deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-25 03:37:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merged PR 7210: 4/17 AM Publish

Browse Source
This commit is contained in:
Alma Jenks 2018-04-17 17:37:27 +00:00
commit 6d6514bf0a
202 changed files with 2755 additions and 1154 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
.openpublishing.redirection.json
View File

@ -13099,6 +13099,39 @@
"source_path": "windows/deployment/windows-10-auto-pilot.md", "source_path": "windows/deployment/windows-10-auto-pilot.md",
"redirect_url": "/windows/deployment/windows-autopilot/windows-10-autopilot", "redirect_url": "/windows/deployment/windows-autopilot/windows-10-autopilot",
"redirect_document_id": true "redirect_document_id": true
} },
{
"source_path": "windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection",
"redirect_document_id": true
},
] ]
} }

4
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: nickbrower author: nickbrower
ms.date: 04/06/2018 ms.date: 04/11/2018
--- ---
# What's new in MDM enrollment and management # What's new in MDM enrollment and management
@ -1170,6 +1170,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>KioskBrowser/BlockedUrlExceptions</li> <li>KioskBrowser/BlockedUrlExceptions</li>
<li>KioskBrowser/BlockedUrls</li> <li>KioskBrowser/BlockedUrls</li>
<li>KioskBrowser/DefaultURL</li> <li>KioskBrowser/DefaultURL</li>
<li>KioskBrowser/EnableEndSessionButton</li>
<li>KioskBrowser/EnableHomeButton</li> <li>KioskBrowser/EnableHomeButton</li>
<li>KioskBrowser/EnableNavigationButtons</li> <li>KioskBrowser/EnableNavigationButtons</li>
<li>KioskBrowser/RestartOnIdleTime</li> <li>KioskBrowser/RestartOnIdleTime</li>
@ -1657,6 +1658,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1803:</p> <td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1803:</p>
<ul> <ul>
<li>Bluetooth/AllowPromptedProximalConnections</li> <li>Bluetooth/AllowPromptedProximalConnections</li>
<li>KioskBrowser/EnableEndSessionButton</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</li> <li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</li> <li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</li> <li>LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</li>

5
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -1950,7 +1950,10 @@ The following diagram shows the Policy configuration service provider in tree fo
<a href="./policy-csp-kioskbrowser.md#kioskbrowser-defaulturl" id="kioskbrowser-defaulturl">KioskBrowser/DefaultURL</a> <a href="./policy-csp-kioskbrowser.md#kioskbrowser-defaulturl" id="kioskbrowser-defaulturl">KioskBrowser/DefaultURL</a>
</dd> </dd>
<dd> <dd>
<a href="./policy-csp-kioskbrowser.md#kioskbrowser-enablehomebutton" id="kioskbrowser-enablehomebutton">KioskBrowser/EnableHomeButton</a> <a href="policy-csp-kioskbrowser.md#kioskbrowser-enableendsessionbutton" id="kioskbrowser-enableendsessionbutton">KioskBrowser/EnableEndSessionButton</a>
</dd>
<dd>
<a href="policy-csp-kioskbrowser.md#kioskbrowser-enablehomebutton" id="kioskbrowser-enablehomebutton">KioskBrowser/EnableHomeButton</a>
</dd> </dd>
<dd> <dd>
<a href="./policy-csp-kioskbrowser.md#kioskbrowser-enablenavigationbuttons" id="kioskbrowser-enablenavigationbuttons">KioskBrowser/EnableNavigationButtons</a> <a href="./policy-csp-kioskbrowser.md#kioskbrowser-enablenavigationbuttons" id="kioskbrowser-enablenavigationbuttons">KioskBrowser/EnableNavigationButtons</a>

63
windows/client-management/mdm/policy-csp-kioskbrowser.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: nickbrower author: nickbrower
ms.date: 04/06/2018 ms.date: 04/11/2018
--- ---
# Policy CSP - KioskBrowser # Policy CSP - KioskBrowser
@ -32,6 +32,9 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic
<dd> <dd>
<a href="#kioskbrowser-defaulturl">KioskBrowser/DefaultURL</a> <a href="#kioskbrowser-defaulturl">KioskBrowser/DefaultURL</a>
</dd> </dd>
<dd>
<a href="#kioskbrowser-enableendsessionbutton">KioskBrowser/EnableEndSessionButton</a>
</dd>
<dd> <dd>
<a href="#kioskbrowser-enablehomebutton">KioskBrowser/EnableHomeButton</a> <a href="#kioskbrowser-enablehomebutton">KioskBrowser/EnableHomeButton</a>
</dd> </dd>
@ -76,7 +79,6 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic
[Scope](./policy-configuration-service-provider.md#policy-scope): [Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"] > [!div class = "checklist"]
> * User
> * Device > * Device
<hr/> <hr/>
@ -123,7 +125,6 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL
[Scope](./policy-configuration-service-provider.md#policy-scope): [Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"] > [!div class = "checklist"]
> * User
> * Device > * Device
<hr/> <hr/>
@ -170,7 +171,6 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s
[Scope](./policy-configuration-service-provider.md#policy-scope): [Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"] > [!div class = "checklist"]
> * User
> * Device > * Device
<hr/> <hr/>
@ -187,6 +187,58 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to
<hr/> <hr/>
<!--Policy-->
<a href="" id="kioskbrowser-enableendsessionbutton"></a>**KioskBrowser/EnableEndSessionButton**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Enables kiosk browser's end session button. When the policy is enabled, the kiosk browser enables a button to reset the browser by navigating back to the default URL and clearing the browsing data (cache, cookies, etc). When the user clicks on the button, the app will prompt the user for confirmation to end the session.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy--> <!--Policy-->
<a href="" id="kioskbrowser-enablehomebutton"></a>**KioskBrowser/EnableHomeButton** <a href="" id="kioskbrowser-enablehomebutton"></a>**KioskBrowser/EnableHomeButton**
@ -217,7 +269,6 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to
[Scope](./policy-configuration-service-provider.md#policy-scope): [Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"] > [!div class = "checklist"]
> * User
> * Device > * Device
<hr/> <hr/>
@ -264,7 +315,6 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button.
[Scope](./policy-configuration-service-provider.md#policy-scope): [Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"] > [!div class = "checklist"]
> * User
> * Device > * Device
<hr/> <hr/>
@ -311,7 +361,6 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation but
[Scope](./policy-configuration-service-provider.md#policy-scope): [Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"] > [!div class = "checklist"]
> * User
> * Device > * Device
<hr/> <hr/>

2
windows/client-management/mdm/policy-csp-taskscheduler.md
View File

@ -65,7 +65,7 @@ ms.date: 03/12/2018
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Added in Windows 10, version 1803. This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled. Added in Windows 10, version 1803. This setting determines whether the specific task is enabled (1) or disabled (0). Default: Disabled.
<!--/Description--> <!--/Description-->
<!--/Policy--> <!--/Policy-->

77
windows/security/threat-protection/TOC.md
View File

@ -23,24 +23,25 @@
#### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md) #### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
#### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md) #### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
#### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md) #### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
### [Onboard endpoints and set up access](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) ### [Onboard machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
#### [Configure client endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md) #### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
##### [Configure endpoints using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md) ##### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
##### [Configure endpoints using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) ##### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
##### [Configure endpoints using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ##### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) ###### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-windows-10-machines-using-microsoft-intune)
##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md) ##### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) ##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
#### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md) #### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) #### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
#### [Run a detection test on a newly onboarded endpoint](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md) #### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
#### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md)
#### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md) #### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) #### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
### [Understand the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md) ### [Understand the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
#### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md) #### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
#### [View the Security operations dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md) #### [View the Security operations dashboard](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
#### [View the Secure score dashboard](windows-defender-atp\security-analytics-dashboard-windows-defender-advanced-threat-protection.md) #### [View the Secure Score dashboard and improve your secure score](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
#### [View the Threat analytics dashboard](windows-defender-atp\threat-analytics-windows-defender-advanced-threat-protection.md) #### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
###Investigate and remediate threats ###Investigate and remediate threats
####Alerts queue ####Alerts queue
@ -53,6 +54,9 @@
##### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md) ##### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
##### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md) ##### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
####Machines list ####Machines list
##### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md) ##### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags) ##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
@ -84,6 +88,11 @@
####### [View deep analysis reports](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) ####### [View deep analysis reports](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
####### [Troubleshoot deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) ####### [Troubleshoot deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
#### [Use Automated investigation to investigate and remediate threats](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
#### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
##### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
##### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
###API and SIEM support ###API and SIEM support
#### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md) #### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md)
##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md) ##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
@ -172,20 +181,38 @@
##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) ##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) ##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
#### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md) #### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
### [Configure Windows Defender ATP preferences settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md) ### [Configure Windows Defender ATP Settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
#### [Update general settings](windows-defender-atp\general-settings-windows-defender-advanced-threat-protection.md)
#### [Enable advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md) ####General
#### [Enable preview experience](windows-defender-atp\preview-settings-windows-defender-advanced-threat-protection.md) ##### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
#### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md) ##### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md) ##### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
#### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md) ##### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
#### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) ##### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
#### [Enable Security Analytics security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md)
####Permissions
##### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
##### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
####APIs
##### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
####Rules
##### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md)
##### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
##### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
##### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
####Machine management
##### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
##### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
### [Configure Windows Defender ATP time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
### [Configure Windows Defender ATP time zone settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
### [Access the Windows Defender ATP Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md) ### [Access the Windows Defender ATP Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md) ### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
#### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md) #### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md) ### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md) ## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)

4
windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.localizationpriority: high ms.localizationpriority: high
author: brianlic-msft author: brianlic-msft
ms.date: 02/13/2018 ms.date: 04/17/2018
--- ---
# Steps to Deploy Windows Defender Application Control # Steps to Deploy Windows Defender Application Control
@ -60,6 +60,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- rcsi.exe - rcsi.exe
- system.management.automation.dll - system.management.automation.dll
- windbg.exe - windbg.exe
- wmic.exe
<sup>[1]</sup>A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](https://docs.microsoft.com/en-us/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. <sup>[1]</sup>A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](https://docs.microsoft.com/en-us/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.
@ -77,6 +78,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
|Oddvar Moe |@Oddvarmoe| |Oddvar Moe |@Oddvarmoe|
|Alex Ionescu | @aionescu| |Alex Ionescu | @aionescu|
|Lee Christensen|@tifkin_| |Lee Christensen|@tifkin_|
|Vladas Bulavas | Kaspersky Lab |
<br /> <br />

2
windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
View File

@ -52,7 +52,7 @@ Read the following blogposts for detailed protection stories involving cloud-pro
## Get cloud-delivered protection ## Get cloud-delivered protection
Cloud-delivered protection is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies. Cloud-delivered protection is enabled by default. However, you may need to re-enable it if it has been disabled as part of previous organizational policies.
>[!TIP] >[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.

2
windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
View File

@ -22,7 +22,7 @@ ms.date: 04/17/2018
Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
This library of documentation is aimed for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network. This library of documentation is for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network.
For more important information about running Windows Defender on a server platform, see [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md). For more important information about running Windows Defender on a server platform, see [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md).

