From 6a0988c538d510dfb9206fa45efa0dfe07a30349 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Wed, 10 Mar 2021 18:57:31 +0200 Subject: [PATCH 1/9] Update production-deployment.md Updating the Azure link + region names. --- .../production-deployment.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index 700cdefdad..e159ac7939 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md @@ -235,15 +235,15 @@ If you network devices don't support the URLs listed in the prior section, you c Defender for Endpoint is built on Azure cloud, deployed in the following regions: -- \+\ -- \+\ -- \+\ -- \+\ -- \+\ -- \+\ -- \+\ +- AzureCloud.eastus +- AzureCloud.eastus2 +- AzureCloud.westcentralus +- AzureCloud.northeurope +- AzureCloud.westeurope +- AzureCloud.uksouth +- AzureCloud.ukwest -You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653). +You can find the Azure IP range on [Azure IP Ranges and Service Tags – Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). > [!NOTE] > As a cloud-based solution, the IP address range can change. It's recommended you move to DNS resolving setting. From 0d5061428d4cf41db999287f3ad24b65735cbc8f Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Wed, 10 Mar 2021 19:07:07 +0200 Subject: [PATCH 2/9] Update production-deployment.md Acrolinx. --- .../production-deployment.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index e159ac7939..c889aafd8f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md @@ -1,6 +1,6 @@ --- -title: Set up Microsoft Defender ATP deployment -description: Learn how to setup the deployment for Microsoft Defender ATP +title: Set up Microsoft Defender for Endpoint deployment +description: Learn how to set up the deployment for Microsoft Defender for Endpoint keywords: deploy, setup, licensing validation, tenant configuration, network configuration search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -47,7 +47,7 @@ In this deployment scenario, you'll be guided through the steps on: >[!NOTE] ->For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Defender for Endpoint supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard devices to Microsoft Defender for Endpoint](onboard-configure.md). +>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Defender for Endpoint supports the use of other onboarding tools but won't cover those scenarios in the deployment guide. For more information, see [Onboard devices to Microsoft Defender for Endpoint](onboard-configure.md). ## Check license state 
@@ -59,7 +59,7 @@ Checking for the license state and whether it got properly provisioned, can be d 1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**. - On the screen, you will see all the provisioned licenses and their current **Status**. + On the screen, you'll see all the provisioned licenses and their current **Status**. ![Image of billing licenses](images/atp-billing-subscriptions.png) @@ -93,7 +93,7 @@ When accessing Microsoft Defender Security Center for the first time, a wizard t 4. Set up preferences. - **Data storage location** - It's important to set this up correctly. Determine where the customer wants to be primarily hosted: US, EU, or UK. You cannot change the location after this set up and Microsoft will not transfer the data from the specified geolocation. + **Data storage location** - It's important to set this up correctly. Determine where the customer wants to be primarily hosted: US, EU, or UK. You can't change the location after this set up and Microsoft won't transfer the data from the specified geolocation. **Data retention** - The default is six months. @@ -109,7 +109,7 @@ When accessing Microsoft Defender Security Center for the first time, a wizard t ## Network configuration -If the organization does not require the endpoints to use a Proxy to access the +If the organization doesn't require the endpoints to use a Proxy to access the Internet, skip this section. The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to 
@@ -127,12 +127,12 @@ the following discovery methods: - Web Proxy Autodiscovery Protocol (WPAD) -If a Transparent proxy or WPAD has been implemented in the network topology, +If a Transparent proxy or WPAD has been implemented in the network topology, there is no need for special configuration settings. For more information on Microsoft Defender for Endpoint URL exclusions in the proxy, see the Appendix section in this document for the URLs allow list or on [Microsoft -Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). +Docs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). > [!NOTE] > For a detailed list of URLs that need to be allowed, please see [this article](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus). From efc0f56eceeae915f143a95938c9de2933c63742 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Wed, 10 Mar 2021 19:17:24 +0200 Subject: [PATCH 3/9] Update production-deployment.md --- .../microsoft-defender-atp/production-deployment.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index c889aafd8f..6843a5298e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md 
@@ -130,12 +130,8 @@ the following discovery methods: If a Transparent proxy or WPAD has been implemented in the network topology, there is no need for special configuration settings. For more information on Microsoft Defender for Endpoint URL exclusions in the proxy, see the -Appendix section in this document for the URLs allow list or on -[Microsoft -Docs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). - -> [!NOTE] -> For a detailed list of URLs that need to be allowed, please see [this article](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus). +[Proxy Service URLs](production-deployment.md#proxy-service-urls) section in this document for the URLs allow list or on +[Configure device proxy and Internet connectivity settings](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). **Manual static proxy configuration:** From bf4750b522b8cce3d89783192562243db56e8a0e Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Wed, 10 Mar 2021 19:34:06 +0200 Subject: [PATCH 4/9] Update gov.md --- .../microsoft-defender-atp/gov.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index ad6e8b4bf1..985f1d4595 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md 
@@ -23,7 +23,7 @@ ms.technology: mde **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) -Microsoft Defender for Endpoint for US Government customers, built in the US Azure Government environment, uses the same underlying technologies as Defender for Endpoint in Azure Commercial. +Microsoft Defender for Endpoint for US Government customers, built in the Azure US Government environment, uses the same underlying technologies as Defender for Endpoint in Azure Commercial. This offering is available to GCC, GCC High, and DoD customers and is based on the same prevention, detection, investigation, and remediation as the commercial version. However, there are some differences in the availability of capabilities for this offering. @@ -124,6 +124,20 @@ For more information, see [Configure device proxy and Internet connectivity sett > > When filtering, look for the records labeled as "US Gov" and your specific cloud under the geography column. +### Service backend IP ranges + +If your network devices don't support DNS rules and you can't use the URLs listed in the spreadsheet above, use IP ranges instead. + +Defender for Endpoint for US Government customers is built in the Azure US Government environment, deployed in the following regions: + +- AzureCloud.usgovtexas +- AzureCloud.usgovvirginia + +You can find the Azure IP ranges in [Azure IP Ranges and Service Tags – US Government Cloud](https://www.microsoft.com/download/details.aspx?id=57063). + +> [!NOTE] +> As a cloud-based solution, the IP address ranges can change. It's recommended you move to a DNS resolving setting. +
## API @@ -138,7 +152,7 @@ SIEM | `https://wdatp-alertexporter-us.gcc.securitycenter.windows.us` | `https:/
## Feature parity with commercial -Defender for Endpoint doesn't have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available we want to highlight. +Defender for Endpoint for US Government customers doesn't have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available we want to highlight. These are the known gaps as of March 2021: From 8e64878b239d79c2c073080752729eaa96b2c9b0 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Wed, 10 Mar 2021 19:39:18 +0200 Subject: [PATCH 5/9] Update gov.md --- .../security/threat-protection/microsoft-defender-atp/gov.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 985f1d4595..3a35ff95fa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -126,7 +126,7 @@ For more information, see [Configure device proxy and Internet connectivity sett ### Service backend IP ranges -If your network devices don't support DNS rules and you can't use the URLs listed in the spreadsheet above, use IP ranges instead. +If your network devices don't support DNS-based rules, use IP ranges instead. Defender for Endpoint for US Government customers is built in the Azure US Government environment, deployed in the following regions: From 91b644f5abc8aa85b18d3a959deb756419897db7 Mon Sep 17 00:00:00 2001 
From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Wed, 10 Mar 2021 19:44:16 +0200 Subject: [PATCH 6/9] Update gov.md --- .../security/threat-protection/microsoft-defender-atp/gov.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 3a35ff95fa..e4709b7cc2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -136,7 +136,7 @@ Defender for Endpoint for US Government customers is built in the Azure US Gover You can find the Azure IP ranges in [Azure IP Ranges and Service Tags – US Government Cloud](https://www.microsoft.com/download/details.aspx?id=57063). > [!NOTE] -> As a cloud-based solution, the IP address ranges can change. It's recommended you move to a DNS resolving setting. +> As a cloud-based solution, the IP address ranges can change. It's recommended you move to a DNS-based rules.
From 3fa9f998c30481dea4158f7b93cc8120a582a2b0 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Wed, 10 Mar 2021 19:47:20 +0200 Subject: [PATCH 7/9] Update production-deployment.md --- .../microsoft-defender-atp/production-deployment.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index 6843a5298e..3abbeec81e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md @@ -225,11 +225,11 @@ The following downloadable spreadsheet lists the services and their associated U |![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)
| Spreadsheet of specific DNS records for service locations, geographic locations, and OS.

[Download the spreadsheet here.](https://download.microsoft.com/download/8/a/5/8a51eee5-cd02-431c-9d78-a58b7f77c070/mde-urls.xlsx) -### Microsoft Defender for Endpoint service backend IP range +### Microsoft Defender for Endpoint service backend IP ranges -If you network devices don't support the URLs listed in the prior section, you can use the following information. +If your network devices don't support DNS-based rules, use IP ranges instead. -Defender for Endpoint is built on Azure cloud, deployed in the following regions: +Defender for Endpoint is built in Azure cloud, deployed in the following regions: - AzureCloud.eastus - AzureCloud.eastus2 @@ -239,10 +239,13 @@ Defender for Endpoint is built on Azure cloud, deployed in the following regions - AzureCloud.uksouth - AzureCloud.ukwest -You can find the Azure IP range on [Azure IP Ranges and Service Tags – Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). +You can find the Azure IP ranges in [Azure IP Ranges and Service Tags – Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). > [!NOTE] -> As a cloud-based solution, the IP address range can change. It's recommended you move to DNS resolving setting. +> As a cloud-based solution, the IP address ranges can change. It's recommended you move to a DNS-based rules. + +> [!NOTE] +> If you are a US Government customer, please see the corresponding section in the [Defender for Endpoint for US Government](gov.md#service-backend-ip-ranges) page. ## Next step From 0943de90581534c2bd10e626df26f73031ac6ab4 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Wed, 10 Mar 2021 19:47:50 +0200 Subject: [PATCH 8/9] Update gov.md --- .../security/threat-protection/microsoft-defender-atp/gov.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index e4709b7cc2..e40a3ed5d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -136,7 +136,7 @@ Defender for Endpoint for US Government customers is built in the Azure US Gover You can find the Azure IP ranges in [Azure IP Ranges and Service Tags – US Government Cloud](https://www.microsoft.com/download/details.aspx?id=57063). > [!NOTE] -> As a cloud-based solution, the IP address ranges can change. It's recommended you move to a DNS-based rules. +> As a cloud-based solution, the IP address ranges can change. It's recommended you move to DNS-based rules.
From 9b5ce2ca19d56ba9e3265dc1656fa12033abadcd Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Wed, 10 Mar 2021 19:48:14 +0200 Subject: [PATCH 9/9] Update production-deployment.md --- .../microsoft-defender-atp/production-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index 3abbeec81e..5a69318c36 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md @@ -242,7 +242,7 @@ Defender for Endpoint is built in Azure cloud, deployed in the following regions You can find the Azure IP ranges in [Azure IP Ranges and Service Tags – Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). > [!NOTE] -> As a cloud-based solution, the IP address ranges can change. It's recommended you move to a DNS-based rules. +> As a cloud-based solution, the IP address ranges can change. It's recommended you move to DNS-based rules. > [!NOTE] > If you are a US Government customer, please see the corresponding section in the [Defender for Endpoint for US Government](gov.md#service-backend-ip-ranges) page.
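
Review bot: in [PATCH 1/9], hunk `@@ -235,15 +235,15 @@`, the sentence "deployed in the following regions" is now followed by service tag names (`AzureCloud.eastus`, `AzureCloud.eastus2`, ...) rather than region names, and nothing tells the reader that these are the entries to look up in the linked Service Tags download. Suggest saying so in the lead-in sentence and putting the tag names in code formatting so they are copied exactly into firewall rules.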
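
Review bot: in [PATCH 2/9], hunk `@@ -93,7 +93,7 @@`, the rewritten line still reads "You can't change the location after this set up"; used as a noun this should be "setup", and the same patch already corrects the verb form to "set up" in the description. This line carries the warning that the data storage location is permanent, so it is worth fixing while the line is being touched.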
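
Review bot: in [PATCH 3/9], hunk `@@ -130,12 +130,8 @@`, the new sentence ends "for the URLs allow list or on [Configure device proxy and Internet connectivity settings]", where "or on" is left over from "or on Microsoft Docs" and no longer parses; suggest "or see". The hunk also removes the NOTE that linked to the Microsoft Defender Antivirus network connections article without a replacement, so confirm those URLs are covered by the Proxy Service URLs section before dropping the pointer.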
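
Review bot: in [PATCH 4/9], hunk `@@ -124,6 +124,20 @@`, the closing NOTE only tells readers to move to DNS, but the section opens by addressing readers whose network devices don't support DNS rules, so they get no guidance on keeping IP-based rules current once "the IP address ranges can change". Suggest adding that the linked ranges file should be re-downloaded and the rules refreshed regularly. The matching NOTE in production-deployment.md has the same gap.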
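
Review bot: in [PATCH 6/9], the replacement line reads "It's recommended you move to a DNS-based rules", a singular article with a plural noun. [PATCH 7/9] copies the same wording into production-deployment.md, and [PATCH 8/9] and [PATCH 9/9] exist only to remove the "a". Suggest squashing those two fixes into 6/9 and 7/9 so the series never carries the intermediate error.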
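
Review bot: in [PATCH 7/9], hunk `@@ -225,11 +225,11 @@`, renaming the heading from "...service backend IP range" to "...service backend IP ranges" changes its generated anchor, and this series already depends on heading anchors for cross-links (`gov.md#service-backend-ip-ranges`, `production-deployment.md#proxy-service-urls`). Check for inbound links to the old singular anchor and update them in the same patch.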
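
Review bot: in [PATCH 7/9], hunk `@@ -239,10 +239,13 @@`, the added NOTE "If you are a US Government customer, please see the corresponding section" does not follow the style pass applied in [PATCH 2/9] (contractions, no filler): suggest "If you're a US Government customer, see the corresponding section". It also creates two back-to-back NOTE blocks; consider folding the US Government pointer into the paragraph that introduces the IP ranges so readers see it before they copy the public-cloud tags.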