microsoft Defender Advanced Threat Protection with Azure Security Center, saying: "When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created and the Microsoft Defender ATP data is stored in Europe by default. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers." Thanks to Antoniha for requesting this important note addition. Changes proposed: - Add a third bullet point line containing the text quoted above - Modify the command "sc query Windefend" to use `sc.exe` - Remove end-of-line whitespace (blanks) throughout the page Ticket closure or reference: Closes #6757 --- .../configure-server-endpoints.md | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index a14525a0c9..cc9b6af753 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -13,7 +13,7 @@ ms.author: macapara ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article --- @@ -35,7 +35,7 @@ ms.topic: article Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console. The service supports the onboarding of the following servers: -- Windows Server 2008 R2 SP1 +- Windows Server 2008 R2 SP1 - Windows Server 2012 R2 - Windows Server 2016 - Windows Server (SAC) version 1803 and later @@ -57,11 +57,11 @@ There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 ### Option 1: Onboard servers through Microsoft Defender Security Center -You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center. +You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center. - For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix: - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) - + - In addition, for Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements: - Install the [February monthly update rollup](https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598) - Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework) @@ -73,7 +73,7 @@ You'll need to take the following steps if you choose to onboard servers through - Turn on server monitoring from Microsoft Defender Security Center. - - If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. + - If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). @@ -82,10 +82,10 @@ You'll need to take the following steps if you choose to onboard servers through ### Configure and update System Center Endpoint Protection clients -Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. +Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. -The following steps are required to enable this integration: -- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) +The following steps are required to enable this integration: +- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting @@ -95,19 +95,19 @@ The following steps are required to enable this integration: 1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. 2. Select Windows Server 2012 R2 and 2016 as the operating system. - + 3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. -### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP +### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). 2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server: - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). + - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). 3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md). @@ -116,7 +116,7 @@ Once completed, you should see onboarded servers in the portal within an hour. ### Configure server proxy and Internet connectivity settings - + - Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway. - If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). @@ -127,7 +127,7 @@ Once completed, you should see onboarded servers in the portal within an hour. 2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system. -3. Click **Onboard Servers in Azure Security Center**. +3. Click **Onboard Servers in Azure Security Center**. 4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). @@ -140,16 +140,16 @@ To onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Se Supported tools include: - Local script -- Group Policy +- Group Policy - Microsoft Endpoint Configuration Manager - System Center Configuration Manager 2012 / 2012 R2 1511 / 1602 - VDI onboarding scripts for non-persistent machines For more information, see [Onboard Windows 10 machines](configure-endpoints.md). -Support for Windows Server, provide deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. +Support for Windows Server, provide deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. -1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md). +1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md). 2. If you're running a third-party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings. Verify that it was configured correctly: @@ -165,12 +165,12 @@ Support for Windows Server, provide deeper insight into activities happening on ``` 1. Confirm that a recent event containing the passive mode event is found: - + ![Image of passive mode verification result](images/atp-verify-passive-mode.png) 3. Run the following command to check if Windows Defender AV is installed: - ```sc query Windefend``` + ```sc.exe query Windefend``` If the result is 'The specified service does not exist as an installed service', then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). @@ -188,12 +188,12 @@ The following capabilities are included in this integration: - Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach > [!IMPORTANT] -> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default. +> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default. > - If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. +> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created and the Microsoft Defender ATP data is stored in Europe by default. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers. - -## Offboard servers +## Offboard servers You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client machines. For other server versions, you have two options to offboard servers from the service: @@ -210,10 +210,10 @@ For more information, see [To disable an agent](https://docs.microsoft.com/azure ### Remove the Microsoft Defender ATP workspace configuration To offboard the server, you can use either of the following methods: -- Remove the Microsoft Defender ATP workspace configuration from the MMA agent +- Remove the Microsoft Defender ATP workspace configuration from the MMA agent - Run a PowerShell command to remove the configuration -#### Remove the Microsoft Defender ATP workspace configuration from the MMA agent +#### Remove the Microsoft Defender ATP workspace configuration from the MMA agent 1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab. @@ -228,7 +228,7 @@ To offboard the server, you can use either of the following methods: 1. In the navigation pane, select **Settings** > **Onboarding**. 1. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID: - + ![Image of server onboarding](images/atp-server-offboarding-workspaceid.png) 2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`: From 97e7afaf4e7ab71f415dd0d6f597db49a1945597 Mon Sep 17 00:00:00 2001 From: Kweku Ako-Adjei Date: Tue, 19 May 2020 17:22:26 -0700 Subject: [PATCH 2/8] Update cortana-at-work-policy-settings.md --- .../cortana-at-work/cortana-at-work-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md index 75c8fe36a1..1729809a44 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md @@ -15,7 +15,7 @@ manager: dansimp # Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization >[!NOTE] ->For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) topic, located in the configuration service provider reference topics. +>For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) topic, located in the configuration service provider reference topics. |**Group policy** |**MDM policy** |**Description** | From ca7d8a26058fb0fc04e500b9f40c78e5ecdfa20a Mon Sep 17 00:00:00 2001 From: rogersoMS <44718379+rogersoMS@users.noreply.github.com> Date: Thu, 21 May 2020 01:00:13 +1000 Subject: [PATCH 3/8] Added note regarding partner removal process @mtniehaus & @greg-lindsay As per mizar - adding a note callout to let customers know they cannot remove a partner from MSfB. Manual removal is neccesary by sending email. --- windows/deployment/windows-autopilot/registration-auth.