53
windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
--- ---
title: Turn on advanced features in Windows Defender ATP title: Configure advanced features in Windows Defender ATP
description: Turn on advanced features such as block file in Windows Defender Advanced Threat Protection. description: Turn on advanced features such as block file in Windows Defender Advanced Threat Protection.
keywords: advanced features, preferences setup, block file keywords: advanced features, settings, block file
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
@ -10,10 +10,10 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 10/16/2017 ms.date: 04/17/2018
--- ---
# Turn on advanced features in Windows Defender ATP # Configure advanced features in Windows Defender ATP
**Applies to:** **Applies to:**
@ -23,7 +23,7 @@ ms.date: 10/16/2017
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
@ -31,6 +31,9 @@ Depending on the Microsoft security products that you use, some advanced feature
Turn on the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: Turn on the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations:
## Automated investigation
When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigations](automated-investigations-windows-defender-advanced-threat-protection.md).
## Block file ## Block file
This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled. This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled.
@ -47,22 +50,50 @@ For more information, see [Investigate a user account](investigate-user-windows-
## Skype for Business integration ## Skype for Business integration
Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks. Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
## Azure Advanced Threat Protection integration
The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the machine-based investigation capability by pivoting across the network from an identify point of view.
>[!NOTE]
>You'll need to have the appropriate license to enable this feature.
### Enable the Windows Defender ATP integration from the Azure ATP portal
To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
1. Login to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
2. Click **Create a workspace** or use your primary workspace.
3. Toggle the Integration setting to **On** and click **Save**.
When you complete the integration steps on both portals, you'll be able to see relevant alerts in the machine details or user details page.
## Office 365 Threat Intelligence connection ## Office 365 Threat Intelligence connection
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page. This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into the Windows Defender ATP portal to conduct a holistic security investigation across Office 365 mailboxes and Windows machines. When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into the Windows Defender ATP portal to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
>[!NOTE]
>You'll need to have the appropriate license to enable this feature.
To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
## Microsoft Intune connection
This feature is only available if you have an active Microsoft Intune (Intune) license.
When you enable this feature, you'll be able to share Windows Defender ATP device information to Intune and enhance policy enforcement.
>[!NOTE]
>You'll need to enable the integration on both Intune and Windows Defender ATP to use this feature.
## Enable advanced features ## Enable advanced features
1. In the navigation pane, select **Preferences setup** > **Advanced features**. 1. In the navigation pane, select **Preferences setup** > **Advanced features**.
2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**. 2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
3. Click **Save preferences**. 3. Click **Save preferences**.
## Related topics ## Related topics
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md) - [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md) - [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) - [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)

96
windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,96 @@
---
title: Advanced hunting best practices in Windows Defender ATP
description: Learn about Advanced hunting best practices such as what filters and keywords to use to effectively query data.
keywords: advanced hunting, best practices, keyword, filters, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/17/2018
---
# Advanced hunting query best practices Windows Defender ATP
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
## Performance best practices
The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries.
- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/).
- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter.
- Use 'has' keyword over 'contains' when looking for full tokens.
- Use looking in specific column rather than using full text search across all columns.
- When joining between two tables - choose the table with less rows to be the first one (left-most).
- When joining between two tables - project only needed columns from both sides of the join.
## Query tips and pitfalls
### Unique Process IDs
Process IDs are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process.
To address this issue, Windows Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time.
So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either MachineId or ComputerName), a process ID (ProcessId or InitiatingProcessId) and the process creation time (ProcessCreationTime or InitiatingProcessCreationTime)
The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB) - possibly scanning for file shares.
Example query:
```
NetworkCommunicationEvents
| where RemotePort == 445 and EventTime > ago(12h) and InitiatingProcessId !in (0, 4)
| summarize RemoteIPCount=dcount(RemoteIP) by ComputerName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
| where RemoteIPCount > 10
```
The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime - to make sure the query looks at a single process, and not mixing multiple processes with the same process ID.
### Using command line queries
Command lines may vary - when applicable, filter on file names and do fuzzy matching.
There are numerous ways to construct a command line to accomplish a task.
For example, a malicious attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, and others. In addition, the attacker can also change the order of some parameters, add multiple quotes or spaces, and much more.
To create more durable queries using command lines, we recommended the following guidelines:
- Identify the known processes (such as net.exe, psexec.exe, and others) by matching on the filename fields, instead of filtering on the command line field.
- When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.
- Use case insensitive matches. For example, use '=~', 'in~', 'contains' instead of '==', 'in' or 'contains_cs'
- To mitigate DOS command line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. This is just the start of handling DOS obfuscation techniques, but it does mitigate the most common ones.
The following example query shows various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
```
// Non-durable query - do not use
ProcessCreationEvents
| where ProcessCommandLine == "net stop MpsSvc"
| limit 10
// Better query - filters on filename, does case-insensitive matches
ProcessCreationEvents
| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc"
// Best query also ignores quotes
ProcessCreationEvents
| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe")
| extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine)
| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
```
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)

107
windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,107 @@
---
title: Advanced hunting reference in Windows Defender ATP
description: Learn about Advanced hunting table reference such as column name, data type, and description
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/17/2018
---
# Advanced hunting reference in Windows Defender ATP
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
## Advanced hunting table reference
When you run a query using Advanced hunting, a table with columns is returned as a result.
Use the following table to understand what the columns represent, its data type, and their description.
| Column name | Data type | Description
:---|:--- |:---
| AccountDomain | string | Domain of the account. |
| AccountName | string | User name of the account. |
| AccountSid | string | Security Identifier (SID) of the account. |
| ActionType | string | Type of activity that triggered the event. |
| AdditionalFields | string | Additional information about the event in JSON array format. |
| AlertId | string | Unique identifier for the alert. |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine. |
| EventId | int | Unique identifier used by Event Tracing for Windows (ETW) for the event type. |
| EventTime | datetime | Date and time when the event was recorded. |
| EventType | string | Table where the record is stored. |
| FileName | string | Name of the file that the recorded action was applied to. |
| FileOriginIp | string | IP address where the file was downloaded from. |
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file. |
| FileOriginUrl | string | URL where the file was downloaded from. |
| FolderPath | string | Folder containing the file that the recorded action was applied to. |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event. |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event. |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event. |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event. |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. |
| InitiatingProcessFileName | string | Name of the process that initiated the event. |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event. |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event. |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. |
| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event. |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started. |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event. |
| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event. |
| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event. |
| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event. |
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory. |
| LocalIP | string | IP address assigned to the local machine used during communication. |
| LocalPort | int | TCP port on the local machine used during communication. |
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format. |
| LogonType | string | Type of logon session, specifically: <br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen.<br> <br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients. <br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed. <br><br> - **Batch** - Session initiated by scheduled tasks. <br><br> - **Service** - Session initiated by services as they start. <br>
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
| MachineId | string | Unique identifier for the machine in the service. |
| MD5 | string | MD5 hash of the file that the recorded action was applied to. |
| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format. |
| OSArchitecture | string | Architecture of the operating system running on the machine. |
| OSBuild | string | Build version of the operating system running on the machine. |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| PreviousRegistryKey | string | Original registry key of the registry value before it was modified. |
| PreviousRegistryValueData | string | Original data of the registry value before it was modified. |
| PreviousRegistryValueName | string | Original name of the registry value before it was modified. |
| PreviousRegistryValueType | string | Original data type of the registry value before it was modified. |
| ProcessCommandline | string | Command line used to create the new process. |
| ProcessCreationTime | datetime | Date and time the process was created. |
| ProcessId | int | Process ID (PID) of the newly created process. |
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process. |
| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log. |
| RegistryKey | string | Registry key that the recorded action was applied to. |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to. |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to. |
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to. |
| RemoteIP | string | IP address that was being connected to. |
| RemotePort | int | TCP port on the remote device that was being connected to. |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. |
| ReportIndex | long | Event identifier that is unique among the same event type. |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to. |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)
## Related topic
- [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)
- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)

164
windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,164 @@
---
title: Query data using Advanced hunting in Windows Defender ATP
description: Learn about Advanced hunting in Windows Defender ATP and how to query ATP data.
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/17/2018
---
# Query data using Advanced hunting in Windows Defender ATP
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
Advanced hunting allows you to proactively hunt for possible threats across your organization using a powerful search and query tool. Take advantage of the following capabilities:
- **Powerful query language with IntelliSense** - Built on top of a query language that gives you the flexibility you need to take hunting to the next level.
- **Query the stored telemetry** - The telemetry data is accessible in tables for you to query. For example, you can query process creation, network communication, and many other event types.
- **Links to portal** - Certain query results, such as machine names and file names are actually direct links to the portal, consolidating the Advanced hunting query experience and the existing portal investigation experience.
- **Query examples** - A welcome page provides examples designed to get you started and get you familiar with the tables and the query language.
To get you started in querying your data, you can use the basic or Advanced query examples that have some preloaded queries for you to understand the basic query syntax.
![Image of Advanced hunting window](images/atp-advanced-hunting.png)
## Use advanced hunting to query data
A typical query starts with a table name followed by a series of operators separated by **|**.
In the following example, we start with the table name **ProcessCreationEvents** and add piped elements as needed.
![Image of Windows Defender ATP Advanced hunting query](images/advanced-hunting-query-example.png)
First, we define a time filter to review only records from the previous seven days.
We then add a filter on the _FileName_ to contain only instances of _powershell.exe_.
Afterwards, we add a filter on the _ProcessCommandLine_
Finally, we project only the columns we're interested in exploring and limit the results to 100 and click **Run query**.
### Use operators
The query language is very powerful and has a lot of available operators, some of them are -
- **where** - Filter a table to the subset of rows that satisfy a predicate.
- **summarize** - Produce a table that aggregates the content of the input table.
- **join** - Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table.
- **count** - Return the number of records in the input record set.
- **top** - Return the first N records sorted by the specified columns.
- **limit** - Return up to the specified number of rows.
- **project** - Select the columns to include, rename or drop, and insert new computed columns.
- **extend** - Create calculated columns and append them to the result set.
- **makeset** - Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group
- **find** - Find rows that match a predicate across a set of tables.
To see a live example of these operators, run them as part of the **Get started** section.
## Access query language documentation
For more information on the query language and supported operators, see [Query Language](https://docs.loganalytics.io/docs/Language-Reference/).
## Use exposed tables in Advanced hunting
The following tables are exposed as part of Advanced hunting:
- **AlertEvents** - Stores alerts related information
- **MachineInfo** - Stores machines properties
- **ProcessCreationEvents** - Stores process creation events
- **NetworkCommunicationEvents** - Stores network communication events
- **FileCreationEvents** - Stores file creation, modification, and rename events
- **RegistryEvents** - Stores registry key creation, modification, rename and deletion events
- **LogonEvents** - Stores login events
- **ImageLoadEvents** - Stores load dll events
- **MiscEvents** - Stores several types of events, including Windows Defender blocks (Windows Defender Antivirus, Exploit Guard, Windows Defender SmartScreen, Windows Defender Application Guard, and Firewall), process injection events, access to LSASS processes, and others.
These tables include data from the last 30 days.
## Use shared queries
Shared queries are prepopulated queries that give you a starting point on running queries on your organization's data. It includes a couple of examples that help demonstrate the query language capabilities.
![Image of shared queries](images/atp-shared-queries.png)
You can save, edit, update, or delete queries.
### Save a query
You can create or modify a query and save it as your own query or share it with users who are in the same tenant.
1. Create or modify a query.
2. Click the **Save query** drop-down button and select **Save as**.
3. Enter a name for the query.
![Image of saving a query](images/advanced-hunting-save-query.png)
4. Select the folder where you'd like to save the query.
- Shared queries - Allows other users in the tenant to access the query
- My query - Accessible only to the user who saved the query
5. Click **Save**.
### Update a query
These steps guide you on modifying and overwriting an existing query.
1. Edit an existing query.
2. Click the **Save**.
### Delete a query
1. Right-click on a query you want to delete.
![Image of delete query](images/atp-delete-query.png)
2. Select **Delete** and confirm that you want to delete the query.
## Result set capabilities in Advanced hunting
The result set has several capabilities to provide you with effective investigation, including:
- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in the Windows Defender ATP portal.
- You can right-click on a cell in the result set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set.
![Image of Windows Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png)
## Filter results in Advanced hunting
In Advanced hunting, you can use the advanced filter on the output result set of the query.
The filters provide an overview of the result set where
each column has it's own section and shows the distinct values that appear in the column and their prevalence.
You can refine your query based on the filter by clicking the "+" or "-" buttons on the values that you want to include or exclude and click **Run query**.
![Image of Advanced hunting filter](images/atp-filter-advanced-hunting.png)
The filter selections will resolve as an additional query term and the results will be updated accordingly.
## Public Advanced Hunting query GitHub repository
Check out the [Advanced Hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
## Related topic
- [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)

40
windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 03/12/2018 ms.date: 04/17/2018
--- ---
# View and organize the Windows Defender Advanced Threat Protection Alerts queue # View and organize the Windows Defender Advanced Threat Protection Alerts queue
@ -23,11 +23,11 @@ ms.date: 03/12/2018
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on. The **Alerts queue** shows a list of alerts that were flagged from machines in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on.
Alerts are organized in queues by their workflow status or assignment: Alerts are organized in queues by their workflow status or assignment:
@ -35,14 +35,13 @@ Alerts are organized in queues by their workflow status or assignment:
- **In progress** - **In progress**
- **Resolved** - **Resolved**
- **Assigned to me** - **Assigned to me**
- **Suppression rules**
To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane. To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane.
> [!NOTE] > [!NOTE]
> By default, alerts in the queues are sorted from newest to oldest. > By default, alerts in the queues are sorted from newest to oldest.
![Image of alerts queue](images/atp-alertsq2.png) ![Image of alerts queue](images/atp-new-alerts-list.png)
## Sort, filter, and group the alerts list ## Sort, filter, and group the alerts list
You can sort and filter the alerts using the available filters or clicking on a column's header that will sort the view in ascending or descending order. You can sort and filter the alerts using the available filters or clicking on a column's header that will sort the view in ascending or descending order.
@ -64,12 +63,11 @@ You can sort and filter the alerts using the available filters or clicking on a
Alert severity | Description Alert severity | Description
:---|:--- :---|:---
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints. High </br>(Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines.
Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages. Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization. Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
Informational </br>(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of. Informational </br>(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints.
#### Understanding alert severity #### Understanding alert severity
It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Windows Defender ATP alert severities are different because they represent different scopes. It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Windows Defender ATP alert severities are different because they represent different scopes.
@ -92,7 +90,8 @@ So, for example:
- Others - Others
>[!NOTE] >[!NOTE]
>The Windows Defender Antivirus filter will only appear if your endpoints are using Windows Defender Antivirus as the default real-time protection antimalware product. >The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default real-time protection antimalware product.
### View ### View
- **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top. - **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top.
@ -100,6 +99,22 @@ So, for example:
The grouped view allows for efficient alert triage and management. The grouped view allows for efficient alert triage and management.
## Alert queue columns
You can click on the first column to open up the **Alert management pane**. You can also select view the machine and user panes by selecting the icons beside the links.
Alerts are listed with the following columns:
- **Title** - Displays a brief description of the alert and its category.
- **Machine and user** - Displays the machine name and user associated with the alert. You view the machine or user details pane or pivot the actual details page.
- **Severity** - Displays the severity of the alert. Possible values are informational, low, medium, or high.
- **Last activity** - Date and time for when the last action was taken on the alert.
- **Time in queue** - Length of time the alert has been in the alerts queue.
- **Detection source** - Displays the detection source of the alert.
- **Status** - Current status of the alert. Possible values include new, in progress, or resolved.
- **Investigation state** - Reflects the number of related investigations and it's current state.
- **Assigned to** - Displays who is addressing the alert.
- **Manage icon** - You can click on the icon to bring up the alert management pane where you can manage and see details about the alert.
### Use the Alert management pane ### Use the Alert management pane
Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert. Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert.
@ -134,14 +149,11 @@ Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together
![Alerts queue bulk edit](images/alerts-q-bulk.png) ![Alerts queue bulk edit](images/alerts-q-bulk.png)
## Related topics ## Related topics
- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [View the Windows Defender Advanced Threat Protection Secure score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)

35
windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 10/16/2017 ms.date: 04/17/2018
--- ---
# Assign user access to the Windows Defender ATP portal # Assign user access to the Windows Defender ATP portal
@ -24,18 +24,33 @@ ms.date: 10/16/2017
- Office 365 - Office 365
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). Use the following methods to assign security roles. Windows Defender ATP supports two ways to manage permissions:
## Assign user access using Azure PowerShell - **Basic permissions management**: Set permissions to either full access or read-only.
- **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to machine groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md).
> [!NOTE]
>If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch:
>- Users with full access (Security Administrators) are automatically assigned the default **Global administrator** role, which also has full access. Only global administrators can manage permissions using RBAC.
>- Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC.
>- After switching to RBAC, you will not be able to switch back to using basic permissions management.
## Use basic permissions management
Refer to the instructions below to use basic permissions management. You can use either Azure PowerShell or the Azure Portal.
For granular control over permissions, [switch to role-based access control](rbac-windows-defender-advanced-threat-protection.md).
### Assign user access using Azure PowerShell
You can assign users with one of the following levels of permissions: You can assign users with one of the following levels of permissions:
- Full access (Read and Write) - Full access (Read and Write)
- Read only access - Read-only access
### Before you begin #### Before you begin
- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).<br> - Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).<br>
> [!NOTE] > [!NOTE]
@ -43,8 +58,6 @@ You can assign users with one of the following levels of permissions:
- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx). - Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
**Full access** <br> **Full access** <br>
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles. Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles.
@ -67,7 +80,7 @@ Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader
For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
## Assign user access using the Azure portal ### Assign user access using the Azure portal
1. Go to the [Azure portal](https://portal.azure.com). 1. Go to the [Azure portal](https://portal.azure.com).
@ -86,4 +99,8 @@ For more information see, [Manage Azure AD group and role membership](https://te
![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png) ![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink)
## Related topic
- [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)

63
windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,63 @@
---
title: Experience Windows Defender ATP through simulated attacks
description: Run the provided attack scenario simulations to experience how Windows Defender ATP can detect, investigate, and respond to breaches.
keywords: wdatp, test, scenario, attack, simulation, simulated, diy, windows defender advanced threat protection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: high
ms.date: 28/02/2018
---
# Experience Windows Defender ATP through simulated attacks
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
You might want to experience Windows Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an efficient response.
## Before you begin
To run any of the provided simulations, you need at least [one onboarded machine](onboard-configure-windows-defender-advanced-threat-protection.md).
Read the walkthrough document provided with each attack scenario. Each document includes OS and application requirements as well as detailed instructions that are specific to an attack scenario.
## Run a simulation
1. In **Help** > **Simulations & tutorials**, select which of the available attack scenarios you would like to simulate:
- **Scenario 1: Document drops backdoor** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control.
- **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and machine learning detection of malicious memory activity.
- **Scenario 3: Automated incident response** - triggers Automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity.
2. Download and read the corresponding walkthrough document provided with your selected scenario.
3. Download the simulation file or copy the simulation script by navigating to **Help** > **Simulations & tutorials**. You can choose to download the file or script on the test machine but it's not mandatory.
4. Run the simulation file or script on the test machine as instructed in the walkthrough document.
>[!NOTE]
>Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test machine.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink)
## Related topics
- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)

266
windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,266 @@
---
title: Use Automated investigations to investigate and remediate threats
description: View the list of automated investigations, its status, detection source and other details.
keywords: automated, investigation, detection, source, threat types, id, tags, machines, duration, filter export
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/17/2018
---
# Use Automated investigations to investigate and remediate threats
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
The Windows Defender ATP service has a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address.
To address this challenge, Windows Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
The Automated investigations list shows all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated.
## Understand the Automated investigation flow
### How the Automated investigation starts
Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) an Automated investigation starts.
The alerts start by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view.
### Details of an Automated investigation
As the investigation proceeds, you'll be able to view the details of the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Threats**, **Entities**, and **Log** tabs.
In the **Alerts** tab, you'll see the alert that started the investigation.
The **Machines** tab shows where the alert was seen.
The **Threats** tab shows the entities that were found to be malicious during the investigation.
During an Automated investigation, details about each analyzed entity is categorized in the **Entities** tab. You'll be able to see the determination for each entity type, such as whether it was determined to be malicious, suspicious, or clean.
The **Log** tab reflects the chronological detailed view of all the investigation actions taken on the alert.
If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions.
### How an Automated investigation expands its scope
While an investigation is running, any other alert generated from the machine will be added to an ongoing Automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation.
If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to include that machine and a generic machine playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
### How threats are remediated
Depending on how you set up the machine groups and their level of automation, the Automated investigation will either automaticlly remediate threats or require user approval (this is the default). For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
The default machine group is configured for semi-automatic remediation. This means that any malicious entity that needs to be remediated requires an approval and the investigation is added to the **Pending actions** section, this can be changed to fully automatic so that no user approval is needed.
When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.
### How an Automated investigation is completed
When the Automated investigation completes its analysis, and all pending actions are resolved, an investigation is considered complete. It's important to understand that an investigation is only considered complete if there are no pending actions on it.
## Manage Automated investigations
By default, the Automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
>[!NOTE]
>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
Use the **Customize columns** drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export** button, specify the number of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your preferred criteria.
![Image of Auto investigations page](images/atp-auto-investigations-list.png)
**Filters**</br>
You can use the following operations to customize the list of Automated investigations displayed:
**Triggering alert**</br>
The alert the initiated the Automated investigation.
**Status**</br>
An Automated investigation can be in one of the following status:
Status | Description
:---|:---
| No threats found | No malicious entities found during the investigation.
| Failed | A problem has interrupted the investigation, preventing it from completing. |
| Partially remediated | A problem prevented the remediation of some malicious entities. |
| Action required | Remediation actions require review and approval. |
| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
| Running | Investigation ongoing. Malicious entities found will be remediated. |
| Remediated | Malicious entities found were successfully remediated. |
| Terminated by system | Investigation was stopped due to <reason>. |
| Terminated by user | A user stopped the investigation before it could complete. |
| Not applicable | Automated investigations do not apply to this alert type. |
| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
| Automated investigation not applicable to alert type | Automated investigation does not apply to this alert type. |
| Automated investigation does not support OS | Machine is running an OS that is not supported by Automated investigation. |
| Automated investigation unavailable for preexisting alert | Automated investigation does not apply to alerts that were generated before it was deployed. |
| Automated investigation unavailable for suppressed alert | Automated investigation does not apply to suppressed alerts. |
**Detection source**</br>
Source of the alert that initiated the Automated investigation.
**Threat**</br>
The category of threat detected during the Automated investigation.
**Tags**</br>
Filter using manually added tags that capture the context of an Automated investigation.
**Machines**</br>
You can filter the Automated investigations list to zone in a specific machine to see other investigations related to the machine.
**Machine groups**</br>
Apply this filter to see specific machine groups that you might have created.
**Comments**</br>
Select between filtering the list between Automated investigations that have comments and those that don't.
## Analyze Automated investigations
You can view the details of an Automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
In this view, you'll see the name of the investigation, when it started and ended.
![Image of investigation details window](images/atp-analyze-auto-ir.png)
The progress ring shows two status indicators:
- Orange ring - shows the pending portion of the investigation
- Green ring - shows the running time portion of the investigation
![Image of start, end, and pending time for an automated investigation](images/atp-auto-investigation-pending.png)
In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds.
The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval.
From this view, you can also view and add comments and tags about the investigation.
### Investigation page
The investigation page gives you a quick summary on the status, alert severity, category, and detection source.
You'll also have access to the following sections that help you see details of the investigation with finer granularity:
- Investigation graph
- Alerts
- Machines
- Threats
- Entities
- Log
- Pending actions
>[!NOTE]
>The Pending actions tab is only displayed if there are actual pending actions.
- Pending actions history
>[!NOTE]
>The Pending actions history tab is only displayed when an investigation is complete.
In any of the sections, you can customize columns to further expand to limit the details you see in a section.
### Investigation graph
The investigation graph provides a graphical representation of an Automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
### Alerts
Shows details such as a short description of the alert that initiated the Automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
Additional alerts seen on a machine can be added to an Automated investigation as long as the investigation is ongoing.
Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, Automated investigation details, related machine, logged-on users, and comments and history.
Clicking on an alert title brings you the alert page.
### Machines
Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
Clicking on an machine name brings you the machine page.
### Threats
Shows details related to threats associated with this investigation.
### Entities
Shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean.
### Log
Gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
Available filters include action type, action, status, machine name, and description.
You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data.
### Pending actions history
This tab is only displayed when an investigation is complete and shows all pending actions taken during the investigation.
## Pending actions
If there are pending actions on an Automated investigation, you'll see a pop up similar to the following image.
![Image of pending actions](images\atp-pending-actions-notification.png)
When you click on the pending actions link, you'll be taken to the pending actions page. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Pending actions**.
The pending actions view aggregates all investigations that require an action for an investigation to proceed or be completed.
![Image of pending actions page](images/atp-pending-actions-list.png)
Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
Pending actions are grouped together in the following tabs:
- Quarantine file
- Remove persistence
- Stop process
- Expand pivot
- Quarantine service
>[!NOTE]
>The tab will only appear if there are pending actions for that category.
### Approve or reject an action
You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed.
![Image of list of pending actions](images/atp-approve-reject-action.png)
Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed.
![Image of pending action selected](images/atp-pending-actions-file.png)
From the panel, you can click on the Open investigation page link to see the investigation details.
You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations.
![Image of multiple investigations selected](images/atp-pending-actions-multiple.png)
## Related topic
- [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)