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/deployment/windows-autopilot/registration-auth.md b/windows/deployment/windows-autopilot/registration-auth.md index cb93b03921..547b2f07ea 100644 --- a/windows/deployment/windows-autopilot/registration-auth.md +++ b/windows/deployment/windows-autopilot/registration-auth.md @@ -80,6 +80,10 @@ Each OEM has a unique link to provide to their respective customers, which the O ![Not global admin](images/csp7.png) 3. Customer selects the **Yes** checkbox, followed by the **Accept** button, and they’re done. Authorization happens instantaneously. + > [!NOTE] + > Once this process has completed, it is not currently possible for an administrator to remove an OEM. To remove an OEM or revoke + their permissions, send a request to msoemops@microsoft.com + 4. The OEM can use the Validate Device Submission Data API to verify the consent has completed. This API is discussed in the latest version of the API Whitepaper, p. 14ff [https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx](https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx). **Note**: this link is only accessible by Microsoft Device Partners. As discussed in this whitepaper, it’s a best practice recommendation for OEM partners to run the API check to confirm they’ve received customer consent before attempting to register devices, thus avoiding errors in the registration process. > [!NOTE] From bd111da8a3cced5e81ad581224c9848213e23f19 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 20 May 2020 08:49:35 -0700 Subject: [PATCH 4/8] fix typo --- windows/deployment/windows-autopilot/bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/bitlocker.md b/windows/deployment/windows-autopilot/bitlocker.md index 234ae17fcc..a33cb8d60e 100644 --- a/windows/deployment/windows-autopilot/bitlocker.md +++ b/windows/deployment/windows-autopilot/bitlocker.md @@ -39,7 +39,7 @@ An example of Microsoft Intune Windows Encryption settings is shown below. ![BitLocker encryption settings](images/bitlocker-encryption.png) -Note that a device which is encrypted automatically will need to be decrypted prior to changing the encyption algorithm. +Note that a device which is encrypted automatically will need to be decrypted prior to changing the encryption algorithm. The settings are available under Device Configuration -> Profiles -> Create profile -> Platform = Windows 10 and later, Profile type = Endpoint protection -> Configure -> Windows Encryption -> BitLocker base settings, Configure encryption methods = Enable. From ac8c000b609729f1cf3eeef95477a5d9a9f92228 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 20 May 2020 08:57:01 -0700 Subject: [PATCH 5/8] add to preview --- .../threat-protection/microsoft-defender-atp/preview.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index 2801e3fffd..8eb9582866 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -47,6 +47,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: +- [Attack simulators in the evaluation lab](evaluation-lab.md#threat-simulator-scenarios)
Microsoft Defender ATP has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal. + - [Create indicators for certificates](manage-indicators.md)
Create indicators to allow or block certificates. - [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md)
Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux. From 177860340644ebe74d0a02396f18f7878eab34ce Mon Sep 17 00:00:00 2001 From: Kweku Ako-Adjei Date: Wed, 20 May 2020 09:39:49 -0700 Subject: [PATCH 6/8] Cortana updates --- .../cortana-at-work/set-up-and-test-cortana-in-windows-10.md | 2 -- windows/configuration/cortana-at-work/test-scenario-6.md | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md index 70ec53174c..c1b71aa782 100644 --- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md @@ -18,8 +18,6 @@ ms.author: dansimp - If your enterprise had previously disabled Cortana for your employees using the **Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana** Group Policy or the **Experience\AllowCortana** MDM setting but want to enable it now that Cortana is part of Microsoft 365, you will need to re-enable it at least for Windows 10, version 2004 and later. - **Cortana is regularly updated through the Microsoft Store.** Beginning with Windows 10, version 2004, Cortana is an appx preinstalled with Windows and is regularly updated through the Microsoft Store. To receive the latest updates to Cortana, you will need to [enable updates through the Microsoft Store](https://docs.microsoft.com/windows/configuration/stop-employees-from-using-microsoft-store). -INSERT SCREENSHOT 1 - ## Set up and configure the Bing Answers feature Bing Answers provides fast, authoritative results to search queries based on search terms. When the Bing Answers feature is enabled, users will be able to ask Cortana web-related questions in the Cortana in Windows app, such as "What's the current weather?" or "Who is the president of the U.S.?," and get a response, based on public results from Bing.com. diff --git a/windows/configuration/cortana-at-work/test-scenario-6.md b/windows/configuration/cortana-at-work/test-scenario-6.md index a2e102027d..cd22204b99 100644 --- a/windows/configuration/cortana-at-work/test-scenario-6.md +++ b/windows/configuration/cortana-at-work/test-scenario-6.md @@ -24,7 +24,7 @@ Cortana automatically finds patterns in your email, suggesting reminders based t ## Use Cortana to create suggested reminders for you -1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](https://docs.microsoft.com/en-us/windows/configuration/cortana-at-work/cortana-at-work-o365). +1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-o365). 2. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**. From 4564617d80c0f1de2c40ce06702a88f9837bcf7a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 May 2020 10:05:43 -0700 Subject: [PATCH 7/8] Update .openpublishing.redirection.json --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index ece83b3f5c..107a70bff1 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -15533,7 +15533,7 @@ }, { "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md", -"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction", "redirect_document_id": false }, { From c86469abac4112712d6f033feb86e5536794aa03 Mon Sep 17 00:00:00 2001 From: Sirkku Date: Wed, 20 May 2020 10:22:25 -0700 Subject: [PATCH 8/8] Update cortana-at-work-scenario-2.md --- .../configuration/cortana-at-work/cortana-at-work-scenario-2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md index c541b4b620..55a3d754d6 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md @@ -20,7 +20,7 @@ manager: dansimp Cortana will respond with the information from Bing. -:::image type="content" source="../../media/screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad"::: +:::image type="content" source="../../../images/screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad"::: >[!NOTE] >This scenario requires Bing Answers to be enabled. For more information, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature). \ No newline at end of file