4
windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 10/16/2017 ms.date: 04/17/2018
--- ---
# Check sensor health state in Windows Defender ATP # Check sensor health state in Windows Defender ATP
@ -27,7 +27,7 @@ ms.date: 10/16/2017
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
The sensor health tile provides information on the individual endpoints ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues. The sensor health tile provides information on the individual machines ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
![Windows Defender ATP sensor health tile](images/atp-portal-sensor.png) ![Windows Defender ATP sensor health tile](images/atp-portal-sensor.png)

2
windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 11/30/2017 ms.date: 04/17/2018
--- ---

4
windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
View File

@ -34,7 +34,7 @@ Configuring the HP ArcSight Connector tool requires several configuration files
This section guides you in getting the necessary information to set and use the required configuration files correctly. This section guides you in getting the necessary information to set and use the required configuration files correctly.
- Make sure you have enabled the SIEM integration feature from the **Preferences setup** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). - Make sure you have enabled the SIEM integration feature from the **Settings** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).
- Have the file you saved from enabling the SIEM integration feature ready. You'll need to get the following values: - Have the file you saved from enabling the SIEM integration feature ready. You'll need to get the following values:
- OAuth 2.0 Token refresh URL - OAuth 2.0 Token refresh URL
@ -105,7 +105,7 @@ The following steps assume that you have completed all the required steps in [Be
<td>Browse to the location of the *wdatp-connector.properties* file. The name must match the file provided in the .zip that you downloaded.</td> <td>Browse to the location of the *wdatp-connector.properties* file. The name must match the file provided in the .zip that you downloaded.</td>
<tr> <tr>
<td>Refresh Token</td> <td>Refresh Token</td>
<td>You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM integration preferences setup** page or using the restutil tool. <br><br> For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). </br> </br>**Get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool. </br></br> b. Type: `arcsight restutil token -config` from the bin directory. A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d. A refresh token is shown in the command prompt. </br></br> e. Copy and paste it into the **Refresh Token** field. <td>You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM settings** page or using the restutil tool. <br><br> For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). </br> </br>**Get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool. </br></br> b. Type: `arcsight restutil token -config` from the bin directory. A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d. A refresh token is shown in the command prompt. </br></br> e. Copy and paste it into the **Refresh Token** field.
</td> </td>
</tr> </tr>
</tr> </tr>

63
windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
View File

@ -1,5 +1,5 @@
--- ---
title: Configure email notifications in Windows Defender ATP title: Configure alert notifications in Windows Defender ATP
description: Send email notifications to specified recipients to receive new alerts based on severity with Windows Defender ATP on Windows 10 Enterprise, Pro, and Education editions. description: Send email notifications to specified recipients to receive new alerts based on severity with Windows Defender ATP on Windows 10 Enterprise, Pro, and Education editions.
keywords: email notifications, configure alert notifications, windows defender atp notifications, windows defender atp alerts, windows 10 enterprise, windows 10 education keywords: email notifications, configure alert notifications, windows defender atp notifications, windows defender atp alerts, windows 10 enterprise, windows 10 education
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
@ -10,10 +10,10 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 10/16/2017 ms.date: 04/17/2018
--- ---
# Configure email notifications in Windows Defender ATP # Configure alert notifications in Windows Defender ATP
**Applies to:** **Applies to:**
@ -23,7 +23,7 @@ ms.date: 10/16/2017
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
@ -38,29 +38,44 @@ You can also add or remove recipients of the email notification. New recipients
The email notification includes basic information about the alert and a link to the portal where you can do further investigation. The email notification includes basic information about the alert and a link to the portal where you can do further investigation.
## Set up email notifications for alerts ## Create rules for alert notifications
The email notifications feature is turned off by default. Turn it on to start receiving email notifications. You can create rules that determine the machines and alert severities to send email notifications for and the notification recipients.
1. On the navigation pane, select **Preferences setup** > **Email Notifications**.
2. Toggle the setting between **On** and **Off**.
3. Select the alert severity level that youd like your recipients to receive:
- **High** Select this level to send notifications for high-severity alerts.
- **Medium** Select this level to send notifications for medium-severity alerts.
- **Low** - Select this level to send notifications for low-severity alerts.
- **Informational** - Select this level to send notification for alerts that might not be considered harmful but good to keep track of.
4. In **Email recipients to notify on new alerts**, type the email address then select the + sign.
5. Click **Save preferences** when youve completed adding all the recipients.
Check that email recipients are able to receive the email notifications by selecting **Send test email**. All recipients in the list will receive the test email. 1. In the navigation pane, select **Settings** > **General** > **Alert notifications**.
2. Click **Add notification rule**.
3. Specify the General information:
- **Rule name**
- **Machines** - Choose whether to notify recipients for all alerts on all machines or on selected machine group. If you choose to only send on a selected machine group, make sure that the machine group has been created. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
- **Alert severity** - Choose the alert severity level
4. Click **Next**.
5. Enter the recipient's email address then click **Add recipient**. You can add multiple email addresses.
6. Check that email recipients are able to receive the email notifications by selecting **Send test email**.
7. Click **Save notification rule**.
Here's an example email notification: Here's an example email notification:
![Image of example email notification](images/atp-example-email-notification.png) ![Image of example email notification](images/atp-example-email-notification.png)
## Remove email recipients ## Edit a notification rule
1. Select the notification rule you'd like to edit.
1. Select the trash bin icon beside the email address youd like to remove. 2. Update the General and Recipient tab information.
2. Click **Save preferences**.
3. CLick **Save notification rule**.
## Delete notification rule
1. Select the notification rule you'd like to delete.
2. Click **Delete**.
## Troubleshoot email notifications for alerts ## Troubleshoot email notifications for alerts
This section lists various issues that you may encounter when using email notifications for alerts. This section lists various issues that you may encounter when using email notifications for alerts.
@ -74,9 +89,7 @@ This section lists various issues that you may encounter when using email notifi
3. Check your email application rules that might be catching and moving your Windows Defender ATP email notifications. 3. Check your email application rules that might be catching and moving your Windows Defender ATP email notifications.
## Related topics ## Related topics
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md) - [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) - [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md) - [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)

76
windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
--- ---
title: Configure Windows Defender ATP endpoints using Group Policy title: Onboard Windows 10 machines using Group Policy to Windows Defender ATP
description: Use Group Policy to deploy the configuration package on endpoints so that they are onboarded to the service. description: Use Group Policy to deploy the configuration package on Windows 10 machines so that they are onboarded to the service.
keywords: configure endpoints using group policy, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, group policy keywords: configure machines using group policy, machine management, configure Windows ATP machines, onboard Windows Defender Advanced Threat Protection machines, group policy
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
@ -10,10 +10,10 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 11/06/2017 ms.date: 04/17/2018
--- ---
# Configure endpoints using Group Policy # Onboard Windows 10 machines using Group Policy
**Applies to:** **Applies to:**
@ -25,7 +25,7 @@ ms.date: 11/06/2017
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink)
@ -33,14 +33,18 @@ ms.date: 11/06/2017
> [!NOTE] > [!NOTE]
> To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later. > To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
## Onboard endpoints ## Onboard machines using Group Policy
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
a. Click **Endpoint management** > **Clients** on the **Navigation pane**. b. Select Windows 10 as the operating system.
c. In the **Deployment method** field, select **Group policy**.
d. Click **Download package** and save the .zip file.
b. Select **Group Policy**, click **Download package** and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. 3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
@ -57,10 +61,10 @@ ms.date: 11/06/2017
9. Click **OK** and close any open GPMC windows. 9. Click **OK** and close any open GPMC windows.
>[!TIP] >[!TIP]
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). > After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md).
## Additional Windows Defender ATP configuration settings ## Additional Windows Defender ATP configuration settings
For each endpoint, you can state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis. For each machine, you can state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature. You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
@ -80,7 +84,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
5. Click **Windows components** and then **Windows Defender ATP**. 5. Click **Windows components** and then **Windows Defender ATP**.
6. Choose to enable or disable sample sharing from your endpoints. 6. Choose to enable or disable sample sharing from your machines.
>[!NOTE] >[!NOTE]
> If you don't set a value, the default value is to enable sample collection. > If you don't set a value, the default value is to enable sample collection.
@ -93,7 +97,7 @@ In cases where high-value assets or machines are at high risk, you can configure
> [!NOTE] > [!NOTE]
> Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical. > Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical.
For each endpoint, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal. For each machine, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal.
The configuration is set through the following registry key entry: The configuration is set through the following registry key entry:
@ -105,26 +109,28 @@ Value: Normal or Expedite
Where:<br> Where:<br>
Key type is a string. <br> Key type is a string. <br>
Possible values are: Possible values are:
- Normal - sets reporting frequency from the endpoint to Normal mode for the optimal speed and performance balance - Normal - sets reporting frequency from the machine to Normal mode for the optimal speed and performance balance
- Expedite - sets reporting frequency from the endpoint to Expedite mode - Expedite - sets reporting frequency from the machine to Expedite mode
The default value in case the registry key doesnt exist is Normal. The default value in case the registry key doesnt exist is Normal.
### Offboard endpoints ## Offboard machines using Group Policy
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE] > [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** > **Clients** on the **Navigation pane**. a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
b. Click the **Endpoint offboarding** section. b. Select Windows 10 as the operating system.
c. In the **Deployment method** field, select **Group policy**.
c. Select **Group Policy**, click **Download package** and save the .zip file. d. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. 3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
@ -144,22 +150,22 @@ For security reasons, the package used to offboard endpoints will expire 30 days
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. > Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
## Monitor endpoint configuration ## Monitor machine configuration
With Group Policy there isnt an option to monitor deployment of policies on the endpoints. Monitoring can be done directly on the portal, or by using the different deployment tools. With Group Policy there isnt an option to monitor deployment of policies on the machines. Monitoring can be done directly on the portal, or by using the different deployment tools.
## Monitor endpoints using the portal ## Monitor machines using the portal
1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/). 1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/).
2. Click **Machines list**. 2. Click **Machines list**.
3. Verify that endpoints are appearing. 3. Verify that machines are appearing.
> [!NOTE] > [!NOTE]
> It can take several days for endpoints to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. > It can take several days for machines to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the machine, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
## Related topics ## Related topics
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md) - [Run a detection test on a newly onboarded Windows Defender ATP machines](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

72
windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
--- ---
title: Configure endpoints using Mobile Device Management tools title: Onboard Windows 10 machines using Mobile Device Management tools
description: Use Mobile Device Management tools to deploy the configuration package on endpoints so that they are onboarded to the service. description: Use Mobile Device Management tools to deploy the configuration package on machines so that they are onboarded to the service.
keywords: configure endpoints using mdm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, mdm keywords: onboard machines using mdm, machine management, onboard Windows ATP machines, onboard Windows Defender Advanced Threat Protection machines, mdm
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
@ -10,10 +10,10 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 11/06/2017 ms.date: 04/17/2018
--- ---
# Configure endpoints using Mobile Device Management tools # Onboard Windows 10 machines using Mobile Device Management tools
**Applies to:** **Applies to:**
@ -23,11 +23,9 @@ ms.date: 11/06/2017
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink)
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints. You can use mobile device management (MDM) solutions to configure machines. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage machines.
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
@ -36,20 +34,21 @@ If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwi
For more information on enabling MDM with Microsoft Intune, see [Setup Windows Device Management](https://docs.microsoft.com/intune-classic/deploy-use/set-up-windows-device-management-with-microsoft-intune). For more information on enabling MDM with Microsoft Intune, see [Setup Windows Device Management](https://docs.microsoft.com/intune-classic/deploy-use/set-up-windows-device-management-with-microsoft-intune).
## Configure endpoints using Microsoft Intune ## Onboard machines using Microsoft Intune
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher ### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Select **Endpoint management** > **Clients** on the **Navigation pane**. a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file. b. Select Windows 10 as the operating system.
![Endpoint onboarding](images/atp-mdm-onboarding-package.png) c. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
d. Click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
@ -103,16 +102,17 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
![Image of deployment](images/atp-intune-save-deployment.png) ![Image of deployment](images/atp-intune-save-deployment.png)
### Onboard and monitor machines using the classic Intune console
### Onboard and monitor endpoints using the classic Intune console
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Select **Endpoint management** > **Clients** on the **Navigation pane**. a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file. b. Select Windows 10 as the operating system.
![Endpoint onboarding](images/atp-mdm-onboarding-package.png) c. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
d. Click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
@ -155,9 +155,9 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
![Microsoft Intune manage deployment](images/atp-intune-manage-deployment.png) ![Microsoft Intune manage deployment](images/atp-intune-manage-deployment.png)
When the policy is deployed and is propagated, endpoints will be shown in the **Machines list**. When the policy is deployed and is propagated, machines will be shown in the **Machines list**.
You can use the following onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to: You can use the following onboarding policies to deploy configuration settings on machines. These policies can be sub-categorized to:
- Onboarding - Onboarding
- Health Status for onboarded machines - Health Status for onboarded machines
- Configuration for onboarded machines - Configuration for onboarded machines
@ -179,31 +179,29 @@ Configuration for onboarded machines: diagnostic data reporting frequency | ./De
>[!TIP] >[!TIP]
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). > After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md).
## Offboard and monitor machines using Mobile Device Management tools
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
### Offboard and monitor endpoints
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE] > [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** > **Clients** on the **Navigation pane**. a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
b. Click the **Endpoint offboarding** section. b. Select Windows 10 as the operating system.
c. Select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file. c. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
d. Click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to: Offboarding - Use the offboarding policies to remove configuration settings on machines. These policies can be sub-categorized to:
- Offboarding - Offboarding
- Health Status for offboarded machines - Health Status for offboarded machines
- Configuration for offboarded machines - Configuration for offboarded machines
@ -221,9 +219,9 @@ Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/W
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. > Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
## Related topics ## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md) - [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

37
windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
--- ---
title: Configure non-Windows endpoints in Windows Defender ATP title: Onboard non-Windows machines to the Windows Defender ATP service
description: Configure non-Winodws endpoints so that they can send sensor data to the Windows Defender ATP service. description: Configure non-Winodws machines so that they can send sensor data to the Windows Defender ATP service.
keywords: configure endpoints non-Windows endpoints, macos, linux, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints keywords: onboard non-Windows machines, macos, linux, machine management, configure Windows ATP machines, configure Windows Defender Advanced Threat Protection machines
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
@ -9,10 +9,10 @@ ms.sitesec: library
ms.pagetype: security ms.pagetype: security
author: mjcaparas author: mjcaparas
localizationpriority: high localizationpriority: high
ms.date: 12/12/2017 ms.date: 04/17/2018
--- ---
# Configure non-Windows endpoints # Onboard non-Windows machines
**Applies to:** **Applies to:**
@ -28,20 +28,21 @@ Windows Defender ATP provides a centralized security operations experience for W
You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work. You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work.
## Onboard non-Windows endpoints You'll need to take the following steps to onboard non-Windows machines:
You'll need to take the following steps to oboard non-Windows endpoints:
1. Turn on third-party integration 1. Turn on third-party integration
2. Run a detection test 2. Run a detection test
### Turn on third-party integration ### Turn on third-party integration
1. In Windows Defender Security Center portal, select **Endpoint management** > **Clients** > **Non-Windows**. Make sure the third-party solution is listed. 1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. Make sure the third-party solution is listed.
2. Toggle the third-party provider switch button to turn on the third-party solution integration. 2. Select Mac and Linux as the operating system.
3. Click **Generate access token** button and then **Copy**. 3. Turn on the third-party solution integration.
4. Youll need to copy and paste the token to the third-party solution youre using. The implementation may vary depending on the solution. 4. Click **Generate access token** button and then **Copy**.
5. Youll need to copy and paste the token to the third-party solution youre using. The implementation may vary depending on the solution.
>[!WARNING] >[!WARNING]
@ -52,21 +53,21 @@ Create an EICAR test file by saving the string displayed on the portal in an emp
The file should trigger a detection and a corresponding alert on Windows Defender ATP. The file should trigger a detection and a corresponding alert on Windows Defender ATP.
### Offboard non-Windows endpoints ## Offboard non-Windows machines
To effectively offboard the endpoints from the service, you'll need to disable the data push on the third-party portal first then switch the toggle to off in Windows Defender Security Center. The toggle in the portal only blocks the data inbound flow. To effectively offboard the machine from the service, you'll need to disable the data push on the third-party portal first then switch the toggle to off in Windows Defender Security Center. The toggle in the portal only blocks the data inbound flow.
1. Follow the third-party documentation to opt-out on the third-party service side. 1. Follow the third-party documentation to opt-out on the third-party service side.
2. In Windows Defender Security Center portal, select **Endpoint management**> **Non-Windows**. 2. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
3. Toggle the third-party provider switch button to turn stop diagnostic data from endpoints. 3. Turn off the third-party solution integration.
>[!WARNING] >[!WARNING]
>If you decide to turn on the third-party integration again after disabling the integration, you'll need to regenerate the token and reapply it on endpoints. >If you decide to turn on the third-party integration again after disabling the integration, you'll need to regenerate the token and reapply it on machines.
## Related topics ## Related topics
- [Configure Windows Defender ATP client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md) - [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) - [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

81
windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
--- ---
title: Configure endpoints using System Center Configuration Manager title: Onboard Windows 10 machines using System Center Configuration Manager
description: Use System Center Configuration Manager to deploy the configuration package on endpoints so that they are onboarded to the service. description: Use System Center Configuration Manager to deploy the configuration package on machines so that they are onboarded to the service.
keywords: configure endpoints using sccm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Windows Defender Advanced Threat Protection machines, sccm
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
@ -10,10 +10,10 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 11/06/2017 ms.date: 04/17/2018
--- ---
# Configure endpoints using System Center Configuration Manager # Onboard Windows 10 machines using System Center Configuration Manager
**Applies to:** **Applies to:**
@ -24,33 +24,38 @@ ms.date: 11/06/2017
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
- System Center 2012 Configuration Manager or later versions - System Center 2012 Configuration Manager or later versions
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
<span id="sccm1606"/> <span id="sccm1606"/>
## Configure endpoints using System Center Configuration Manager (current branch) version 1606 ## Onboard Windows 10 machines using System Center Configuration Manager (current branch) version 1606
System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682). System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on machines. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
>[!NOTE] >[!NOTE]
> If youre using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version. > If youre using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version.
<span id="sccm1602"/> <span id="sccm1602"/>
## Configure endpoints using System Center Configuration Manager earlier versions ## Onboard Windows 10 machines using System Center Configuration Manager earlier versions
You can use existing System Center Configuration Manager functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions: You can use existing System Center Configuration Manager functionality to create a policy to configure your machines. This is supported in the following System Center Configuration Manager versions:
- System Center 2012 Configuration Manager - System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager - System Center 2012 R2 Configuration Manager
- System Center Configuration Manager (current branch), version 1511 - System Center Configuration Manager (current branch), version 1511
- System Center Configuration Manager (current branch), version 1602 - System Center Configuration Manager (current branch), version 1602
### Onboard endpoints ### Onboard machines using System Center Configuration Manager
1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): 1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** > **Clients** on the **Navigation pane**. a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
b. Select Windows 10 as the operating system.
b. Select **System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file. c. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
d. Click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
@ -62,12 +67,12 @@ You can use existing System Center Configuration Manager functionality to create
> Windows Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading. > Windows Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading.
>[!TIP] >[!TIP]
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). > After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md).
### Configure sample collection settings ### Configure sample collection settings
For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis. For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on an endpoint. You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a machine.
This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure theyre complaint. This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure theyre complaint.
The configuration is set through the following registry key entry: The configuration is set through the following registry key entry:
@ -80,8 +85,8 @@ Value: 0 or 1
Where:<br> Where:<br>
Key type is a D-WORD. <br> Key type is a D-WORD. <br>
Possible values are: Possible values are:
- 0 - doesn't allow sample sharing from this endpoint - 0 - doesn't allow sample sharing from this machine
- 1 - allows sharing of all file types from this endpoint - 1 - allows sharing of all file types from this machine
The default value in case the registry key doesnt exist is 1. The default value in case the registry key doesnt exist is 1.
@ -95,7 +100,7 @@ In cases where high-value assets or machines are at high risk, you can configure
> [!NOTE] > [!NOTE]
> Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical. > Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical.
For each endpoint, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal. For each machine, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal.
The configuration is set through the following registry key entry: The configuration is set through the following registry key entry:
@ -107,26 +112,28 @@ Value: Normal or Expedite
Where:<br> Where:<br>
Key type is a string. <br> Key type is a string. <br>
Possible values are: Possible values are:
- Normal - sets reporting frequency from the endpoint to Normal mode for the optimal speed and performance balance - Normal - sets reporting frequency from the machine to Normal mode for the optimal speed and performance balance
- Expedite - sets reporting frequency from the endpoint to Expedite mode - Expedite - sets reporting frequency from the machine to Expedite mode
The default value in case the registry key doesnt exist is Normal. The default value in case the registry key doesnt exist is Normal.
### Offboard endpoints ## Offboard machines using System Center Configuration Manager
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE] > [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** > **Clients** on the **Navigation pane**. a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
b. Click the **Endpoint offboarding** section. b. Select Windows 10 as the operating system.
c. Select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file. c. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
d. Click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
@ -138,12 +145,12 @@ For security reasons, the package used to offboard endpoints will expire 30 days
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. > Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
### Monitor endpoint configuration ### Monitor machine configuration
Monitoring with SCCM consists of two parts: Monitoring with SCCM consists of two parts:
1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network. 1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the machines in your network.
2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service). 2. Checking that the machines are compliant with the Windows Defender ATP service (this ensures the machine can complete the onboarding process and can continue to report data to the service).
**To confirm the configuration package has been correctly deployed:** **To confirm the configuration package has been correctly deployed:**
@ -155,11 +162,11 @@ Monitoring with SCCM consists of two parts:
4. Review the status indicators under **Completion Statistics** and **Content Status**. 4. Review the status indicators under **Completion Statistics** and **Content Status**.
If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. For more information see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md). If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
![SCCM showing successful deployment with no errors](images/sccm-deployment.png) ![SCCM showing successful deployment with no errors](images/sccm-deployment.png)
**Check that the endpoints are compliant with the Windows Defender ATP service:**<br> **Check that the machines are compliant with the Windows Defender ATP service:**<br>
You can set a compliance rule for configuration item in System Center Configuration Manager to monitor your deployment. You can set a compliance rule for configuration item in System Center Configuration Manager to monitor your deployment.
This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines. This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines.
@ -173,9 +180,9 @@ Value: “1”
For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx). For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
## Related topics ## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md) - [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

75
windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
--- ---
title: Configure Windows Defender ATP endpoints using a local script title: Onboard Windows 10 machines using a local script
description: Use a local script to deploy the configuration package on endpoints so that they are onboarded to the service. description: Use a local script to deploy the configuration package on machines so that they are onboarded to the service.
keywords: configure endpoints using a local script, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints keywords: configure machines using a local script, machine management, configure Windows ATP machines, configure Windows Defender Advanced Threat Protection machines
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
@ -10,10 +10,10 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 11/06/2017 ms.date: 04/17/2018
--- ---
# Configure endpoints using a local script # Onboard Windows 10 machines using a local script
**Applies to:** **Applies to:**
@ -23,26 +23,31 @@ ms.date: 11/06/2017
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network. You can also manually onboard individual machines to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all machines in your network.
> [!NOTE] > [!NOTE]
> The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). > The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
## Onboard endpoints ## Onboard machines
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** > **Clients** on the **Navigation pane**. a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
b. Select **Local Script**, click **Download package** and save the .zip file. b. Select Windows 10 as the operating system.
c. In the **Deployment method** field, select **Local Script**.
2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. d. Click **Download package** and save the .zip file.
3. Open an elevated command-line prompt on the endpoint and run the script:
2. Extract the contents of the configuration package to a location on the machine you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
3. Open an elevated command-line prompt on the machine and run the script:
a. Go to **Start** and type **cmd**. a. Go to **Start** and type **cmd**.
@ -54,16 +59,16 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You
5. Press the **Enter** key or click **OK**. 5. Press the **Enter** key or click **OK**.
For information on how you can manually validate that the endpoint is compliant and correctly reports sensor data see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md). For information on how you can manually validate that the machine is compliant and correctly reports sensor data see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
>[!TIP] >[!TIP]
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). > After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
## Configure sample collection settings ## Configure sample collection settings
For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis. For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
You can manually configure the sample sharing setting on the endpoint by using *regedit* or creating and running a *.reg* file. You can manually configure the sample sharing setting on the machine by using *regedit* or creating and running a *.reg* file.
The configuration is set through the following registry key entry: The configuration is set through the following registry key entry:
@ -75,29 +80,31 @@ Value: 0 or 1
Where:<br> Where:<br>
Name type is a D-WORD. <br> Name type is a D-WORD. <br>
Possible values are: Possible values are:
- 0 - doesn't allow sample sharing from this endpoint - 0 - doesn't allow sample sharing from this machine
- 1 - allows sharing of all file types from this endpoint - 1 - allows sharing of all file types from this machine
The default value in case the registry key doesnt exist is 1. The default value in case the registry key doesnt exist is 1.
## Offboard endpoints ## Offboard machines using a local script
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE] > [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** on the **Navigation pane**. a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
b. Click the **Endpoint offboarding** section. b. Select Windows 10 as the operating system.
c. Select **Group Policy**, click **Download package** and save the .zip file. c. In the **Deployment method** field, select **Local Script**.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. d. Click **Download package** and save the .zip file.
3. Open an elevated command-line prompt on the endpoint and run the script: 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machines. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open an elevated command-line prompt on the machine and run the script:
a. Go to **Start** and type **cmd**. a. Go to **Start** and type **cmd**.
@ -113,23 +120,23 @@ For security reasons, the package used to offboard endpoints will expire 30 days
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. > Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
## Monitor endpoint configuration ## Monitor machine configuration
You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) to verify that the script completed successfully and the agent is running. You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) to verify that the script completed successfully and the agent is running.
Monitoring can also be done directly on the portal, or by using the different deployment tools. Monitoring can also be done directly on the portal, or by using the different deployment tools.
### Monitor endpoints using the portal ### Monitor machines using the portal
1. Go to the Windows Defender ATP portal. 1. Go to the Windows Defender ATP portal.
2. Click **Machines list**. 2. Click **Machines list**.
3. Verify that endpoints are appearing. 3. Verify that machines are appearing.
## Related topics ## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md) - [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

30
windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
--- ---
title: Configure non-persistent virtual desktop infrastructure (VDI) machines title: Onboard non-persistent virtual desktop infrastructure (VDI) machines
description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Windows Defender ATP the service. description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Windows Defender ATP the service.
keywords: configure virtual desktop infrastructure (VDI) machine, vdi, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints keywords: configure virtual desktop infrastructure (VDI) machine, vdi, machine management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
@ -10,15 +10,15 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 10/16/2017 ms.date: 04/17/2018
--- ---
# Configure non-persistent virtual desktop infrastructure (VDI) machines # Onboard non-persistent virtual desktop infrastructure (VDI) machines
**Applies to:** **Applies to:**
- Virtual desktop infrastructure (VDI) machines - Virtual desktop infrastructure (VDI) machines
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configvdi-abovefoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
@ -40,9 +40,13 @@ You can onboard VDI machines using a single entry or multiple entries for each m
1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): 1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** > **Clients** on the **Navigation pane**. a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
b. Select **VDI onboarding scripts for non-persistent endpoints** then click **Download package** and save the .zip file. b. Select Windows 10 as the operating system.
c. In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**.
d. Click **Download package** and save the .zip file.
2. Copy the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`. 2. Copy the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`.
@ -67,9 +71,13 @@ You can onboard VDI machines using a single entry or multiple entries for each m
6. Test your solution: 6. Test your solution:
a. Create a pool with one machine. a. Create a pool with one machine.
b. Logon to machine. b. Logon to machine.
c. Logoff from machine. c. Logoff from machine.
d. Logon to machine with another user. d. Logon to machine with another user.
e. **For single entry for each machine**: Check only one entry in the Windows Defender ATP portal.<br> e. **For single entry for each machine**: Check only one entry in the Windows Defender ATP portal.<br>
**For multiple entries for each machine**: Check multiple entries in the Windows Defender ATP portal. **For multiple entries for each machine**: Check multiple entries in the Windows Defender ATP portal.
@ -78,10 +86,10 @@ You can onboard VDI machines using a single entry or multiple entries for each m
8. Use the search function by entering the machine name and select **Machine** as search type. 8. Use the search function by entering the machine name and select **Machine** as search type.
## Related topics ## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

24
windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
--- ---
title: Configure Windows Defender ATP client endpoints title: Onboard Windows 10 machines on Windows Defender ATP
description: Configure client endpoints so that they can send sensor data to the Windows Defender ATP sensor. description: Onboard Windows 10 machines so that they can send sensor data to the Windows Defender ATP sensor
keywords: configure client endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints keywords: Onboard Windows 10 machines, group policy, system center configuration manager, mobile device management, local script, gp, sccm, mdm, intune
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
@ -10,10 +10,10 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 10/16/2017 ms.date: 04/17/2018
--- ---
# Configure Windows Defender ATP client endpoints # Onboard Windows 10 machines
**Applies to:** **Applies to:**
@ -23,9 +23,9 @@ ms.date: 10/16/2017
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Machines in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the machines in your organization.
Endpoints in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization.
Windows Defender ATP supports the following deployment tools and methods: Windows Defender ATP supports the following deployment tools and methods:
@ -37,11 +37,11 @@ Windows Defender ATP supports the following deployment tools and methods:
## In this section ## In this section
Topic | Description Topic | Description
:---|:--- :---|:---
[Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) | Use Group Policy to deploy the configuration package on endpoints. [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) | Use Group Policy to deploy the configuration package on machines.
[Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on endpoints. [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on machines.
[Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on endpoints. [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on machine.
[Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints. [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints.
[Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) | Learn how to use the configuration package to configure VDI machines. [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) | Learn how to use the configuration package to configure VDI machines.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink)

10
windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
View File

@ -1,5 +1,5 @@
--- ---
title: Configure endpoint proxy and Internet connection settings title: Configure machine proxy and Internet connection settings
description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service. description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service.
keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
@ -14,7 +14,7 @@ ms.date: 10/16/2017
--- ---
# Configure endpoint proxy and Internet connectivity settings # Configure machine proxy and Internet connectivity settings
**Applies to:** **Applies to:**
@ -39,7 +39,7 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
- Web Proxy Auto-discovery Protocol (WPAD) - Web Proxy Auto-discovery Protocol (WPAD)
> [!NOTE] > [!NOTE]
> If you're using Transparent proxy or WPAD in your network topology, you don't need special endpoint configuration settings. For more information on Windows Defender ATP URL exclusions in the proxy, see [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Windows Defender ATP URL exclusions in the proxy, see [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server).
- Manual static proxy configuration: - Manual static proxy configuration:
@ -99,7 +99,7 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover
1. Download the [connectivity verification tool](https://go.microsoft.com/fwlink/p/?linkid=823683) to the PC where Windows Defender ATP sensor is running on. 1. Download the [connectivity verification tool](https://go.microsoft.com/fwlink/p/?linkid=823683) to the PC where Windows Defender ATP sensor is running on.
2. Extract the contents of WDATPConnectivityAnalyzer on the endpoint. 2. Extract the contents of WDATPConnectivityAnalyzer on the machine.
3. Open an elevated command-line: 3. Open an elevated command-line:
@ -135,5 +135,5 @@ If at least one of the connectivity options returns a (200) status, then the Win
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure.
## Related topics ## Related topics
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

77
windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
--- ---
title: Configure Windows Defender ATP server endpoints title: Onboard servers to the Windows Defender ATP service
description: Configure server endpoints so that they can send sensor data to the Windows Defender ATP sensor. description: Onboard servers so that they can send sensor data to the Windows Defender ATP sensor.
keywords: configure server endpoints, server, server onboarding, endpoint management, configure Windows ATP server endpoints, configure Windows Defender Advanced Threat Protection server endpoints keywords: onboard server, server, server onboarding, machine management, configure Windows ATP servers, onboard Windows Defender Advanced Threat Protection servers
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
@ -9,15 +9,16 @@ ms.sitesec: library
ms.pagetype: security ms.pagetype: security
author: mjcaparas author: mjcaparas
localizationpriority: high localizationpriority: high
ms.date: 04/04/2018 ms.date: 04/17/2018
--- ---
# Configure Windows Defender ATP server endpoints # Onboard servers to the Windows Defender ATP service
**Applies to:** **Applies to:**
- Windows Server 2012 R2 - Windows Server 2012 R2
- Windows Server 2016 - Windows Server 2016
- Windows Server, version 1803
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)] [!include[Prerelease information](prerelease.md)]
@ -29,8 +30,9 @@ Windows Defender ATP extends support to also include the Windows Server operatin
Windows Defender ATP supports the onboarding of the following servers: Windows Defender ATP supports the onboarding of the following servers:
- Windows Server 2012 R2 - Windows Server 2012 R2
- Windows Server 2016 - Windows Server 2016
- Windows Server, version 1803
## Onboard server endpoints ## Onboard Windows Server 2012 R2 and Windows Server 2016
To onboard your servers to Windows Defender ATP, youll need to: To onboard your servers to Windows Defender ATP, youll need to:
@ -38,16 +40,16 @@ To onboard your servers to Windows Defender ATP, youll need to:
- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below. - If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below.
>[!TIP] >[!TIP]
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). > After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
### Turn on Server monitoring from the Windows Defender Security Center portal ### Turn on Server monitoring from the Windows Defender Security Center portal
1. In the navigation pane, select **Endpoint management** > **Servers**. 1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
2. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. 2. Select Windows server 2012, 2012R2 and 2016 as the operating system.
![Image of server onboarding](images/atp-server-onboarding.png) 3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
<span id="server-mma"/> <span id="server-mma"/>
### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP ### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
@ -64,7 +66,8 @@ To onboard your servers to Windows Defender ATP, youll need to:
Once completed, you should see onboarded servers in the portal within an hour. Once completed, you should see onboarded servers in the portal within an hour.
<span id="server-proxy"/> <span id="server-proxy"/>
### Configure server endpoint proxy and Internet connectivity settings ### Configure server proxy and Internet connectivity settings
- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway). - Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service: - If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
@ -79,21 +82,43 @@ Once completed, you should see onboarded servers in the portal within an hour.
| winatp-gw-neu.microsoft.com | 443 | | winatp-gw-neu.microsoft.com | 443 |
| winatp-gw-weu.microsoft.com | 443 | | winatp-gw-weu.microsoft.com | 443 |
## Onboard Windows Server, version 1803
Youll be able to onboard in the same method available for Windows 10 client machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
## Offboard server endpoints 1. Install the latest Windows Server Insider build on a machine. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver).
2. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
3. If youre running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
a. Set the following registry entry:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- Name: ForceDefenderPassiveMode
- Value: 1
b. Run the following PowerShell command to verify that the passive mode was configured:
```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}```
c. Confirm that a recent event containing the passive mode event is found:
![Image of passive mode verification result](images/atp-verify-passive-mode.png)
4. Run the following command to check if Windows Defender AV is installed:
```sc query Windefend```
If the result is The specified service does not exist as an installed service, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
## Offboard servers
You have two options to offboard servers from the service: You have two options to offboard servers from the service:
- Uninstall the MMA agent - Uninstall the MMA agent
- Remove the Windows Defender ATP workspace configuration - Remove the Windows Defender ATP workspace configuration
>[!NOTE]
>Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months.
### Uninstall servers by uinstalling the MMA agent ### Uninstall servers by uinstalling the MMA agent
To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP. To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP.
For more information, see [To disable an agent](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent). For more information, see [To disable an agent](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent).
>[!NOTE]
>Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months.
### Remove the Windows Defender ATP workspace configuration ### Remove the Windows Defender ATP workspace configuration
To offboard the server, you can use either of the following methods: To offboard the server, you can use either of the following methods:
@ -110,11 +135,14 @@ To offboard the server, you can use either of the following methods:
#### Run a PowerShell command to remove the configuration #### Run a PowerShell command to remove the configuration
1. Get your workspace ID by going to **Endpoint management** > **Servers**: 1. Get your Workspace ID:
a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
![Image of server onboarding](images/atp-server-onboarding-workspaceid.png)
2. Open an elevated PowerShell and run the following command. Use the workspace ID you obtained and replacing `WorkspaceID`: b. Select **Windows server 2012, 2012R2 and 2016** as the operating system and get your Workspace ID:
![Image of server onboarding](images/atp-server-offboarding-workspaceid.png)
2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
``` ```
# Load agent scripting object # Load agent scripting object
@ -124,11 +152,10 @@ To offboard the server, you can use either of the following methods:
# Reload the configuration and apply changes # Reload the configuration and apply changes
$AgentCfg.ReloadConfiguration() $AgentCfg.ReloadConfiguration()
``` ```
## Related topics ## Related topics
- [Configure Windows Defender ATP client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) - [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md) - [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) - [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

6
windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
View File

@ -23,11 +23,9 @@ ms.date: 10/16/2017
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Pull alerts using supported security information and events management (SIEM) tools ## Pull alerts using security information and events management (SIEM) tools
Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
@ -56,7 +54,7 @@ For more information, see [Pull Windows Defender ATP alerts using REST API](pull
Topic | Description Topic | Description
:---|:--- :---|:---
[Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools. [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
[Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts. [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
[Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts. [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal. [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.

4
windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
View File

@ -32,7 +32,7 @@ You'll need to configure Splunk so that it can pull Windows Defender ATP alerts.
## Before you begin ## Before you begin
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk. - Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk.
- Make sure you have enabled the **SIEM integration** feature from the **Preferences setup** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values: - Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values:
- OAuth 2 Token refresh URL - OAuth 2 Token refresh URL
@ -105,7 +105,7 @@ You'll need to configure Splunk so that it can pull Windows Defender ATP alerts.
</tr> </tr>
<tr> <tr>
<td>Polling Interval</td> <td>Polling Interval</td>
<td>Number of seconds that Splunk will ping the Windows Defender ATP endpoint. Accepted values are in seconds.</td> <td>Number of seconds that Splunk will ping the Windows Defender ATP machine. Accepted values are in seconds.</td>
</tr> </tr>
<tr> <tr>
<td>Set sourcetype</td> <td>Set sourcetype</td>

6
windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 03/27/2018 ms.date: 04/17/2018
--- ---
# Create custom alerts using the threat intelligence (TI) application program interface (API) # Create custom alerts using the threat intelligence (TI) application program interface (API)
@ -23,7 +23,7 @@ ms.date: 03/27/2018
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink)
@ -59,7 +59,7 @@ For this URL:
Each tenant has a defined quota that limits the number of possible alert definitions, IOCs and another quota for IOCs of Action different than “equals” in the system. If you upload data beyond this quota, you'll encounter an HTTP error status code 507 (Insufficient Storage). Each tenant has a defined quota that limits the number of possible alert definitions, IOCs and another quota for IOCs of Action different than “equals” in the system. If you upload data beyond this quota, you'll encounter an HTTP error status code 507 (Insufficient Storage).
## Request an access token from the token issuing endpoint ## Request an access token from the token issuing endpoint
Windows Defender ATP Threat Intelligence API uses OAuth 2.0. In the context of Windows Defender ATP, the alert definitions are a protected resource. To issue tokens for ad-hoc, non-automatic operations you can use the **Preferences settings** page and click the **Generate Token** button. However, if youd like to create an automated client, you need to use the “Client Credentials Grant” flow. For more information, see the [OAuth 2.0 authorization framework](https://tools.ietf.org/html/rfc6749#section-4.4). Windows Defender ATP Threat Intelligence API uses OAuth 2.0. In the context of Windows Defender ATP, the alert definitions are a protected resource. To issue tokens for ad-hoc, non-automatic operations you can use the **Settings** page and click the **Generate Token** button. However, if youd like to create an automated client, you need to use the “Client Credentials Grant” flow. For more information, see the [OAuth 2.0 authorization framework](https://tools.ietf.org/html/rfc6749#section-4.4).
For more information about the authorization flow, see [OAuth 2.0 authorization flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code#oauth-20-authorization-flow). For more information about the authorization flow, see [OAuth 2.0 authorization flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code#oauth-20-authorization-flow).

46
windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,46 @@
---
title: Update data retention settings for Windows Defender Advanced Threat Protection
description: Update data retention settings by selecting between 30 days to 180 days.
keywords: data, storage, settings, retention, update
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/17/2018
---
# Update data retention settings for Windows Defender ATP
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-gensettings-abovefoldlink)
During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update the data retention settings.
1. In the navigation pane, select **Settings** > **General** > **Data rention**.
2. Select the data retention duration from the drop-down list.
> [!NOTE]
> Other settings are not editable.
3. Click **Save preferences**.
## Related topics
- [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
- [Configure alert notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
- [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
- [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
- [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md)

2
windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
View File

@ -27,7 +27,7 @@ This section covers some of the most frequently asked questions regarding privac
## What data does Windows Defender ATP collect? ## What data does Windows Defender ATP collect?
Microsoft will collect and store information from your configured endpoints in a database specific to the service for administration, tracking, and reporting purposes. Microsoft will collect and store information from your configured machines in a database specific to the service for administration, tracking, and reporting purposes.
Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version). Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version).

8
windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 11/28/2017 ms.date: 04/17/2018
--- ---
# Windows Defender Antivirus compatibility with Windows Defender ATP # Windows Defender Antivirus compatibility with Windows Defender ATP
@ -33,12 +33,12 @@ The Windows Defender Advanced Threat Protection agent depends on Windows Defende
>[!IMPORTANT] >[!IMPORTANT]
>Windows Defender ATP does not adhere to the Windows Defender Antivirus Exclusions settings. >Windows Defender ATP does not adhere to the Windows Defender Antivirus Exclusions settings.
You must configure the signature updates on the Windows Defender ATP endpoints whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode. If an onboarded machine is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.
Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client. Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
The Windows Defender Antivirus interface will be disabled, and users on the endpoint will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options. The Windows Defender Antivirus interface will be disabled, and users on the machine will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options.
For more information, see the [Windows Defender Antivirus and Windows Defender ATP compatibility topic](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). For more information, see the [Windows Defender Antivirus and Windows Defender ATP compatibility topic](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).

8
windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 10/16/2017 ms.date: 04/17/2018
--- ---
# Enable the custom threat intelligence API in Windows Defender ATP # Enable the custom threat intelligence API in Windows Defender ATP
@ -23,13 +23,13 @@ ms.date: 10/16/2017
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink)
Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal. Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal.
1. In the navigation pane, select **Preference Setup** > **Threat intel API**. 1. In the navigation pane, select **Settings** > **APIs** > **Threat intel**.
![Image of threat intel API menu](images/atp-threat-intel-api.png) ![Image of threat intel API menu](images/atp-threat-intel-api.png)
@ -47,7 +47,7 @@ Youll need to use the access token in the Authorization header when doing RES
## Related topics ## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) - [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) - [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) - [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) - [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)

46
windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,46 @@
---
title: Enable Secure Score in Windows Defender ATP
description: Set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard.
keywords: enable secure score, baseline, calculation, analytics, score, secure score dashboard, dashboard
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/17/2018
---
# Enable Secure Score security controls
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations.
>[!NOTE]
>Changes might take up to a few hours to reflect on the dashboard.
1. In the navigation pane, select **Settings** > **General** > **Secure Score**.
![Image of Secure Score controls from Preferences setup menu](images/atp-enable-security-analytics.png)
2. Select the security control, then toggle the setting between **On** and **Off**.
3. Click **Save preferences**.
## Related topics
- [View the Secure Score dashboard](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
- [Update data retention settings for Windows Defender ATP](data-retention-settings-windows-defender-advanced-threat-protection.md)
- [Configure alert notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
- [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
- [Configure advanced features in Windows Defender ATP](/advanced-features-windows-defender-advanced-threat-protection.md)

49
windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md
View File

@ -1,49 +0,0 @@
---
title: Enable Secure score security controls in Windows Defender ATP
description: Set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard.
keywords: secure score, baseline, calculation, score, secure score dashboard, dashboard, windows defender antivirus, av, exploit guard, application guard, smartscreen
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 03/12/2018
---
# Enable Secure score security controls
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations.
>[!NOTE]
>Changes might take up to a few hours to reflect on the dashboard.
1. In the navigation pane, select **Preferences setup** > **Secure score**.
![Image of Secure score controls from Preferences setup menu](images/atp-enable-security-analytics.png)
2. Select the security control, then toggle the setting between **On** and **Off**.
3. Click **Save preferences**.
## Related topics
- [View the Secure score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)

6
windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 11/21/2017 ms.date: 04/17/2018
--- ---
# Enable SIEM integration in Windows Defender ATP # Enable SIEM integration in Windows Defender ATP
@ -29,9 +29,9 @@ ms.date: 11/21/2017
Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API. Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API.
1. In the navigation pane, select **Preferences setup** > **SIEM integration**. 1. In the navigation pane, select **Settings** > **APIs** > **SIEM**.
![Image of SIEM integration from Preferences setup menu](images/atp-siem-integration.png) ![Image of SIEM integration from Settings menu](images/atp-siem-integration.png)
2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. 2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant.

68
windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
View File

@ -1,5 +1,5 @@
--- ---
title: Review events and errors on endpoints with Event Viewer title: Review events and errors using Event Viewer
description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service. description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service.
keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Defender Advanced Threat Protection service, cannot start, broken, can't start keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Defender Advanced Threat Protection service, cannot start, broken, can't start
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
@ -10,11 +10,11 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 10/16/2017 ms.date: 04/17/2018
--- ---
# Review events and errors on endpoints with Event Viewer # Review events and errors using Event Viewer
**Applies to:** **Applies to:**
@ -25,14 +25,14 @@ ms.date: 10/16/2017
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual machines.
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints. For example, if machines are not appearing in the **Machines list**, you might need to look for event IDs on the machines. You can then use this table to determine further troubleshooting steps.
For example, if endpoints are not appearing in the **Machines list**, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
> [!NOTE] > [!NOTE]
> It can take several days for endpoints to begin reporting to the Windows Defender ATP service. > It can take several days for machines to begin reporting to the Windows Defender ATP service.
**Open Event Viewer and find the Windows Defender ATP service event log:** **Open Event Viewer and find the Windows Defender ATP service event log:**
@ -65,7 +65,7 @@ For example, if endpoints are not appearing in the **Machines list**, you might
<tr> <tr>
<td>2</td> <td>2</td>
<td>Windows Defender Advanced Threat Protection service shutdown.</td> <td>Windows Defender Advanced Threat Protection service shutdown.</td>
<td>Occurs when the endpoint is shut down or offboarded.</td> <td>Occurs when the machine is shut down or offboarded.</td>
<td>Normal operating notification; no action required.</td> <td>Normal operating notification; no action required.</td>
</tr> </tr>
<tr> <tr>
@ -91,17 +91,17 @@ The service could not contact the external processing servers at that URL.</td>
<tr> <tr>
<td>6</td> <td>6</td>
<td>Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found.</td> <td>Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found.</td>
<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td> <td>The machine did not onboard correctly and will not be reporting to the portal.</td>
<td>Onboarding must be run before starting the service.<br> <td>Onboarding must be run before starting the service.<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td> See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr> </tr>
<tr> <tr>
<td>7</td> <td>7</td>
<td>Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: ```variable```.</td> <td>Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: ```variable```.</td>
<td>Variable = detailed error description. The endpoint did not onboard correctly and will not be reporting to the portal.</td> <td>Variable = detailed error description. The machine did not onboard correctly and will not be reporting to the portal.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br> <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td> See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr> </tr>
<tr> <tr>
<td>8</td> <td>8</td>
@ -109,28 +109,28 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
<td>**During onboarding:** The service failed to clean its configuration during the onboarding. The onboarding process continues. <br><br> **During offboarding:** The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running. <td>**During onboarding:** The service failed to clean its configuration during the onboarding. The onboarding process continues. <br><br> **During offboarding:** The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.
</td> </td>
<td>**Onboarding:** No action required. <br><br> **Offboarding:** Reboot the system.<br> <td>**Onboarding:** No action required. <br><br> **Offboarding:** Reboot the system.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td> See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr> </tr>
<tr> <tr>
<td>9</td> <td>9</td>
<td>Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: ```variable```.</td> <td>Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: ```variable```.</td>
<td>**During onboarding:** The endpoint did not onboard correctly and will not be reporting to the portal. <br><br>**During offboarding:** Failed to change the service start type. The offboarding process continues. </td> <td>**During onboarding:** The machine did not onboard correctly and will not be reporting to the portal. <br><br>**During offboarding:** Failed to change the service start type. The offboarding process continues. </td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br> <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td> See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr> </tr>
<tr> <tr>
<td>10</td> <td>10</td>
<td>Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```.</td> <td>Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```.</td>
<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td> <td>The machine did not onboard correctly and will not be reporting to the portal.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br> <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td> See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr> </tr>
<tr> <tr>
<td>11</td> <td>11</td>
<td>Onboarding or re-onboarding of Windows Defender Advanced Threat Protection service completed.</td> <td>Onboarding or re-onboarding of Windows Defender Advanced Threat Protection service completed.</td>
<td>The endpoint onboarded correctly.</td> <td>The machine onboarded correctly.</td>
<td>Normal operating notification; no action required.<br> <td>Normal operating notification; no action required.<br>
It may take several hours for the endpoint to appear in the portal.</td> It may take several hours for the machine to appear in the portal.</td>
</tr> </tr>
<tr> <tr>
<td>12</td> <td>12</td>
@ -157,7 +157,7 @@ The service could not contact the external processing servers at that URL.</td>
<td>An error occurred with the Windows telemetry service.</td> <td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled).<br> <td>[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td> See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr> </tr>
<tr> <tr>
<td>18</td> <td>18</td>
@ -181,25 +181,25 @@ If this error persists after a system restart, ensure all Windows updates have f
<tr> <tr>
<td>25</td> <td>25</td>
<td>Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: ```variable```.</td> <td>Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: ```variable```.</td>
<td>The endpoint did not onboard correctly. <td>The machine did not onboard correctly.
It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td> It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br> <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td> See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr> </tr>
<tr> <tr>
<td>26</td> <td>26</td>
<td>Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```.</td> <td>Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```.</td>
<td>The endpoint did not onboard correctly.<br> <td>The machine did not onboard correctly.<br>
It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td> It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br> <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td> See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr> </tr>
<tr> <tr>
<td>27</td> <td>27</td>
<td>Windows Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: ```variable```.</td> <td>Windows Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: ```variable```.</td>
<td>Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td> <td>Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Windows Defender ATP.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br> <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).<br> See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).<br>
Ensure real-time antimalware protection is running properly.</td> Ensure real-time antimalware protection is running properly.</td>
</tr> </tr>
<tr> <tr>
@ -208,14 +208,14 @@ Ensure real-time antimalware protection is running properly.</td>
<td>An error occurred with the Windows telemetry service.</td> <td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).<br> <td>[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td> See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr> </tr>
<tr> <tr>
<td>30</td> <td>30</td>
<td>Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: ```variable```.</td> <td>Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: ```variable```.</td>
<td>Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td> <td>Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Windows Defender ATP.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br> <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br> See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
Ensure real-time antimalware protection is running properly.</td> Ensure real-time antimalware protection is running properly.</td>
</tr> </tr>
<tr> <tr>
@ -233,9 +233,9 @@ Ensure real-time antimalware protection is running properly.</td>
<tr> <tr>
<td>33</td> <td>33</td>
<td>Windows Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```.</td> <td>Windows Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```.</td>
<td>A unique identifier is used to represent each endpoint that is reporting to the portal.<br> <td>A unique identifier is used to represent each machine that is reporting to the portal.<br>
If the identifier does not persist, the same machine might appear twice in the portal.</td> If the identifier does not persist, the same machine might appear twice in the portal.</td>
<td>Check registry permissions on the endpoint to ensure the service can update the registry.</td> <td>Check registry permissions on the machine to ensure the service can update the registry.</td>
</tr> </tr>
<tr> <tr>
<td>34</td> <td>34</td>
@ -243,7 +243,7 @@ If the identifier does not persist, the same machine might appear twice in the p
<td>An error occurred with the Windows telemetry service.</td> <td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).<br> <td>[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td> See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr> </tr>
<tr> <tr>
<td>35</td> <td>35</td>
@ -337,6 +337,6 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-eventerrorcodes-belowfoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-eventerrorcodes-belowfoldlink)
## Related topics ## Related topics
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) - [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender ATP](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender ATP](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

2
windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
View File

@ -152,8 +152,8 @@ This step will guide you in exploring the custom alert in the portal.
## Related topics ## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) - [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) - [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) - [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) - [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)

8
windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
View File

@ -54,7 +54,7 @@ This status indicates that there's limited communication between the machine and
The following suggested actions can help fix issues related to a misconfigured machine with impaired communications: The following suggested actions can help fix issues related to a misconfigured machine with impaired communications:
- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)</br> - [Ensure the machine has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#troubleshoot-onboarding-issues-on-the-machine)</br>
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)</br> - [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)</br>
@ -66,17 +66,17 @@ If you took corrective actions and the machine status is still misconfigured, [o
A misconfigured machine with status No sensor data has communication with the service but can only report partial sensor data. A misconfigured machine with status No sensor data has communication with the service but can only report partial sensor data.
Follow theses actions to correct known issues related to a misconfigured machine with status No sensor data: Follow theses actions to correct known issues related to a misconfigured machine with status No sensor data:
- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)</br> - [Ensure the machine has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#troubleshoot-onboarding-issues-on-the-machine)</br>
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)</br> - [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)</br>
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs. Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
- [Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled)</br> - [Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled)</br>
If the endpoints aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint. If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint.
- [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)</br> - [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)</br>
If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled. If your machines are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).

47
windows/security/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
View File

@ -1,47 +0,0 @@
---
title: Update general Windows Defender Advanced Threat Protection settings
description: Update your general Windows Defender Advanced Threat Protection settings such as data retention or industry after onboarding.
keywords: general settings, settings, update settings
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
---
# Update general Windows Defender ATP settings
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-gensettings-abovefoldlink)
During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu.
1. In the navigation pane, select **Preferences setup** > **General**.
2. Modify settings such as data retention policy or the industry that best describes your organization.
> [!NOTE]
> Other settings are not editable.
3. Click **Save preferences**.
## Related topics
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)

BIN
windows/security/threat-protection/windows-defender-atp/images/Failed.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 862 B

BIN
windows/security/threat-protection/windows-defender-atp/images/No threats found.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1018 B

BIN
windows/security/threat-protection/windows-defender-atp/images/Partially investigated.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.0 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/Partially remediated.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/Pending.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 770 B

BIN
windows/security/threat-protection/windows-defender-atp/images/Remediated.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.0 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/Running.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/Terminated by system.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1011 B

BIN
windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-save-query.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 53 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 70 KiB

After

Width:  |  Height:  |  Size: 80 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-active-investigations-tile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-query.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-results-filter.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 98 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-results-set.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 120 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-alert-details.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 122 KiB

After

Width:  |  Height:  |  Size: 128 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-alert-page.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 434 KiB

After

Width:  |  Height:  |  Size: 398 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-alert-timeline.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 82 KiB

After

Width:  |  Height:  |  Size: 85 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-alert-view.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 93 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 85 KiB

After

Width:  |  Height:  |  Size: 101 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 133 KiB

After

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 89 KiB

After

Width:  |  Height:  |  Size: 87 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-alerts-tile.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 28 KiB

After

Width:  |  Height:  |  Size: 33 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-alertsq2.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 82 KiB

After

Width:  |  Height:  |  Size: 83 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-analyze-auto-ir.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 99 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-approve-reject-action.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 50 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigation-pending.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigations-list.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 67 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-automated-investigations-statistics.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine-user.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 337 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 430 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-block-file.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-community-center.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 944 B

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-conditional-access-numbered.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-conditional-access.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-create-dashboard.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 83 KiB

After

Width:  |  Height:  |  Size: 32 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-9.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 177 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 165 KiB

After

Width:  |  Height:  |  Size: 180 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-delete-query.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.1 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-download-connector.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 58 KiB

After

Width:  |  Height:  |  Size: 32 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 228 KiB

After

Width:  |  Height:  |  Size: 138 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-file-action.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 102 KiB

After

Width:  |  Height:  |  Size: 103 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-filter-advanced-hunting.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 127 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-image.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 101 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-improv-opps-9.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-improv-opps.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 62 KiB

After

Width:  |  Height:  |  Size: 45 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-machine-details-view.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 577 KiB

After

Width:  |  Height:  |  Size: 97 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-machine-details-view2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 88 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-machine-health-details.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 111 KiB

After

Width:  |  Height:  |  Size: 66 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 181 KiB

After

Width:  |  Height:  |  Size: 183 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 106 KiB

After

Width:  |  Height:  |  Size: 89 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 112 KiB

After

Width:  |  Height:  |  Size: 100 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 9.5 KiB

After

Width:  |  Height:  |  Size: 8.7 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-machines-list-view2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 65 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-mapping5.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 165 KiB

After

Width:  |  Height:  |  Size: 116 KiB

Some files were not shown because too many files have changed in this diff Show More