Merge branch 'master' into lsaldanha-4620497-batch10

Lovina Saldanha 2021-01-13 15:27:49 +05:30 committed by GitHub
commit 6e8ffc58c3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
65 changed files with 979 additions and 1277 deletions

View File

@ -390,7 +390,7 @@
"elizapo@microsoft.com"
],
"sync_notification_subscribers": [
"daniha@microsoft.com"
"dstrome@microsoft.com"
],
"branches_to_filter": [
""
@ -431,9 +431,9 @@
"template_folder": "_themes.pdf"
}
},
"need_generate_pdf": false,
"need_generate_intellisense": false,
"docs_build_engine": {
"name": "docfx_v3"
}
},
"need_generate_pdf": false,
"need_generate_intellisense": false
}

View File

@ -1534,6 +1534,11 @@
"source_path": "windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md",
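Review bot: the new entry creates a two-hop redirect. The preceding entry still sends `windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection.md` to `.../microsoft-defender-atp/get-machinegroups-collection` with `"redirect_document_id": true`, and that target is now itself redirected by the new entry to `.../microsoft-defender-atp/exposed-apis-list`. Point the older entry's `redirect_url` directly at the `exposed-apis-list` page so readers are not bounced twice, and reconsider its `"redirect_document_id": true`, since the document ID would now be handed to a page that only exists as a redirect stub.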
@ -16505,6 +16510,11 @@
"redirect_url": "https://docs.microsoft.com/mem/autopilot/windows-autopilot",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/mbsa-removal-and-guidance.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection",
"redirect_document_id": true
},
{
"source_path": "windows/hub/windows-10.yml",
"redirect_url": "https://docs.microsoft.com/windows/windows-10",
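Review bot: `"redirect_document_id": true` on the new `mbsa-removal-and-guidance.md` entry transfers that page's document ID to the generic `windows/security/threat-protection` section landing page, which is the opposite of the pattern used earlier in this file, where a page redirected to a list page gets `"redirect_document_id": false`. Unless the landing page is meant to inherit the MBSA page's identity (and its inbound links and metrics), set this to `false`. Note also that the redirect target is the section hub rather than a successor article, so whatever guidance the MBSA removal page carried is no longer reachable through this redirect; if readers still need it, point them at the page that now holds it.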

View File

@ -390,6 +390,26 @@ Intune tamper protection setting UX supports three states:
When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
<a href="" id="configuration-disablelocaladminmerge"></a>**Configuration/DisableLocalAdminMerge**<br>
This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions.
If you disable or do not configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, management settings will override preference settings.
If you enable this setting, only items defined by management will be used in the resulting effective policy. Managed settings will override preference settings configured by the local administrator.
> [!NOTE]
> Applying this setting will not remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in **Get-MpPreference**.
Supported OS versions: Windows 10
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Valid values are:
- 1 Enable.
- 0 (default) Disable.
<a href="" id="configuration-enablefilehashcomputation"></a>**Configuration/EnableFileHashComputation**
Enables or disables file hash computation feature.
When this feature is enabled Windows defender will compute hashes for files it scans.
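Review bot: the note on `Get-MpPreference` in the new **Configuration/DisableLocalAdminMerge** section is ambiguous: once the setting is enabled, does the cmdlet still show the locally defined exclusions that are no longer applied, or only the effective managed list? Say which, because an administrator who checks the cmdlet's exclusion output to verify the policy needs to know whether a locally added path appearing there means the policy failed. The opening sentence of the hunk also needs rewording: "When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly." should read along the lines of "If the setting is already enabled or disabled on the client and the admin moves it to Not configured, the device state does not change; to change it, set it explicitly to enabled or disabled." Finally, the description only says that lists are merged; it would help to state plainly that at the default (0) a local administrator can add threat and exclusion entries that managed policy never sees, which is the reason to enable this on managed devices.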

View File

@ -44,7 +44,8 @@ In Windows, after the user confirms the account deletion command and before the
This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work.
> **Note**  The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526).
> [!NOTE]
> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).
 
The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**.
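Review bot: the replacement link does not match the specification cited on the same line. The text names `OMA-TS-DM_Protocol-V1_2_1-20080617-A`, but the new URL `https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/` is the DM 1.1.2 release from 2003. A reader following this link for the 1226 generic alert lands on the wrong protocol version; either link to the OMA release page for the V1_2_1 (2008) specification, if OMA publishes it under the same path, or keep the original fwlink until the correct target is confirmed. The conversion of the `> **Note**` line to `> [!NOTE]` is fine.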
@ -157,4 +158,3 @@ When the disconnection is completed, the user is notified that the device has be

View File

@ -281,25 +281,6 @@ Valid values:
Value type is bool. Supported operations include Get, Add, Replace, and Delete.
<a href="" id="vpnv2-profilename-lockdown"></a>**VPNv2/**<em>ProfileName</em>**/LockDown** (./Device only profile)
Lockdown profile.
Valid values:
- False (default) - this is not a LockDown profile.
- True - this is a LockDown profile.
When the LockDown profile is turned on, it does the following things:
- First, it automatically becomes an "always on" profile.
- Second, it can never be disconnected.
- Third, if the profile is not connected, then the user has no network.
- Fourth, no other profiles may be connected or modified.
A Lockdown profile must be deleted before you can add, remove, or connect other profiles.
Value type is bool. Supported operations include Get, Add, Replace, and Delete.
<a href="" id="vpnv2-profilename-devicetunnel"></a>**VPNv2/**<em>ProfileName</em>**/DeviceTunnel** (./Device only profile)
Device tunnel profile.
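Review bot: this hunk deletes the entire `VPNv2/ProfileName/LockDown` entry, including its anchor `id="vpnv2-profilename-lockdown"`, with nothing left in its place. If the node is being removed because it is no longer supported, keep a one-line entry saying so and from which release, since administrators with existing LockDown profiles need to know that "it can never be disconnected" and "if the profile is not connected, then the user has no network" no longer describe the device, and since any existing links to the anchor now break. If the node still works and the text is simply moving, preserve the anchor at the new location.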

View File

@ -81,7 +81,7 @@ The following OU structure is used in this guide. Instructions are provided [bel
These steps assume that you have the MDT01 member server running and configured as a domain member server.
On **MTD01**:
On **MDT01**:
Visit the [Download and install the Windows ADK](https://go.microsoft.com/fwlink/p/?LinkId=526803) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you will need to create this folder):
- [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042)

View File

@ -93,7 +93,7 @@ You can run the changepk.exe command-line tool to upgrade devices to a supported
`changepk.exe /ProductKey <enter your new product key here>`
You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v%3dws.11)). For example, the following command will upgrade to Windows 10 Enterprise.
You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/windows-server/get-started/kmsclientkeys). For example, the following command will upgrade to Windows 10 Enterprise.
`Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43`

View File

@ -390,7 +390,7 @@ Windows Insider Preview builds only apply to Windows 10 and are not available fo
> [!NOTE]
> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**.
> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Optional (Full)**. Although the diagnostic data level may initially appear as **Required (Basic)**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Optional (Full)**.
To turn off Insider Preview builds for a released version of Windows 10:
@ -1302,7 +1302,7 @@ To change how frequently **Windows should ask for my feedback**:
To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**:
- Click either the **Basic** or **Full** options.
- Click either the **Required (Basic)** or **Optional (Full)** options.
-or-

View File

@ -14,6 +14,7 @@ ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/17/2020
---
# Manage connection endpoints for Windows 10 Enterprise, version 20H2
**Applies to**
@ -62,7 +63,7 @@ The following methodology was used to derive these network endpoints:
|||HTTPS|s-ring.msedge.net|
|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*|
|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval)|
|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
|||HTTP|dmd.metaservices.microsoft.com|
|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com|
@ -70,7 +71,7 @@ The following methodology was used to derive these network endpoints:
|||HTTP|www.microsoft.com|
||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com|
|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming)|
|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|
|||HTTPS|fs.microsoft.com|
|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)|
|||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com|
@ -85,8 +86,7 @@ The following methodology was used to derive these network endpoints:
|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2|1storecatalogrevocation.storequality.microsoft.com|
|||HTTPS/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com|
|||HTTPS|pti.store.microsoft.com|
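Review bot: after folding the misspelled `1storecatalogrevocation.storequality.microsoft.com` row into the `storecatalogrevocation.storequality.microsoft.com` row, the description still opens with "The following endpoints are used" but now lists a single host and then switches to "traffic for this endpoint"; make it singular throughout. The same closing sentence, "Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them", is also present in the image-files row two lines above, where it is not obviously true of an image CDN endpoint (`img-prod-cms-rt-microsoft-com.akamaized.net`); either remove it from that row or explain why blocking image downloads affects license revocation.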
@ -128,9 +128,9 @@ The following methodology was used to derive these network endpoints:
|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store)|
|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||HTTPS|dlassets-ssl.xboxlive.com|
|
## Other Windows 10 editions
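Review bot: the lone `|` line between the `dlassets-ssl.xboxlive.com` row and the `## Other Windows 10 editions` heading is not a valid table row and will render as a stray character or an empty row; remove it. Separately, the Xbox Live row's "Learn how to turn off traffic" link now points at `#26-microsoft-store`, the same anchor the Microsoft Store row uses; if the companion page has a section of its own for Xbox Live, link to that instead.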

View File

@ -20,7 +20,7 @@ ms.reviewer:
## Applies to
- Windows 10
- Windows 10 Enterprise
- Windows Server 2016
For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
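Review bot: changing "Windows 10" to "Windows 10 Enterprise" in the Applies to list narrows the stated scope without a matching change in the body, which still speaks generically of "the computers you are protecting". If Enterprise is the only client edition that supports Windows Defender Credential Guard, say so in the requirements text as well; if other editions are also supported, list them here rather than implying they are excluded.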
@ -135,7 +135,7 @@ The following table lists qualifications for Windows 10, version 1703, which are
|Protections for Improved Security|Description|Security Benefits
|---|---|---|
|Firmware: **VBS enablement of No-Execute (NX) protection for UEFI runtime services**|**Requirements**: </br> - VBS will enable NX protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. UEFI runtime service must meet these requirements: </br> - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. </br> - PE sections must be page-aligned in memory (not required for in non-volatile storage). </br> - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS: </br> - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both. </br> - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. </br> (**SEE IMPORTANT INFORMATION AFTER THIS TABLE**)|Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) </br> - Reduces the attack surface to VBS from system firmware.|
|Firmware: **VBS enablement of No-Execute (NX) protection for UEFI runtime services**|**Requirements**: </br> - VBS will enable NX protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. UEFI runtime service must meet these requirements: </br> - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. </br> - PE sections must be page-aligned in memory (not required for in non-volatile storage). </br> - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS: </br> - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both. </br> - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writable and non-executable. </br> (**SEE IMPORTANT INFORMATION AFTER THIS TABLE**)|Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) </br> - Reduces the attack surface to VBS from system firmware.|
|Firmware: **Firmware support for SMM protection**|**Requirements**: </br> - The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an ACPI table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.|- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) </br> - Reduces the attack surface to VBS from system firmware. </br> - Blocks additional security attacks against SMM.|
> [!IMPORTANT]
@ -148,7 +148,7 @@ The following table lists qualifications for Windows 10, version 1703, which are
>
> Please also note the following:
>
> - Do not use sections that are both writeable and executable
> - Do not use sections that are both writable and executable
>
> - Do not attempt to directly modify executable system memory
>

View File

@ -732,11 +732,11 @@ function IsDomainController
function CheckOSSKU
{
$osname = $((gwmi win32_operatingsystem).Name).ToLower()
$osname = $((Get-ComputerInfo).WindowsProductName).ToLower()
$_SKUSupported = 0
Log "OSNAME:$osname"
$SKUarray = @("Enterprise", "Education", "IoT", "Windows Server")
$HLKAllowed = @("microsoft windows 10 pro")
$HLKAllowed = @("windows 10 pro")
foreach ($SKUent in $SKUarray)
{
if($osname.ToString().Contains($SKUent.ToLower()))
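Review bot: swapping `(gwmi win32_operatingsystem).Name` for `(Get-ComputerInfo).WindowsProductName` changes two things the rest of `CheckOSSKU` depends on. First, `Get-ComputerInfo` exists only in PowerShell 5.1 and later (Windows 10 and Windows Server 2016 onward) and gathers dozens of properties, so it is noticeably slower than the single WMI query it replaces; since `$SKUarray` still lists "Windows Server", confirm the script is not expected to run on older servers where this call throws. `(Get-CimInstance Win32_OperatingSystem).Caption` returns the product name without the boot-partition suffix that `.Name` carries and runs wherever the original did. Second, `$HLKAllowed` was shortened to "windows 10 pro" to fit the new output; because the comparison uses `.Contains(...)` (visible in the `foreach` below), that substring also matches "Windows 10 Pro for Workstations" and "Windows 10 Pro Education", so if the HLK exception is meant for plain Pro only, compare the full product name with `-eq` instead.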

View File

@ -15,7 +15,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 03/05/2020
ms.date: 01/12/2021
---
# Windows Hello biometrics in the enterprise
@ -53,7 +53,7 @@ The biometric data used to support Windows Hello is stored on the local device o
## Has Microsoft set any device requirements for Windows Hello?
We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:
- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm.
- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regard to the security of the biometric algorithm.
- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection.
@ -81,6 +81,10 @@ To allow facial recognition, you must have devices with integrated special infra
- Effective, real world FRR with Anti-spoofing or liveness detection: &lt;10%
> [!NOTE]
>Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock you device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesnt allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint.
## Related topics
- [Windows Hello for Business](hello-identity-verification.md)
- [How Windows Hello for Business works](hello-how-it-works.md)
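Review bot: two typos in the added note: "unlock you device" should be "unlock your device" and "doesnt" should be "doesn't". The same paragraph is added word for word to the Windows Hello for Business FAQ in this commit; keeping one copy and linking to it from the other avoids the two drifting apart.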

View File

@ -39,9 +39,9 @@ A new Active Directory Federation Services farm should have a minimum of two fed
Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing.
> [!NOTE]
>For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
> For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
>
> 1. Launch AD FS management console. Brose to "Services > Scope Descriptions".
> 1. Launch AD FS management console. Browse to "Services > Scope Descriptions".
> 2. Right click "Scope Descriptions" and select "Add Scope Description".
> 3. Under name type "ugs" and Click Apply > OK.
> 4. Launch PowerShell as an administrator.

View File

@ -14,7 +14,7 @@ metadata:
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
ms.date: 01/12/2021
ms.reviewer:
title: Windows Hello for Business Frequently Asked Questions (FAQ)
@ -138,6 +138,10 @@ sections:
answer: |
Starting in Windows 10, version 1709, you can use multi-factor unlock to require users to provide an additional factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md).
- question: Can I wear a mask to enroll or unlock using Windows Hello face authentication?
answer: |
Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock you device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesnt allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint.
- question: What's the difference between Windows Hello and Windows Hello for Business?
answer: |
Windows Hello represents the biometric framework provided in Windows 10. Windows Hello lets users use biometrics to sign in to their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate.
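Review bot: same typos as the biometrics page copy of this text: "unlock you device" should be "unlock your device" and "doesnt" should be "doesn't". The answer also says the product group "is investigating this topic further", a status statement that will go stale in a FAQ; phrase the guidance itself (remove the mask to enroll or unlock, or fall back to PIN or fingerprint) without the status update.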

View File

@ -16,9 +16,10 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
# Using Certificates for AADJ On-premises Single-sign On
**Applies to**
**Applies to:**
- Windows 10
- Azure Active Directory joined
- Hybrid Deployment
@ -55,7 +56,7 @@ The Network Device Enrollment Service (NDES) server role can issue up to three u
- Encryption
- Signature and Encryption
If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificates templates to reduce the number of certificate templates.
If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificate templates to reduce the number of certificate templates.
### Network Requirements
All communication occurs securely over port 443.
@ -65,7 +66,7 @@ Successful authentication to on-premises resources using a certificate requires
Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller.
To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules need to for these attributes.
To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules needed for these attributes.
### Verify AAD Connect version
Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_.
@ -100,8 +101,8 @@ Sign-in to a domain controller or management workstation with access equivalent
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. Open **Active Directory Users and Computers**.
2. Expand the domain node from the navigation pane.
3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**.
2. Expand the domain node from the navigation pane.
3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**.
4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog.
> [!NOTE]
@ -121,7 +122,7 @@ Sign-in to a domain controller or management workstation with access equivalent
> Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires.
### Create the NDES Service User Rights Group Policy object
The Group Policy object ensures the NDES Service account has the proper user right assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through Group Policy.
The Group Policy object ensures the NDES Service account has the proper user right to assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through the Group Policy.
Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
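Review bot: the reworded sentence still says the opposite of what the procedure does: "has the proper user right to assign all the NDES servers" reads as if the service account assigns servers. The intent, given the next sentence about servers added to the group automatically receiving the rights, is that the GPO assigns the service account the required user right on every NDES server in the **NDES Servers** group; suggest "The Group Policy object ensures the NDES Service account is assigned the proper user rights on all the NDES servers in the **NDES Servers** group." Also drop the article in "through the Group Policy".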
@ -138,7 +139,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
11. Close the **Group Policy Management Editor**.
### Configure security for the NDES Service User Rights Group Policy object
The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group.
The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group.
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
@ -177,7 +178,7 @@ When deploying certificates using Microsoft Intune, you have the option of provi
Sign-in to the issuing certificate authority with access equivalent to _local administrator_.
1. Open and elevated command prompt. Type the command
1. Open an elevated command prompt and type the following command:
```
certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
```
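Review bot: the fence introduced for `certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE` has no language tag, so it renders differently from tagged blocks; tagging it (for example ```cmd) keeps the backslash in `Policy\EditFlags` rendering as typed. Separately, please confirm the steps that follow this hunk restart the CA service, because EditFlags values written with `certutil -setreg` take effect only when Certificate Services starts; if no restart step exists, add one after this command.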
@ -188,35 +189,41 @@ NDES uses a server authentication certificate to authenticate the server endpoin
Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**.
4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
**Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
5. On the **Subject** tab, select **Supply in the request**.
6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**.
7. On the **Security** tab, click **Add**.
8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**.
9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
10. Click on the **Apply** to save changes and close the console.
> [!NOTE]
> If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
5. On the **Subject** tab, select **Supply in the request**.
6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**.
7. On the **Security** tab, click **Add**.
8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**.
9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
10. Click on the **Apply** to save changes and close the console.
### Create an Azure AD joined Windows Hello for Business authentication certificate template
During Windows Hello for Business provisioning, Windows 10 requests an authentication certificate from the Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server.
During Windows Hello for Business provisioning, Windows 10 requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server.
Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
**Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
> [!NOTE]
> If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
8. On the **Subject** tab, select **Supply in the request**.
9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**.
10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**.
12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for the **Read**, **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
13. Close the console.
### Publish certificate templates
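Review bot: the second template procedure still jumps from step 10 to step 12 (there is no step 11) on both the removed and the added line, so the renumbering should be fixed while this line is being edited. On the same added line, "Permissions for NDES Servers" does not match the object added in step 10, which is **NDESSvc**; the dialog caption should read "Permissions for NDESSvc". Minor: the first procedure says "click **Apply** to save changes and close the console", but Apply does not close the Certificate Templates console; "click **OK**" matches the step as written everywhere else on the page.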
@ -270,8 +277,8 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
* **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility**
![Server Manager Web Server Role](images/aadjcert/servermanager-adcs-webserver-role.png)
9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**.
> [!Important]
> The .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \<driveLetter>:\\Sources\SxS\
> [!IMPORTANT]
> .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \<driveLetter>:\\Sources\SxS\
![.NET Side by Side](images/aadjcert/dotNet35sidebyside.png)
### Configure the NDES service account
@ -280,19 +287,23 @@ This task adds the NDES service account to the local IIS_USRS group. The task a
#### Add the NDES service account to the IIS_USRS group
Sign-in the NDES server with access equivalent to _local administrator_.
1. Start the **Local Users and Groups** management console (lusrmgr.msc).
1. Start the **Local Users and Groups** management console (`lusrmgr.msc`).
2. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group.
3. In the **IIS_IUSRS Properties** dialog box, click **Add**. Type **NDESSvc** or the name of your NDES service account. Click **Check Names** to verify the name and then click **OK**. Click **OK** to close the properties dialog box.
4. Close the management console.
#### Register a Service Principal Name on the NDES Service account
Sign-in the NDES server with a access equivalent to _Domain Admins_.
Sign-in the NDES server with access equivalent to _Domain Admins_.
1. Open an elevated command prompt.
2. Type the following command to register the service principal name<br>
```setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]```<br>
where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following.<br>
```setspn -s http/ndes.corp.contoso.com contoso\ndessvc```
2. Type the following command to register the service principal name
```
setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]
```
where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following:
```
setspn -s http/ndes.corp.contoso.com contoso\ndessvc
```
> [!NOTE]
> If you use the same service account for multiple NDES Servers, repeat the following task for each NDES server under which the NDES service runs.
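Review bot: inside the new fenced block the placeholder still carries the markdown escape, `[DomainName\\NdesServiceAccount]`; backslashes are literal in a fence, so readers now see a double backslash that does not match the single-backslash example `contoso\ndessvc` a few lines below, and the prose explanation "separated by a backslash (\\)" has the same problem. Drop the extra backslashes. Also, the hunk header and the "#### Add the NDES service account to the IIS_USRS group" heading and intro say IIS_USRS, while the steps correctly use IIS_IUSRS; fix the group name in both places.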
@ -306,16 +317,16 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
1. Open **Active Directory Users and Computers**
2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab.
![NDES Delegation Tab](images/aadjcert/ndessvcdelegationtab.png)
![NDES Delegation Tab](images/aadjcert/ndessvcdelegationtab.png)
3. Select **Trust this user for delegation to specified services only**.
4. Select **Use any authentication protocol**.
5. Click **Add**.
6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services** list, select **HOST**. Click **OK**.
![NDES Service delegation to NDES host](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
7. Repeat steps 5 and 6 for each NDES server using this service account.8. Click **Add**.
![NDES Service delegation to NDES host](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**.
8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**.
9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
![NDES Service delegation complete](images/aadjcert/ndessvcdelegation-host-ca-spn.png)
![NDES Service delegation complete](images/aadjcert/ndessvcdelegation-host-ca-spn.png)
10. Click **OK**. Close **Active Directory Users and Computers**.
### Configure the NDES Role and Certificate Templates
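Review bot: the merged step 7 now ends with "Click **Add**", but step 9 still says "Repeat steps 8 and 9 for each issuing certificate authority", which refers to itself; it should read "Repeat step 8" (or "steps 7 and 8" if the Add click stays in step 7). The context line in step 6 also keeps the typo "Avaiable services"; step 8 spells the same list "Available services".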
@ -331,50 +342,54 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
1. Click the **Configure Active Directory Certificate Services on the destination server** link.
2. On the **Credentials** page, click **Next**.
![NDES Installation Credentials](images/aadjcert/ndesconfig01.png)
![NDES Installation Credentials](images/aadjcert/ndesconfig01.png)
3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next**
![NDES Role Services](images/aadjcert/ndesconfig02.png)
4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...** Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**.
![NDES Service Account for NDES](images/aadjcert/ndesconfig03b.png)
![NDES Role Services](images/aadjcert/ndesconfig02.png)
4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**.
![NDES Service Account for NDES](images/aadjcert/ndesconfig03b.png)
5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**.
![NDES CA selection](images/aadjcert/ndesconfig04.png)
![NDES CA selection](images/aadjcert/ndesconfig04.png)
6. On the **RA Information**, click **Next**.
7. On the **Cryptography for NDES** page, click **Next**.
8. Review the **Confirmation** page. Click **Configure**.
![NDES Confirmation](images/aadjcert/ndesconfig05.png)
![NDES Confirmation](images/aadjcert/ndesconfig05.png)
8. Click **Close** after the configuration completes.
#### Configure Certificate Templates on NDES
A single NDES server can request a maximum of three certificate template. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values.
A single NDES server can request a maximum of three certificate templates. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values.
* Digital Signature
* Key Encipherment
* Key Encipherment, Digital Signature
Each value maps to a registry value name in the NDES server. The NDES server translate an incoming SCEP provide value into the correspond certificate template. The table belows shows the SCEP profile value to the NDES certificate template registry value name
Each value maps to a registry value name in the NDES server. The NDES server translates an incoming SCEP provided value into the corresponding certificate template. The table below shows the SCEP profile values of the NDES certificate template registry value names.
|SCEP Profile Key usage| NDES Registry Value Name|
|:----------:|:-----------------------:|
|Digital Signature|SignatureTemplate|
|Key Encipherment|EncryptionTemplate|
|Key Encipherment<br>Digital Signature|GeneralPurposeTemplate|
| SCEP Profile Key usage| NDES Registry Value Name |
| :-------------------: | :----------------------: |
| Digital Signature | SignatureTemplate |
| Key Encipherment | EncryptionTemplate |
| Key Encipherment<br>Digital Signature | GeneralPurposeTemplate |
Ideally, you should match the certificate request with registry value name to keep the configuration intuitive (encryption certificates use the encryptionTemplate, signature certificates use the signature template, etc.). A result of this intuitive design is the potential exponential growth in NDES server. Imagine an organization that needs to issue nine unique signature certificates across their enterprise.
Ideally, you should match the certificate request with the registry value name to keep the configuration intuitive (encryption certificates use the encryption template, signature certificates use the signature template, etc.). A result of this intuitive design is the potential exponential growth in the NDES server. Imagine an organization that needs to issue nine unique signature certificates across their enterprise.
If the need arises, you can configure a signature certificate in the encryption registry value name or an encryption certificate in the signature registry value to maximize the use of your NDES infrastructure. This unintuitive design requires current and accurate documentation of the configuration to ensure the SCEP certificate profile is configured to enroll the correct certificate, regardless of the actual purpose. Each organization needs to balance ease of configuration and administration with additional NDES infrastructure and the management overhead that comes with it.
If the need arises, you can configure a signature certificate in the encryption registry value name or an encryption certificate in the signature registry value to maximize the use of your NDES infrastructure. This unintuitive design requires current and accurate documentation of the configuration to ensure the SCEP certificate profile is configured to enroll the correct certificate, regardless of the actual purpose. Each organization needs to balance ease of configuration and administration with additional NDES infrastructure and the management overhead that comes with it.
Sign-in to the NDES Server with _local administrator_ equivalent credentials.
1. Open an elevated command prompt.
2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices.
3. Type the following command<br>
```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]```<br>
where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example:<br>
```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication```<br>
3. Type the following command:
```
reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]
```
where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example:
```
reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication
```
4. Type **Y** when the command asks for permission to overwrite the existing value.
5. Close the command prompt.
> [!IMPORTANT]
> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (certtmpl.msc).
> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (`certtmpl.msc`).
### Create a Web Application Proxy for the internal NDES URL.
Certificate enrollment for Azure AD joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services.
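Review bot: the rewritten sentence "The table below shows the SCEP profile values of the NDES certificate template registry value names" inverts the relationship; the table maps each SCEP profile key usage to an NDES registry value name, so suggest "The table below maps each SCEP profile key usage value to its NDES registry value name." In the next rewritten paragraph, "potential exponential growth in the NDES server" should be "growth in the number of NDES servers": with a maximum of three templates per server and every signature certificate mapped to SignatureTemplate, nine unique signature certificates need nine servers, which is the point the paragraph is making. Unchanged but visible in this hunk: the role-configuration list has two steps numbered 8 ("Review the **Confirmation** page" and "Click **Close**"), and the `reg add` fences have no language tag.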
@ -395,7 +410,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
![Azure Application Proxy Connectors](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png)
5. Sign-in the computer that will run the connector with access equivalent to a _domain user_.
> [!IMPORTANT]
> Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategtically locate Azure AD application proxy connectors throughout your organization to ensure maximum availablity. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
> Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
6. Start **AADApplicationProxyConnectorInstaller.exe**.
7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**.
@ -412,9 +427,9 @@ Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
3. Under **MANAGE**, click **Application proxy**.
![Azure Application Proxy Connector groups](images/aadjcert/azureconsole-applicationproxy-connectors-default.png)
![Azure Application Proxy Connector groups](images/aadjcert/azureconsole-applicationproxy-connectors-default.png)
4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**.
![Azure Application New Connector Group](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png)
![Azure Application New Connector Group](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png)
5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests.
6. Click **Save**.
@ -426,18 +441,18 @@ Sign-in a workstation with access equivalent to a _domain user_.
3. Under **MANAGE**, click **Application proxy**.
4. Click **Configure an app**.
5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL.
6. Next to **Internal Url**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
7. Under **Internal Url**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png)
8. Select **Passthrough** from the **Pre Authentication** list.
9. Select **NDES WHFB Connectors** from the **Connector Group** list.
10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**.
10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**.
11. Click **Add**.
12. Sign-out of the Azure Portal.
> [!IMPORTANT]
> Write down the internal and external URLs. You will need this information when you enroll the NDES-Intune Authentication certificate.
### Enroll the NDES-Intune Authentication certificate
This task enrolls a client and server authentication certificate used by the Intune connector and the NDES server.
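Review bot: step 7 was edited for "Url" to "URL" but still labels the field "Internal URL"; the step fills in the external hostname and DNS suffix, and step 6 already covered the internal URL, so this should be "External URL". Two more issues on the same lines: the example in step 6 has an unmatched closing parenthesis after https://ndes.corp.mstepdemo.net, and the suffix is written as -[tenantName].msapproxy.net in the explanation but -mstephendemo.msappproxy.net in the example and ndes-mstephendemo.msappproxy.net later on the page; msappproxy.net is the one to keep.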
@ -450,7 +465,7 @@ Sign-in the NDES server with access equivalent to _local administrators_.
5. Click **Next** on the **Select Certificate Enrollment Policy** page.
6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box.
7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png)
![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png)
8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**.
9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished.
9. Click **Enroll**
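Review bot: whitespace-only change, but the list has two steps numbered 9 ("Under **Alternative name** ..." and "Click **Enroll**"), and step 7 is missing its terminating period. Renumber the final step to 10 while this hunk is open.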
@ -463,12 +478,12 @@ Sign-in the NDES server with access equivalent to _local administrator_.
1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
![NDES IIS Console](images/aadjcert/ndes-iis-console.png)
![NDES IIS Console](images/aadjcert/ndes-iis-console.png)
3. Click **Bindings...*** under **Actions**. Click **Add**.
![NDES IIS Console](images/aadjcert/ndes-iis-bindings.png)
![NDES IIS Console](images/aadjcert/ndes-iis-bindings.png)
4. Select **https** from **Type**. Confirm the value for **Port** is **443**.
5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**.
![NDES IIS Console](images/aadjcert/ndes-iis-bindings-add-443.png)
![NDES IIS Console](images/aadjcert/ndes-iis-bindings-add-443.png)
6. Select **http** from the **Site Bindings** list. Click **Remove**.
7. Click **Close** on the **Site Bindings** dialog box.
8. Close **Internet Information Services (IIS) Manager**.
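Review bot: step 3 reads `**Bindings...***` with a stray third asterisk, which renders a literal `*` after the button name; it should be `**Bindings...**`. The line is unchanged by this hunk but sits between the lines being touched.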
@ -487,10 +502,12 @@ Sign-in the NDES server with access equivalent to _local administrator_.
#### Test the NDES web server
1. Open **Internet Explorer**.
2. In the navigation bar, type
```https://[fqdnHostName]/certsrv/mscep/mscep.dll```
where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
```
https://[fqdnHostName]/certsrv/mscep/mscep.dll
```
where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
A web page similar to the following should appear in your web browser. If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
![NDES IIS Console](images/aadjcert/ndes-https-website-test-01.png)
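Review bot: the rewritten troubleshooting sentence keeps the misspelled event source "NetworkDeviceEnrollmentSerice"; the source NDES writes to the Application log is NetworkDeviceEnrollmentService, and a reader filtering Event Viewer on the misspelled name will find nothing. Please fix it in the same edit.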
@ -510,7 +527,7 @@ Sign-in the NDES server with access equivalent to _local administrator_.
1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane.
![Intune NDES Request filtering](images/aadjcert/NDES-IIS-RequestFiltering.png)
![Intune NDES Request filtering](images/aadjcert/NDES-IIS-RequestFiltering.png)
4. Select **Allow unlisted file name extensions**.
5. Select **Allow unlisted verbs**.
6. Select **Allow high-bit characters**.
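Review bot: whitespace-only hunk, but the three options selected in steps 4 to 6 relax IIS request filtering for the whole **Default Web Site** selected in step 2, not just the NDES application; the page should say why NDES needs them and that the relaxation is site-wide, so an operator who hosts anything else on that site understands the trade-off.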
@ -521,9 +538,11 @@ Sign-in the NDES server with access equivalent to _local administrator_.
#### Configure Parameters for HTTP.SYS
1. Open an elevated command prompt.
2. Run the following commands <br>
```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534``` <br>
```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```<br>
2. Run the following commands:
```
reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534
reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534
```
3. Restart the NDES server.
## Download, Install and Configure the Intune Certificate Connector
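Review bot: the two `reg add` commands are now in one fence, which is an improvement, but unlike the earlier MSCEP registry step this one does not say what to do if a value already exists; either add `/f` to both commands so they overwrite without prompting, or add the same "Type **Y** when the command asks for permission to overwrite" step used earlier. The fence also lacks a language tag.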
@ -535,7 +554,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**.
3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section.
![Intune Certificate Authority](images/aadjcert/profile01.png)
![Intune Certificate Authority](images/aadjcert/profile01.png)
4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
5. Sign-out of the Microsoft Endpoint Manager admin center.
@ -552,14 +571,16 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
![Intune Connector Install 03](images/aadjcert/intunecertconnectorinstall-03.png)
7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**.
![Intune Connector Install 05](images/aadjcert/intunecertconnectorinstall-05.png)
> [!NOTE]
> The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page.
8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**.
9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**.
![Intune Connector Install 06](images/aadjcert/intunecertconnectorinstall-06.png)
> [!NOTE]
> You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder
> You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder.
10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task.
![Intune Connector install 07](images/aadjcert/intunecertconnectorinstall-07.png)
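Review bot: the NOTE after step 7 still says "the application rembers the selection" (remembers), and step 9 begins "ON the" (On the); both are context lines in this hunk and should be fixed together with the period added to the SetupMsi.log note. Step 10 also leaves "click Finish" unbolded while every other button name on the page is bold.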
@ -568,6 +589,7 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
Sign-in the NDES server with access equivalent to _domain administrator_.
1. The **NDES Connector** user interface should be open from the last task.
> [!NOTE]
> If the **NDES Connector** user interface is not open, you can start it from **\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**.
@ -576,8 +598,9 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role.
![Intune Certificate Connector Configuration 02](images/aadjcert/intunecertconnectorconfig-02.png)
> [!IMPORTANT]
> The user account must have a valid Intune licenese assigned. If the user account does not have a valid Intune license, the sign-in fails.
> The user account must have a valid Intune license assigned. If the user account does not have a valid Intune license, the sign-in fails.
4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task.
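Review bot: mid-sentence capital in "Otherwise, Click **Close**" should be "click". The sign-in sentence in step 3 also reads more cleanly as "Type credentials for an Intune administrator or a tenant administrator who has the **Global Administrator** directory role."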
@ -591,30 +614,34 @@ Sign-in the certificate authority used by the NDES Connector with access equival
1. Start the **Certification Authority** management console.
2. In the navigation pane, right-click the name of the certificate authority and select **Properties**.
3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**.
![Configure Intune certificate revocation 02](images/aadjcert/intuneconfigcertrevocation-02.png)
![Configure Intune certificate revocation 02](images/aadjcert/intuneconfigcertrevocation-02.png)
4. Close the **Certification Authority**
#### Enable the NDES Connector for certificate revocation
Sign-in the NDES server with access equivalent to _domain administrator_.
1. Open the **NDES Connector** user interface (**\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**).
2. Click the **Advanced** tab. Select **Specify a different account username and password**. TYpe the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**.
![Intune Connector cert revocation configuration 04](images/aadjcert/intunecertconnectorconfig-04.png)
2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**.
![Intune Connector cert revocation configuration 04](images/aadjcert/intunecertconnectorconfig-04.png)
3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**.
### Test the NDES Connector
Sign-in the NDES server with access equivalent to _domain admin_.
1. Open a command prompt.
2. Type the following command to confirm the NDES Connector's last connection time is current.</br>
```reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus```</br>
2. Type the following command to confirm the NDES Connector's last connection time is current.
```
reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus
```
3. Close the command prompt.
4. Open **Internet Explorer**.
5. In the navigation bar, type</br>
```https://[fqdnHostName]/certsrv/mscep/mscep.dll```</br>
where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.</br>
A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
![NDES web site test after Intune Certificate Connector](images/aadjcert/ndes-https-website-test-after-intune-connector.png)
5. In the navigation bar, type:
```
https://[fqdnHostName]/certsrv/mscep/mscep.dll
```
where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
![NDES web site test after Intune Certificate Connector](images/aadjcert/ndes-https-website-test-after-intune-connector.png)
6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**.
## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile
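Review bot: the rewritten step 5 text keeps the misspelled event source "**NetworkDeviceEnrollmentSerice**"; the source NDES logs under in the Application event log is "NetworkDeviceEnrollmentService", and an admin searching the log for the misspelling will find nothing. Smaller points in the same hunk: "Click *Check Names*" uses italics while every other UI element on the page is bold; "4. Close the **Certification Authority**" lacks a terminating period; the two new fenced blocks (`reg query ...` and the `https://[fqdnHostName]/...` URL) carry no language tag, unlike the ```PowerShell fence used later in this commit, so they render without highlighting; and "access equivalent to _domain admin_" in "Test the NDES Connector" differs from the "_domain administrator_" wording used in the preceding tasks.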
@ -629,7 +656,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
5. Under **Group Name**, type the name of the group. For example, **AADJ WHFB Certificate Users**.
6. Provide a **Group description**, if applicable.
7. Select **Assigned** from the **Membership type** list.
![Azure AD new group creation](images/aadjcert/azureadcreatewhfbcertgroup.png)
![Azure AD new group creation](images/aadjcert/azureadcreatewhfbcertgroup.png)
8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**.
9. Click **Create**.
@ -646,6 +673,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
7. Next to **Description**, provide a description meaningful for your environment, then select **Next**.
8. Select **User** as a certificate type.
9. Configure **Certificate validity period** to match your organization.
> [!IMPORTANT]
> Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.
@ -669,7 +697,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
3. Click **WHFB Certificate Enrollment**.
4. Select **Properties**, and then click **Edit** next to the **Assignments** section.
5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**.
![WHFB SCEP Profile Assignment](images/aadjcert/profile04.png)
![WHFB SCEP Profile Assignment](images/aadjcert/profile04.png)
6. Select the **AADJ WHFB Certificate Users** group. Click **Select**.
7. Click **Review + Save**, and then **Save**.
@ -679,7 +707,7 @@ You have successfully completed the configuration. Add users that need to enrol
> [!div class="checklist"]
> * Requirements
> * Prepare Azure AD Connect
> * Prepare the Network Device Enrollment Services (NDES) Service Acccount
> * Prepare the Network Device Enrollment Services (NDES) Service Account
> * Prepare Active Directory Certificate Authority
> * Install and Configure the NDES Role
> * Configure Network Device Enrollment Services to work with Microsoft Intune

View File

@ -65,14 +65,17 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
7. Restart the AD FS server.
> [!NOTE]
>For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
> For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
>
> 1. Launch AD FS management console. Browse to "Services > Scope Descriptions".
> 2. Right click "Scope Descriptions" and select "Add Scope Description".
> 3. Under name type "ugs" and Click Apply > OK.
> 4. Launch Powershell as Administrator.
> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier is equal to 38aa3b87-a06d-4817-b275-7a316988d93b and make a note of the ObjectIdentifier.
> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'.
> 4. Launch PowerShell as an administrator.
> 5. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b":
> ```PowerShell
> (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
> ```
> 6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'`.
> 7. Restart the ADFS service.
> 8. On the client: Restart the client. User should be prompted to provision WHFB.
> 9. If the provisioning window does not pop up then need to collect NGC trace logs and further troubleshoot.
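Review bot: the rewritten step 5 drops the check the old text made, namely that the permission found has "ScopeNames :{openid, aza}", and filters on ClientRoleIdentifier alone; if more than one permission (or none) matches, `(...).ObjectIdentifier` silently yields several values or nothing, and the reader then pastes an ambiguous or empty value into step 6. Suggest keeping the scope check and removing the manual copy by binding the result to a variable, for example:
`$perm = Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | Where-Object { $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' -and $_.ScopeNames -contains 'aza' }`
`Set-AdfsApplicationPermission -TargetIdentifier $perm.ObjectIdentifier -AddScope 'ugs'`
In documentation the `?` alias should be spelled out as `Where-Object` either way, and step 6 would then be a fenced command like step 5 rather than inline code. Minor: "Oauth" should be "OAuth", and "ADFS" and "AD FS" are both used in the same note.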

View File

@ -20,9 +20,9 @@ ms.custom: bitlocker
# BitLocker Group Policy settings
**Applies to**
**Applies to:**
- Windows 10
- Windows 10, Windows Server 2019, Windows Server 2016, Windows 8.1, and Windows Server 2012 R2
This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.

View File

@ -195,8 +195,7 @@
##### [Customize, initiate, and review the results of scans and remediation]()
###### [Configuration overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
###### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
###### [Configure antivirus exclusions Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
@ -1334,7 +1333,6 @@
#### [Windows security baselines](windows-security-configuration-framework/windows-security-baselines.md)
##### [Security Compliance Toolkit](windows-security-configuration-framework/security-compliance-toolkit-10.md)
##### [Get support](windows-security-configuration-framework/get-support-for-security-baselines.md)
### [MBSA removal and alternatives](mbsa-removal-and-guidance.md)
### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)

View File

@ -1,13 +1,12 @@
---
title: WDAC and virtualization-based code integrity (Windows 10)
description: Hardware and software system integrity-hardening capabilites that can be deployed separately or in combination with Windows Defender Application Control (WDAC).
title: Windows Defender Application Control and virtualization-based code integrity (Windows 10)
description: Hardware and software system integrity-hardening capabilities that can be deployed separately or in combination with Windows Defender Application Control (WDAC).
keywords: virtualization, security, malware, device guard
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 07/01/2019
ms.reviewer:
manager: dansimp
ms.custom: asr
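Review bot: the hunk header (-1,13 +1,12) shows one line removed net, and the only front-matter key that does not reappear is `ms.date: 07/01/2019`; the same key is dropped in the two exclusion articles later in this commit (`ms.date: 03/12/2020` and `ms.date: 10/21/2020`). Since ms.date feeds the displayed article date that readers use to judge whether security guidance is current, the intent (let the build stamp the date, or an oversight) should be stated in the PR description.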
@ -19,24 +18,24 @@ ms.custom: asr
- Windows 10
- Windows Server 2016
Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI).
Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks by using virtualization-based protection of code integrity (more specifically, HVCI).
Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices.
Configurable code integrity policies and HVCI are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows 10 devices.
Using configurable code integrity to restrict devices to only authorized apps has these advantages over other solutions:
1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. Configurable code integrity allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organizations digital signing process, making it extremely difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy.
4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? Thats because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organizations digital signing process, making it difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy.
4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is diminished. Why is this relevant? Thats because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
## Windows Defender Application Control
When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems cant meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldnt use configurable code integrity either.
When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with more hardware, firmware, and kernel driver compatibility requirements that some older systems cant meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldnt use configurable code integrity either.
Configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control).
Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as an independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control).
We hope this change will help us better communicate options for adopting application control within an organization.
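Review bot: as displayed here, several words are missing apostrophes ("organizations digital signing process", "Thats because", "cant meet", "couldnt use"); if these are not an artifact of the diff view, they should read "organization's", "That's", "can't" and "couldn't", since the surrounding lines are otherwise being edited for wording. The "a independent" to "an independent" fix in the last paragraph is correct.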
## Related articles

View File

@ -1,44 +0,0 @@
---
title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
keywords: MBSA, security, removal
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: dansimp
author: dulcemontemayor
ms.date: 10/05/2018
ms.reviewer:
manager: dansimp
---
# What is Microsoft Baseline Security Analyzer and its uses?
Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these additional checks had not been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive.
MBSA was largely used in situations where neither Microsoft Update nor a local WSUS or Configuration Manager server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016.
> [!NOTE]
> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file.
## The Solution
A script can help you with an alternative to MBSAs patch-compliance checking:
- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script.
For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be).
For example:
[![VBS script](images/vbs-example.png)](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
[![PowerShell script](images/powershell-example.png)](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be)
The preceding scripts leverage the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers.
## More Information
For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit.
- [Windows security baselines](windows-security-baselines.md)
- [Download Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319)
- [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/)
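Review bot: deleting this file removes the only place in the set that documents the Wsusscn2.cab signing change (SHA-256 only, with MBSA failing on the August 2020 file with "The catalog file is damaged or an invalid catalog.") and the WUA offline-scan alternatives, and the TOC entry "MBSA removal and alternatives" is removed in the same commit. Administrators still hitting that error will have no landing text that explains it; suggest carrying the note and the two script links over to a surviving page (the Windows security baselines article it links to is a candidate) before the file is dropped.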

View File

@ -21,136 +21,38 @@ manager: dansimp
You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable.
This topic describes some common mistake that you should avoid when defining exclusions.
This article describes some common mistake that you should avoid when defining exclusions.
Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions).
## Excluding certain trusted items
There are certain files, file types, folders, or processes that you should not exclude from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning.
**Do not add exclusions for the following folder locations:**
Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious.
- %systemdrive%
- C:
- C:\
- C:\*
- %ProgramFiles%\Java
- C:\Program Files\Java
- %ProgramFiles%\Contoso\
- C:\Program Files\Contoso\
- %ProgramFiles(x86)%\Contoso\
- C:\Program Files (x86)\Contoso\
- C:\Temp
- C:\Temp\
- C:\Temp\*
- C:\Users\
- C:\Users\*
- C:\Users\<UserProfileName>\AppData\Local\Temp\
- C:\Users\<UserProfileName>\AppData\LocalLow\Temp\
- C:\Users\<UserProfileName>\AppData\Roaming\Temp\
- %Windir%\Prefetch
- C:\Windows\Prefetch
- C:\Windows\Prefetch\
- C:\Windows\Prefetch\*
- %Windir%\System32\Spool
- C:\Windows\System32\Spool
- C:\Windows\System32\CatRoot2
- %Windir%\Temp
- C:\Windows\Temp
- C:\Windows\Temp\
- C:\Windows\Temp\*
Do not define exclusions for the folder locations, file extensions, and processes that are listed in the following table:
**Do not add exclusions for the following file extensions:**
- .7zip
- .bat
- .bin
- .cab
- .cmd
- .com
- .cpl
- .dll
- .exe
- .fla
- .gif
- .gz
- .hta
- .inf
- .java
- .jar
- .job
- .jpeg
- .jpg
- .js
- .ko
- .ko.gz
- .msi
- .ocx
- .png
- .ps1
- .py
- .rar
- .reg
- .scr
- .sys
- .tar
- .tmp
- .url
- .vbe
- .vbs
- .wsf
- .zip
| Folder locations | File extensions | Processes |
|:--|:--|:--|
| `%systemdrive%` <br/> `C:`<br/> `C:\` <br/> `C:\*` <br/> `%ProgramFiles%\Java` <br/> `C:\Program Files\Java` <br/> `%ProgramFiles%\Contoso\` <br/> `C:\Program Files\Contoso\` <br/> `%ProgramFiles(x86)%\Contoso\` <br/> `C:\Program Files (x86)\Contoso\` <br/> `C:\Temp` <br/> `C:\Temp\` <br/> `C:\Temp\*` <br/> `C:\Users\` <br/> `C:\Users\*` <br/> `C:\Users\<UserProfileName>\AppData\Local\Temp\` <br/> `C:\Users\<UserProfileName>\AppData\LocalLow\Temp\` <br/> `C:\Users\<UserProfileName>\AppData\Roaming\Temp\` <br/> `%Windir%\Prefetch` <br/> `C:\Windows\Prefetch` <br/> `C:\Windows\Prefetch\` <br/> `C:\Windows\Prefetch\*` <br/> `%Windir%\System32\Spool` <br/> `C:\Windows\System32\Spool` <br/> `C:\Windows\System32\CatRoot2` <br/> `%Windir%\Temp` <br/> `C:\Windows\Temp` <br/> `C:\Windows\Temp\` <br/> `C:\Windows\Temp\*` | `.7zip` <br/> `.bat` <br/> `.bin` <br/> `.cab` <br/> `.cmd` <br/> `.com` <br/> `.cpl` <br/> `.dll` <br/> `.exe` <br/> `.fla` <br/> `.gif` <br/> `.gz` <br/> `.hta` <br/> `.inf` <br/> `.java` <br/> `.jar` <br/> `.job` <br/> `.jpeg` <br/> `.jpg` <br/> `.js` <br/> `.ko` <br/> `.ko.gz` <br/> `.msi` <br/> `.ocx` <br/> `.png` <br/> `.ps1` <br/> `.py` <br/> `.rar` <br/> `.reg` <br/> `.scr` <br/> `.sys` <br/> `.tar` <br/> `.tmp` <br/> `.url` <br/> `.vbe` <br/> `.vbs` <br/> `.wsf` <br/> `.zip` | `AcroRd32.exe` <br/> `bitsadmin.exe` <br/> `excel.exe` <br/> `iexplore.exe` <br/> `java.exe` <br/> `outlook.exe` <br/> `psexec.exe` <br/> `powerpnt.exe` <br/> `powershell.exe` <br/> `schtasks.exe` <br/> `svchost.exe` <br/>`wmic.exe` <br/> `winword.exe` <br/> `wuauclt.exe` <br/> `addinprocess.exe` <br/> `addinprocess32.exe` <br/> `addinutil.exe` <br/> `bash.exe` <br/> `bginfo.exe`[1] <br/>`cdb.exe` <br/> `csi.exe` <br/> `dbghost.exe` <br/> `dbgsvc.exe` <br/> `dnx.exe` <br/> `fsi.exe` <br/> `fsiAnyCpu.exe` <br/> `kd.exe` <br/> `ntkd.exe` <br/> `lxssmanager.dll` <br/> `msbuild.exe`[2] <br/> `mshta.exe` <br/> `ntsd.exe` <br/> `rcsi.exe` <br/> `system.management.automation.dll` 
<br/> `windbg.exe` |
>[!NOTE]
> You can chose to exclude file types, such as .gif, .jpg, .jpeg, .png if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
**Do not add exclusions for the following processes:**
- AcroRd32.exe
- bitsadmin.exe
- excel.exe
- iexplore.exe
- java.exe
- outlook.exe
- psexec.exe
- powerpnt.exe
- powershell.exe
- schtasks.exe
- svchost.exe
- wmic.exe
- winword.exe
- wuauclt.exe
- addinprocess.exe
- addinprocess32.exe
- addinutil.exe
- bash.exe
- bginfo.exe[1]
- cdb.exe
- csi.exe
- dbghost.exe
- dbgsvc.exe
- dnx.exe
- fsi.exe
- fsiAnyCpu.exe
- kd.exe
- ntkd.exe
- lxssmanager.dll
- msbuild.exe[2]
- mshta.exe
- ntsd.exe
- rcsi.exe
- system.management.automation.dll
- windbg.exe
> You can chose to exclude file types, such as `.gif`, `.jpg`, `.jpeg`, or `.png` if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
## Using just the file name in the exclusion list
A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude **Filename.exe** from scanning, use the complete path to the file, such as **C:\program files\contoso\Filename.exe**.
A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude `Filename.exe` from scanning, use the complete path to the file, such as `C:\program files\contoso\Filename.exe`.
## Using a single exclusion list for multiple server workloads
Do not use a single exclusion list to define exclusions for multiple server workloads. Split the exclusions for different application or service workloads into multiple exclusion lists. For example, the exclusion list for your IIS Server workload must be different from the exclusion list for your SQL Server workload.
## Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists
Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables.
See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists.
## Related topics
## Related articles
- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
- [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
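Review bot: the new table row is broken across two lines (the cell ends with `system.management.automation.dll` and the `<br/> `windbg.exe` |` fragment sits on the next line); Markdown tables are line-based, so the row will not render and `windbg.exe` will appear as stray text below the table. Join the two lines. Also, the `[1]` and `[2]` markers after `bginfo.exe` and `msbuild.exe` have no corresponding footnote text anywhere in the hunk, and "common mistake that you should avoid" and "You can chose to exclude" (both in the rewritten lines) should read "mistakes" and "choose".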

View File

@ -22,7 +22,7 @@ ms.date: 10/22/2020
**Applies to:**
- Microsoft Defender Antivirus
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments.

View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- Microsoft Defender Antivirus
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).

View File

@ -10,7 +10,6 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 03/12/2020
ms.reviewer:
manager: dansimp
---
@ -41,8 +40,11 @@ Defining exclusions lowers the protection offered by Microsoft Defender Antiviru
The following is a list of recommendations that you should keep in mind when defining exclusions:
- Exclusions are technically a protection gap—always consider additional mitigations when defining exclusions. Additional mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc.
- Review the exclusions periodically. Re-check and re-enforce the mitigations as part of the review process.
- Ideally, avoid defining proactive exclusions. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues—mostly around performance, or sometimes around application compatibility that exclusions could mitigate.
- Audit the exclusion list changes. The security admin should preserve enough context around why a certain exclusion was added. You should be able to provide answer with specific reasoning as to why a certain path was excluded.
## Related articles
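Review bot: The last new bullet is missing an article ("You should be able to provide an answer with specific reasoning"), and the first bullet should read "is processed by up-to-date software" rather than "an up-to-date software". Since the list asks admins to audit and periodically review exclusions, it would be more actionable to point at the review tooling documented later in this same commit (`Get-MpPreference` and `MpCmdRun.exe -CheckExclusion -path <path>`) so readers know how to actually enumerate and validate what is excluded.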

View File

@ -12,7 +12,6 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
ms.date: 10/21/2020
---
# Configure and validate exclusions based on file extension and folder location
@ -29,40 +28,37 @@ ms.date: 10/21/2020
## Exclusion lists
You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
> [!NOTE]
> Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in the Windows Security app and in PowerShell.
This article describes how to configure exclusion lists for the files and folders. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
Exclusion | Examples | Exclusion list
---|---|---
Any file with a specific extension | All files with the specified extension, anywhere on the machine.<br/>Valid syntax: `.test` and `test` | Extension exclusions
Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions
A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions
A specific process | The executable file `c:\test\process.exe` | File and folder exclusions
| Exclusion | Examples | Exclusion list |
|:---|:---|:---|
|Any file with a specific extension | All files with the specified extension, anywhere on the machine.<br/>Valid syntax: `.test` and `test` | Extension exclusions |
|Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions |
| A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions |
| A specific process | The executable file `c:\test\process.exe` | File and folder exclusions |
Exclusion lists have the following characteristics:
- Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
- File extensions apply to any file name with the defined extension if a path or folder is not defined.
>[!IMPORTANT]
>Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
>
>You cannot exclude mapped network drives. You must specify the actual network path.
>
>Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
> [!IMPORTANT]
> - Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
> - You cannot exclude mapped network drives. You must specify the actual network path.
> - Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md).
The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md).
>[!IMPORTANT]
>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
>
>Changes made in the Windows Security app **will not show** in the Group Policy lists.
> [!IMPORTANT]
> Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
> Changes made in the Windows Security app **will not show** in the Group Policy lists.
By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts.
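Review bot: The rewritten IMPORTANT alert near the end of the hunk loses the blank `>` line that separated its two sentences; in Markdown consecutive `>` lines form one paragraph, so "Exclusion list changes made with Group Policy **will show** ..." and "Changes made in the Windows Security app **will not show** ..." will render as a single run-on paragraph. Keep a `>` separator between them, or turn them into a two-item `> -` list as was done for the wildcard/reparse-point IMPORTANT block above it.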
@ -85,32 +81,30 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
>[!NOTE]
>If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
4. Double-click the **Path Exclusions** setting and add the exclusions.
4. Open the **Path Exclusions** setting for editing, and add your exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
5. Choose **OK**.
![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png)
6. Double-click the **Extension Exclusions** setting and add the exclusions.
6. Open the **Extension Exclusions** setting for editing and add your exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Under the **Options** section, select **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**.
![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png)
7. Choose **OK**.
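Review bot: The click-to-select wording change is only applied to the Extension Exclusions sub-list ("Under the **Options** section, select **Show...**"); the Path Exclusions sub-list still reads "Under the **Options** section, click **Show...**". The screenshot placement also differs between the two settings: the path-exclusions image follows "5. Choose **OK**." while the extension-exclusions image now precedes "7. Choose **OK**." Make both subsections follow the same wording and image order.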
<a id="ps"></a>
@ -126,21 +120,21 @@ The format for the cmdlets is as follows:
The following are allowed as the `<cmdlet>`:
Configuration action | PowerShell cmdlet
---|---
Create or overwrite the list | `Set-MpPreference`
Add to the list | `Add-MpPreference`
Remove item from the list | `Remove-MpPreference`
| Configuration action | PowerShell cmdlet |
|:---|:---|
|Create or overwrite the list | `Set-MpPreference` |
|Add to the list | `Add-MpPreference` |
|Remove item from the list | `Remove-MpPreference` |
The following are allowed as the `<exclusion list>`:
Exclusion type | PowerShell parameter
---|---
All files with a specified file extension | `-ExclusionExtension`
All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath`
| Exclusion type | PowerShell parameter |
|:---|:---|
| All files with a specified file extension | `-ExclusionExtension` |
| All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` |
>[!IMPORTANT]
>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
> [!IMPORTANT]
> If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
For example, the following code snippet would cause Microsoft Defender AV scans to exclude any file with the `.test` file extension:
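Review bot: Nit: the sentence after the alert still says "Microsoft Defender AV scans" while the rest of the page uses "Microsoft Defender Antivirus"; align the product name. The overwrite warning would also benefit from stating the practical consequence for deployment scripts: a second `Set-MpPreference -ExclusionPath` call replaces the whole list, so scripted additions to an existing list should use `Add-MpPreference`, as the table above already implies.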
@ -175,29 +169,26 @@ See [Add exclusions in the Windows Security app](microsoft-defender-security-cen
You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations.
>[!IMPORTANT]
>There are key limitations and usage scenarios for these wildcards:
>
>- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
>- You cannot use a wildcard in place of a drive letter.
>- An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
> [!IMPORTANT]
> There are key limitations and usage scenarios for these wildcards:
> - Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
> - You cannot use a wildcard in place of a drive letter.
> - An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
|Wildcard |Examples |
|---------|---------|
|:---------|:---------|
|`*` (asterisk) <br/><br/>In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`<br/><br/>`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders` <br/><br/>`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` |
|`?` (question mark) <br/><br/>In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my?` would include `C:\MyData\my1.zip` <br/><br/>`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders <br/><br/>`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
|Environment variables <br/><br/>The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` |
>[!IMPORTANT]
>If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
>
>For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`.
>
>This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`.
> [!IMPORTANT]
> If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
> For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`.
> This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`.
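Review bot: The same paragraph-merging problem as in the earlier alert: dropping the `>` separator lines in the final IMPORTANT block turns three distinct sentences ("If you mix a file exclusion argument...", "For example, you can exclude...", "This argument, however, will not match...") into one paragraph when rendered. Keep a blank `>` line between them. While here, the asterisk row's example cells wrap prose inside the code span (`C:\somepath\Archives\Data and its subfolders`); only the path should be in backticks, as the question-mark row does.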
<a id="review"></a>
@ -205,273 +196,68 @@ The following table describes how the wildcards can be used and provides some ex
The following table lists and describes the system account environment variables.
<table border="0" cellspacing="0" cellpadding="20">
<thead>
<tr>
<th valign="top">System environment variables</th>
<th valign="top">Will redirect to:</th>
</tr>
</thead><tbody>
<tr>
<td valign="top">%APPDATA%</td>
<td valign="top">C:\Users\UserName.DomainName\AppData\Roaming</td>
</tr>
<tr>
<td valign="top">%APPDATA%\Microsoft\Internet Explorer\Quick Launch</td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch</td>
</tr>
<tr>
<td valign="top">%APPDATA%\Microsoft\Windows\Start Menu</td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu</td>
</tr>
<tr>
<td valign="top">%APPDATA%\Microsoft\Windows\Start Menu\Programs</td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs</td>
</tr>
<tr>
<td valign="top">%LOCALAPPDATA% </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Local</td>
</tr>
<tr>
<td valign="top">%ProgramData%</td>
<td valign="top">C:\ProgramData</td>
</tr>
<tr>
<td valign="top">%ProgramFiles%</td>
<td valign="top">C:\Program Files</td>
</tr>
<tr>
<td valign="top">%ProgramFiles%\Common Files </td>
<td valign="top">C:\Program Files\Common Files</td>
</tr>
<tr>
<td valign="top">%ProgramFiles%\Windows Sidebar\Gadgets </td>
<td valign="top">C:\Program Files\Windows Sidebar\Gadgets</td>
</tr>
<tr>
<td valign="top">%ProgramFiles%\Common Files</td>
<td valign="top">C:\Program Files\Common Files</td>
</tr>
<tr>
<td valign="top">%ProgramFiles(x86)% </td>
<td valign="top">C:\Program Files (x86)</td>
</tr>
<tr>
<td valign="top">%ProgramFiles(x86)%\Common Files </td>
<td valign="top">C:\Program Files (x86)\Common Files</td>
</tr>
<tr>
<td valign="top">%SystemDrive%</td>
<td valign="top">C:</td>
</tr>
<tr>
<td valign="top">%SystemDrive%\Program Files</td>
<td valign="top">C:\Program Files</td>
</tr>
<tr>
<td valign="top">%SystemDrive%\Program Files (x86) </td>
<td valign="top">C:\Program Files (x86)</td>
</tr>
<tr>
<td valign="top">%SystemDrive%\Users </td>
<td valign="top">C:\Users</td>
</tr>
<tr>
<td valign="top">%SystemDrive%\Users\Public</td>
<td valign="top">C:\Users\Public</td>
</tr>
<tr>
<td valign="top">%SystemRoot%</td>
<td valign="top"> C:\Windows</td>
</tr>
<tr>
<td valign="top">%windir%</td>
<td valign="top">C:\Windows</td>
</tr>
<tr>
<td valign="top">%windir%\Fonts</td>
<td valign="top">C:\Windows\Fonts</td>
</tr>
<tr>
<td valign="top">%windir%\Resources </td>
<td valign="top">C:\Windows\Resources</td>
</tr>
<tr>
<td valign="top">%windir%\resources\0409</td>
<td valign="top">C:\Windows\resources\0409</td>
</tr>
<tr>
<td valign="top">%windir%\system32</td>
<td valign="top">C:\Windows\System32</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%</td>
<td valign="top">C:\ProgramData</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Application Data</td>
<td valign="top">C:\ProgramData\Application Data</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents</td>
<td valign="top">C:\ProgramData\Documents</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Music\Sample Music</td>
<td valign="top">
<p>C:\ProgramData\Documents\My Music\Sample Music</p>
<p>.</p>
</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Music </td>
<td valign="top">C:\ProgramData\Documents\My Music</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Pictures </td>
<td valign="top">
<p>C:\ProgramData\Documents\My Pictures
</p>
</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures </td>
<td valign="top">C:\ProgramData\Documents\My Pictures\Sample Pictures</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Videos </td>
<td valign="top">C:\ProgramData\Documents\My Videos</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\DeviceMetadataStore</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\GameExplorer</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Ringtones</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Start Menu</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Start Menu\Programs </td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools</td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Templates </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Templates</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Start Menu </td>
<td valign="top">C:\ProgramData\Start Menu</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Start Menu\Programs </td>
<td valign="top">C:\ProgramData\Start Menu\Programs</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools </td>
<td valign="top">C:\ProgramData\Start Menu\Programs\Administrative Tools</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Templates </td>
<td valign="top">C:\ProgramData\Templates</td>
</tr>
<tr>
<td valign="top">%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates</td>
</tr>
<tr>
<td valign="top">%LOCALAPPDATA%\Microsoft\Windows\History </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History</td>
</tr>
<tr>
<td valign="top">
<p>
%PUBLIC% </p>
</td>
<td valign="top">C:\Users\Public</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\AccountPictures </td>
<td valign="top">C:\Users\Public\AccountPictures</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Desktop </td>
<td valign="top">C:\Users\Public\Desktop</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Documents </td>
<td valign="top">C:\Users\Public\Documents</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Downloads </td>
<td valign="top">C:\Users\Public\Downloads</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Music\Sample Music </td>
<td valign="top">
<p>C:\Users\Public\Music\Sample Music</p>
<p>.</p>
</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Music\Sample Playlists </td>
<td valign="top">
<p>C:\Users\Public\Music\Sample Playlists</p>
<p>.</p>
</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Pictures\Sample Pictures </td>
<td valign="top">C:\Users\Public\Pictures\Sample Pictures</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\RecordedTV.library-ms</td>
<td valign="top">C:\Users\Public\RecordedTV.library-ms</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Videos</td>
<td valign="top">C:\Users\Public\Videos</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Videos\Sample Videos</td>
<td valign="top">
<p>C:\Users\Public\Videos\Sample Videos</p>
<p>.</p>
</td>
</tr>
<tr>
<td valign="top">%USERPROFILE% </td>
<td valign="top">C:\Windows\System32\config\systemprofile</td>
</tr>
<tr>
<td valign="top">%USERPROFILE%\AppData\Local </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Local</td>
</tr>
<tr>
<td valign="top">%USERPROFILE%\AppData\LocalLow </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\LocalLow</td>
</tr>
<tr>
<td valign="top">%USERPROFILE%\AppData\Roaming </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Roaming</td>
</tr>
</tbody>
</table>
| This system environment variable... | Redirects to this |
|:--|:--|
| `%APPDATA%`| `C:\Users\UserName.DomainName\AppData\Roaming` |
| `%APPDATA%\Microsoft\Internet Explorer\Quick Launch` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch` |
| `%APPDATA%\Microsoft\Windows\Start Menu` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu` |
| `%APPDATA%\Microsoft\Windows\Start Menu\Programs` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs` |
| `%LOCALAPPDATA%` | `C:\Windows\System32\config\systemprofile\AppData\Local` |
| `%ProgramData%` | `C:\ProgramData` |
| `%ProgramFiles%` | `C:\Program Files` |
| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` |
| `%ProgramFiles%\Windows Sidebar\Gadgets` | `C:\Program Files\Windows Sidebar\Gadgets` |
| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` |
| `%ProgramFiles(x86)%` | `C:\Program Files (x86)` |
| `%ProgramFiles(x86)%\Common Files` | `C:\Program Files (x86)\Common Files` |
| `%SystemDrive%` | `C:` |
| `%SystemDrive%\Program Files` | `C:\Program Files` |
| `%SystemDrive%\Program Files (x86)` | `C:\Program Files (x86)` |
| `%SystemDrive%\Users` | `C:\Users` |
| `%SystemDrive%\Users\Public` | `C:\Users\Public` |
| `%SystemRoot%` | `C:\Windows` |
| `%windir%` | `C:\Windows` |
| `%windir%\Fonts` | `C:\Windows\Fonts` |
| `%windir%\Resources` | `C:\Windows\Resources` |
| `%windir%\resources\0409` | `C:\Windows\resources\0409` |
| `%windir%\system32` | `C:\Windows\System32` |
| `%ALLUSERSPROFILE%` | `C:\ProgramData` |
| `%ALLUSERSPROFILE%\Application Data` | `C:\ProgramData\Application Data` |
| `%ALLUSERSPROFILE%\Documents` | `C:\ProgramData\Documents` |
| `%ALLUSERSPROFILE%\Documents\My Music\Sample Music` | `C:\ProgramData\Documents\My Music\Sample Music` |
| `%ALLUSERSPROFILE%\Documents\My Music` | `C:\ProgramData\Documents\My Music` |
| `%ALLUSERSPROFILE%\Documents\My Pictures` | `C:\ProgramData\Documents\My Pictures` |
| `%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures` | `C:\ProgramData\Documents\My Pictures\Sample Pictures` |
| `%ALLUSERSPROFILE%\Documents\My Videos` | `C:\ProgramData\Documents\My Videos` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore` | `C:\ProgramData\Microsoft\Windows\DeviceMetadataStore` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer` | `C:\ProgramData\Microsoft\Windows\GameExplorer` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones` | `C:\ProgramData\Microsoft\Windows\Ringtones` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu` | `C:\ProgramData\Microsoft\Windows\Start Menu` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Templates` | `C:\ProgramData\Microsoft\Windows\Templates` |
| `%ALLUSERSPROFILE%\Start Menu` | `C:\ProgramData\Start Menu` |
| `%ALLUSERSPROFILE%\Start Menu\Programs` | C:\ProgramData\Start Menu\Programs |
| `%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Start Menu\Programs\Administrative Tools` |
| `%ALLUSERSPROFILE%\Templates` | `C:\ProgramData\Templates` |
| `%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates` |
| `%LOCALAPPDATA%\Microsoft\Windows\History` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History` |
| `%PUBLIC%` | `C:\Users\Public` |
| `%PUBLIC%\AccountPictures` | `C:\Users\Public\AccountPictures` |
| `%PUBLIC%\Desktop` | `C:\Users\Public\Desktop` |
| `%PUBLIC%\Documents` | `C:\Users\Public\Documents` |
| `%PUBLIC%\Downloads` | `C:\Users\Public\Downloads` |
| `%PUBLIC%\Music\Sample Music` | `C:\Users\Public\Music\Sample Music` |
| `%PUBLIC%\Music\Sample Playlists` | `C:\Users\Public\Music\Sample Playlists` |
| `%PUBLIC%\Pictures\Sample Pictures` | `C:\Users\Public\Pictures\Sample Pictures` |
| `%PUBLIC%\RecordedTV.library-ms` | `C:\Users\Public\RecordedTV.library-ms` |
| `%PUBLIC%\Videos` | `C:\Users\Public\Videos` |
| `%PUBLIC%\Videos\Sample Videos` | `C:\Users\Public\Videos\Sample Videos` |
| `%USERPROFILE%` | `C:\Windows\System32\config\systemprofile` |
| `%USERPROFILE%\AppData\Local` | `C:\Windows\System32\config\systemprofile\AppData\Local` |
| `%USERPROFILE%\AppData\LocalLow` | `C:\Windows\System32\config\systemprofile\AppData\LocalLow` |
| `%USERPROFILE%\AppData\Roaming` | `C:\Windows\System32\config\systemprofile\AppData\Roaming` |
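Review bot: In the converted table the `%ALLUSERSPROFILE%\Start Menu\Programs` row is the only one whose target cell (`C:\ProgramData\Start Menu\Programs`) lacks backticks; add them for consistency. The `%ProgramFiles%\Common Files` row appears twice (it was also duplicated in the old HTML table), and converting is a good moment to drop the duplicate. Also worth verifying: `%APPDATA%` alone maps to `C:\Users\UserName.DomainName\AppData\Roaming`, whereas every `%APPDATA%\...` subpath in the same table maps under `C:\Windows\System32\config\systemprofile\AppData\Roaming`, which is what one would expect for a table of system-account variables.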
## Review the list of exclusions
@ -490,7 +276,7 @@ You can retrieve the items in the exclusion list using one of the following meth
If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists are displayed on separate lines, but the items within each list are combined into the same line.
- Retrieve the status of all Microsoft Defender Antivirus preferences. Each list is displayed on separate lines, but the items within each list are combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
### Validate the exclusion list by using MpCmdRun

View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- Microsoft Defender Antivirus
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.

View File

@ -77,8 +77,6 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
5. Click **OK**.
![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png)
### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
@ -106,11 +104,11 @@ For example, the following code snippet would cause Microsoft Defender AV scans
Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
```
For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve=true).
For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender).
### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans
Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://docs.microsoft.com/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
```WMI
ExclusionProcess
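Review bot: "Manage antivirus with PowerShell cmdlets" is still plain text while the cmdlet reference next to it is linked; link it to `use-powershell-cmdlets-microsoft-defender-antivirus.md`, as the later hunks in this file already do. The heading "Use Windows Management Instruction (WMI)" should read "Windows Management Instrumentation (WMI)".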
@ -118,7 +116,7 @@ ExclusionProcess
The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
For more information and allowed parameters, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx).
For more information and allowed parameters, see [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
### Use the Windows Security app to exclude files that have been opened by specified processes from scans
@ -154,8 +152,8 @@ To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://
MpCmdRun.exe -CheckExclusion -path <path>
```
>[!NOTE]
>Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
> [!NOTE]
> Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell
@ -166,7 +164,7 @@ Use the following cmdlet:
Get-MpPreference
```
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus.
### Retrieve a specific exclusions list by using PowerShell
@ -177,7 +175,7 @@ $WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess
```
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus.
## Related articles
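Review bot: the sentence "See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](...) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) for more information ..." now appears verbatim at the end of two consecutive sections (after `Get-MpPreference` and after `$WDAVprefs.ExclusionProcess`). Keep one copy, at the end of the second section, so the link has to be maintained in one place only.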

View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.date: 01/06/2021
ms.reviewer:
manager: dansimp
---
@ -39,20 +39,20 @@ To configure these settings:
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
4. Select the policy **Setting** as specified in the table below, and set the option to your desired configuration. Select **OK**, and repeat for any other settings.
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled
Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days
Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
|Location | Setting | Description | Default setting (if not configured) |
|:---|:---|:---|:---|
|Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled|
|Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days |
|Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) |
|Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed |
|Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable |
|Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable |
> [!IMPORTANT]
> Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
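Review bot: step 4 loses the action that actually opens the setting: "Select the policy **Setting** as specified in the table below, and set the option ..." replaces "Double-click", but in the Group Policy Management Editor selecting a setting does not open its dialog. Suggest "Open (double-click) the policy **Setting** as specified in the table below, and set the option to your desired configuration." The pipe-delimited table with `|:---|` alignment is fine as is.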

View File

@ -19,6 +19,10 @@ ms.custom: nextgen
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
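Review bot: the new **Applies to** list names only "[Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)", while the article body is about Microsoft Defender Antivirus on Windows Server 2016 and 2019, and the sibling article touched in this commit lists both ("- Microsoft Defender Antivirus" above the Defender for Endpoint bullet). Add the Microsoft Defender Antivirus bullet here too.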
@ -200,43 +204,11 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
#### Hyper-V exclusions
This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role
The following table lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role.
- File type exclusions:
- `*.vhd`
- `*.vhdx`
- `*.avhd`
- `*.avhdx`
- `*.vsv`
- `*.iso`
- `*.rct`
- `*.vmcx`
- `*.vmrs`
- Folder exclusions:
- `%ProgramData%\Microsoft\Windows\Hyper-V`
- `%ProgramFiles%\Hyper-V`
- `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots`
- `%Public%\Documents\Hyper-V\Virtual Hard Disks`
- Process exclusions:
- `%systemroot%\System32\Vmms.exe`
- `%systemroot%\System32\Vmwp.exe`
|File type exclusions |Folder exclusions | Process exclusions |
|:--|:--|:--|
| `*.vhd` <br/> `*.vhdx` <br/> `*.avhd` <br/> `*.avhdx` <br/> `*.vsv` <br/> `*.iso` <br/> `*.rct` <br/> `*.vmcx` <br/> `*.vmrs` | `%ProgramData%\Microsoft\Windows\Hyper-V` <br/> `%ProgramFiles%\Hyper-V` <br/> `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots` <br/> `%Public%\Documents\Hyper-V\Virtual Hard Disks` | `%systemroot%\System32\Vmms.exe` <br/> `%systemroot%\System32\Vmwp.exe` |
#### SYSVOL files
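Review bot: packing nine extensions and four folder paths into single table cells joined by `<br/>` makes the exclusions harder to scan and to copy than the bulleted list it replaces, and the cell contents cannot be selected as a list. If a table is wanted, consider one row per entry with empty cells where a column runs out of items; otherwise keep the bullets and apply only the intro-sentence fix (the added full stop and "The following table lists" wording).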

View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.date: 01/06/2021
ms.reviewer:
manager: dansimp
---
@ -29,11 +29,11 @@ Depending on the management tool you are using, you may need to specifically ena
See the table in [Deploy, manage, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI).
Some scenarios require additional guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
Some scenarios require more guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
The remaining topic in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md).
The remaining article in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md).
## Related topics
## Related articles
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
- [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
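Review bot: the unchanged context line above expands the acronym incorrectly: "Windows Management Instruction (WMI)" should be "Windows Management Instrumentation (WMI)". Since the paragraph is being reworded anyway, fix it in the same change.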

View File

@ -11,7 +11,7 @@ author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
audience: ITPro
ms.date: 11/30/2020
ms.date: 01/08/2021
ms.reviewer:
manager: dansimp
---
@ -110,19 +110,23 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
#### Use Group Policy to configure PUA protection
1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and select **Edit**.
1. Download and install [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
2. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
3. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**.
3. Select the Group Policy Object you want to configure, and then choose **Edit**.
4. Double-click **Configure detection for potentially unwanted applications**.
4. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
5. Select **Enabled** to enable PUA protection.
5. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**.
6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**.
6. Double-click **Configure detection for potentially unwanted applications**.
7. Deploy your Group Policy object as you usually do.
7. Select **Enabled** to enable PUA protection.
8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**.
9. Deploy your Group Policy object as you usually do.
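Review bot: the new step 1, "Download and install [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](...)", has no terminal period and gives no reason for the download; state why it is needed (presumably because the **Configure detection for potentially unwanted applications** setting in step 6 is only present in the current templates) so readers on an older template set know what to expect. Step 3 also drops "right-click", which is the gesture that reaches **Edit** in the GPMC; "Right-click the Group Policy Object you want to configure, and then select **Edit**" keeps it.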
#### Use PowerShell cmdlets to configure PUA protection

View File

@ -21,7 +21,7 @@ ms.custom: nextgen
**Applies to:**
- Microsoft Defender Antivirus
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
> [!NOTE]
> The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.

View File

@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
ms.reviewer: pahuijbr
manager: dansimp
---

View File

@ -1,5 +1,5 @@
---
title: Manage how and where Microsoft Defender AV receives updates
title: Manage how and where Microsoft Defender Antivirus receives updates
description: Manage the fallback order for how Microsoft Defender Antivirus receives protection updates.
keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus
search.product: eADQiWindows 10XVcnh
@ -10,7 +10,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.reviewer:
ms.reviewer: pahuijbr
manager: dansimp
ms.custom: nextgen
---
@ -170,7 +170,7 @@ Set up a network file share (UNC/mapped drive) to download security intelligence
MD C:\Temp\TempSigs\x86
```
3. Download the Powershell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4).
3. Download the PowerShell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4).
4. Click **Manual Download**.

View File

@ -11,9 +11,9 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
ms.reviewer: pahuijbr
manager: dansimp
ms.date: 12/05/2020
ms.date: 01/07/2021
---
# Manage Microsoft Defender Antivirus updates and apply baselines
@ -47,7 +47,7 @@ Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft
Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
For a list of recent security intelligence updates, please visit: [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes).
For a list of recent security intelligence updates, see [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/definitions/antimalware-definition-release-notes).
Engine updates are included with security intelligence updates and are released on a monthly cadence.
@ -64,17 +64,17 @@ You can manage the distribution of updates through one of the following methods:
For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
> [!NOTE]
> We release these monthly updates in phases. This results in multiple packages visible in your WSUS server.
> Monthly updates are released in phases, resulting in multiple packages visible in your [Window Server Update Services](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus).
## Monthly platform and engine versions
For information how to update or how to install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
For information how to update or install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
All our updates contain
- performance improvements;
- serviceability improvements; and
- integration improvements (Cloud, Microsoft 365 Defender).
<br/>
<br/><br/>
<details>
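Review bot: the new NOTE has a typo and drops the acronym the reader already knows from the text above: "visible in your [Window Server Update Services](...)" should read "visible in your [Windows Server Update Services (WSUS)](...) server". In the same hunk, "For information how to update or install the platform update" is missing a word ("For information on how to update or install ...").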
@ -87,6 +87,7 @@ All our updates contain
&ensp;Support phase: **Security and Critical Updates**
### What's new
- Improved SmartScreen status support logging
- Apply CPU throttling policy to manually initiated scans
@ -103,12 +104,14 @@ No known issues
&ensp;Support phase: **Security and Critical Updates**
### What's new
- New descriptions for special threat categories
- Improved emulation capabilities
- Improved host address allow/block capabilities
- New option in Defender CSP to Ignore merging of local user exclusions
### Known Issues
No known issues
<br/>
</details><details>
@ -121,6 +124,7 @@ No known issues
&ensp;Support phase: **Security and Critical Updates**
### What's new
- Admin permissions are required to restore files in quarantine
- XML formatted events are now supported
- CSP support for ignoring exclusion merges
@ -132,9 +136,16 @@ No known issues
- Improved Office VBA module scanning
### Known Issues
No known issues
<br/>
</details>
### Previous version updates: Technical upgrade support only
After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only.
<br/><br/>
<details>
<summary> August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)</summary>
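Review bot: the new "Previous version updates" paragraph contradicts the support policy later in the same file. Here, versions older than the previous two "are provided for technical upgrade support only", whereas the **Technical Support (Only) phase** bullet says "Platform versions older than N-2 will no longer be supported." Align the two statements, and settle on one name for the phase: the entries say "Technical upgrade support (only)", this heading says "Technical upgrade support only", and the policy bullet says "Technical Support (Only) phase".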
@ -142,7 +153,6 @@ No known issues
&ensp;Released: **August 27, 2020**
&ensp;Platform: **4.18.2008.9**
&ensp;Engine: **1.1.17400.5**
&ensp;Support phase: **Security and Critical Updates**
### What's new
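Review bot: this hunk removes one line from the August 2020 header block (7 lines become 6) right after that entry was moved under the "Technical upgrade support only" heading. If the dropped line is "Support phase: **Security and Critical Updates**", the entry is left with no support-phase line at all, while every other entry under that heading states "Support phase: **Technical upgrade support (only)**". Keep the line and change its value instead of deleting it.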
@ -166,11 +176,12 @@ No known issues
&ensp;Released: **July 28, 2020**
&ensp;Platform: **4.18.2007.8**
&ensp;Engine: **1.1.17300.4**
&ensp;Support phase: **Security and Critical Updates**
&ensp;Support phase: **Technical upgrade support (only)**
### What's new
* Improved telemetry for BITS
* Improved Authenticode code signing certificate validation
- Improved telemetry for BITS
- Improved Authenticode code signing certificate validation
### Known Issues
No known issues
@ -184,15 +195,16 @@ No known issues
&ensp;Released: **June 22, 2020**
&ensp;Platform: **4.18.2006.10**
&ensp;Engine: **1.1.17200.2**
&ensp;Support phase: **Technical upgrade Support (Only)**
&ensp;Support phase: **Technical upgrade support (only)**
### What's new
* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
* Skipping aggressive catchup scan in Passive mode.
* Allow Defender to update on metered connections
* Fixed performance tuning when caching is disabled
* Fixed registry query
* Fixed scantime randomization in ADMX
- Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
- Skipping aggressive catchup scan in Passive mode.
- Allow Defender to update on metered connections
- Fixed performance tuning when caching is disabled
- Fixed registry query
- Fixed scantime randomization in ADMX
### Known Issues
No known issues
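Review bot: "Skipping aggressive catchup scan in Passive mode." is the only bullet in this list with a terminal period, and "Possibility to specify the [location of the support logs](...)" reads awkwardly. Since the hunk already rewrites every bullet (`*` to `-`), drop the stray period and phrase the first item as "Added an option to specify the [location of the support logs](...)".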
@ -206,15 +218,16 @@ No known issues
&ensp;Released: **May 26, 2020**
&ensp;Platform: **4.18.2005.4**
&ensp;Engine: **1.1.17100.2**
&ensp;Support phase: **Technical upgrade Support (Only)**
&ensp;Support phase: **Technical upgrade support (only)**
### What's new
* Improved logging for scan events
* Improved user mode crash handling.
* Added event tracing for Tamper protection
* Fixed AMSI Sample submission
* Fixed AMSI Cloud blocking
* Fixed Security update install log
- Improved logging for scan events
- Improved user mode crash handling.
- Added event tracing for Tamper protection
- Fixed AMSI Sample submission
- Fixed AMSI Cloud blocking
- Fixed Security update install log
### Known Issues
No known issues
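Review bot: "Improved user mode crash handling." keeps a terminal period that the other five bullets lack; remove it while the markers are being changed. "Fixed AMSI Sample submission", "Fixed AMSI Cloud blocking" and "Fixed Security update install log" also have mid-sentence capitals that the rest of the file does not use ("sample submission", "cloud blocking", "security update").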
@ -228,16 +241,16 @@ No known issues
&ensp;Released: **April 30, 2020**
&ensp;Platform: **4.18.2004.6**
&ensp;Engine: **1.1.17000.2**
&ensp;Support phase: **Technical upgrade Support (Only)**
&ensp;Support phase: **Technical upgrade support (only)**
### What's new
* WDfilter improvements
* Add more actionable event data to attack surface reduction detection events
* Fixed version information in diagnostic data and WMI
* Fixed incorrect platform version in UI after platform update
* Dynamic URL intel for Fileless threat protection
* UEFI scan capability
* Extend logging for updates
- WDfilter improvements
- Add more actionable event data to attack surface reduction detection events
- Fixed version information in diagnostic data and WMI
- Fixed incorrect platform version in UI after platform update
- Dynamic URL intel for Fileless threat protection
- UEFI scan capability
- Extend logging for updates
### Known Issues
No known issues
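Review bot: "WDfilter improvements" spells the driver name differently from "Fixed WDFilter version info" in the November 2019 entry of this same file; use one spelling ("WDFilter"). In "Dynamic URL intel for Fileless threat protection", "Fileless" is not a proper noun and "intel" can be read as the vendor name; "Dynamic URL intelligence for fileless threat protection" avoids both.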
@ -251,15 +264,15 @@ No known issues
&ensp;Released: **March 24, 2020**
&ensp;Platform: **4.18.2003.8**
&ensp;Engine: **1.1.16900.4**
&ensp;Support phase: **Technical upgrade Support (Only)**
&ensp;Support phase: **Technical upgrade support (only)**
### What's new
* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus)
* Improve diagnostic capability
* reduce Security intelligence timeout (5 min)
* Extend AMSI engine internal log capability
* Improve notification for process blocking
- CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus)
- Improve diagnostic capability
- reduce Security intelligence timeout (5 min)
- Extend AMSI engine internal log capability
- Improve notification for process blocking
### Known Issues
[**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan.
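Review bot: this list mixes casing and tense: "reduce Security intelligence timeout (5 min)" starts lowercase, and "Improve diagnostic capability", "Extend AMSI engine internal log capability" and "Improve notification for process blocking" are imperatives while the rest of the file uses past tense ("Fixed", "Improved"). Suggest "Reduced the security intelligence update timeout to 5 minutes", "Improved diagnostic capability", "Extended the AMSI engine's internal logging", "Improved the notification for process blocking". The Known Issues item "[**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan." would be more useful if it named the version that carries the fix.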
@ -272,11 +285,11 @@ No known issues
<summary> February-2020 (Platform: - | Engine: 1.1.16800.2)</summary>
Security intelligence update version: **1.311.4.0**
Released: **February 25, 2020**
Platform/Client: **-**
Engine: **1.1.16800.2**
Support phase: **N/A**
&ensp;Security intelligence update version: **1.311.4.0**
&ensp;Released: **February 25, 2020**
&ensp;Platform/Client: **-**
&ensp;Engine: **1.1.16800.2**
&ensp;Support phase: **Technical upgrade support (only)**
### What's new
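Review bot: changing the February 2020 entry from "Support phase: **N/A**" to "Technical upgrade support (only)" looks wrong for this entry: it has "Platform/Client: **-**" (engine-only update 1.1.16800.2), and the support phases defined under "Microsoft Defender Antivirus platform support" are tied to the platform version. Either keep N/A with a short explanation (no platform update that month) or state explicitly that the phase refers to the engine.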
@ -294,24 +307,26 @@ Security intelligence update version: **1.309.32.0**
Released: **January 30, 2020**
Platform/Client: **4.18.2001.10**
Engine: **1.1.16700.2**
Support phase: **Technical upgrade Support (Only)**
&ensp;Support phase: **Technical upgrade support (only)**
### What's new
* Fixed BSOD on WS2016 with Exchange
* Support platform updates when TMP is redirected to network path
* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates)
* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility)
* Fix 4.18.1911.3 hang
- Fixed BSOD on WS2016 with Exchange
- Support platform updates when TMP is redirected to network path
- Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates)
- extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility)
- Fix 4.18.1911.3 hang
### Known Issues
[**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.
<br/>
> [!IMPORTANT]
> This updates is needed by RS1 devices running lower version of the platform to support SHA2. <br/>This update has reboot flag for systems that are experiencing the hang issue.<br/> the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability.
<br/>
> [!IMPORTANT]
> This update is categorized as an "update" due to its reboot requirement and will only be offered with a [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update)
> This update is:
> - needed by RS1 devices running lower version of the platform to support SHA2;
> - has a reboot flag for systems that have hanging issues;
> - is re-released in April 2020 and will not be superseded by newer updates to keep future availability;
> - is categorized as an update due to the reboot requirement; and
> - is only be offered with [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update).
<br/>
</details>
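Review bot: the rewritten IMPORTANT note is not grammatical as a list. The stem "This update is:" is followed by "- has a reboot flag ...", "- is re-released ...", "- is categorized ..." and "- is only be offered with ..." (which should be "is only offered"). Either make every item complete the stem ("This update: is needed by RS1 devices running a lower platform version to support SHA2; has a reboot flag for systems experiencing the hang issue; was re-released in April 2020 and will not be superseded, to keep it available; is categorized as an update because of the reboot requirement; is offered only through Windows Update") or drop the stem and write full sentences. In the same hunk only the Support phase line gains the `&ensp;` prefix; the context lines "Released:", "Platform/Client:" and "Engine:" above it still lack it, unlike every other entry in the file. "extend Emergency signature update to [passive mode]" should also start with a capital and read "Extended emergency signature updates to ...".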
@ -326,24 +341,23 @@ Support phase: **No support**
### What's new
* Fixed MpCmdRun tracing level
* Fixed WDFilter version info
* Improve notifications (PUA)
* add MRT logs to support files
- Fixed MpCmdRun tracing level
- Fixed WDFilter version info
- Improve notifications (PUA)
- add MRT logs to support files
### Known Issues
When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version.
<br/>
</details>
## Microsoft Defender Antivirus platform support
Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version:
- **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
* **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
* **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*
- **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*
\* Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version.
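Review bot: the lines shown for the two support-phase bullets carry different list markers (`-` on one, `*` on the other) although the rest of this file was just normalized to `-`; make sure both bullets end up with `-`. The trailing `*` on "will no longer be supported.*" is easy to misread as a stray bullet marker; a numbered footnote, or moving the "\* Technical support will continue ..." clarification into a NOTE block, would be clearer.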
@ -354,22 +368,38 @@ The below table provides the Microsoft Defender Antivirus platform and engine ve
|Windows 10 release |Platform version |Engine version |Support phase |
|:---|:---|:---|:---|
|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade Support (Only) |
|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) |
|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) |
|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) |
|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade Support (Only) |
|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade Support (Only) |
|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) |
|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) |
|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade support (only) |
|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade support (only) |
|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade support (only) |
|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade support (only) |
|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade support (only) |
|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade support (only) |
|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade support (only) |
|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade support (only) |
Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
For Windows 10 release information, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
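Review bot: the table stops at "2004 (20H1)" even though this same commit references the Windows 10 October 2020 Update (20H2) elsewhere (the ADMX download step in the PUA article). If the platform and engine versions shipped with 20H2 are known, add that row; otherwise say that the table covers releases through 2004. Every row now reads "Technical upgrade support (only)" in the Support phase column, so the column carries no information; one sentence above the table saying that all in-box versions listed are in that phase would be clearer.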
## Updates for Deployment Image Servicing and Management (DISM)
We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection. For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection.
For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
<details>
<summary>1.1.2101.02</summary>
&ensp;Package version: **1.1.2101.02**
&ensp;Platform version: **4.18.2011.6**
&ensp;Engine version: **1.17700.4**
&ensp;Signature version: **1.329.1796.0**
### Fixes
- None
### Additional information
- None
<br/>
</details><details>
<summary>1.1.2012.01</summary>
&ensp;Package version: **1.1.2012.01**
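Review bot: "Engine version: **1.17700.4**" in the new 1.1.2101.02 entry does not match the engine version format used everywhere else in this file (1.1.17xxx.y, for example "1.1.17400.5"); a component looks to be missing, so verify the value against the package before merging. An entry whose Fixes and Additional information are both "- None" also tells the reader nothing; at least say that the package only refreshes the platform (4.18.2011.6) and signature (1.329.1796.0) versions.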
@ -427,12 +457,12 @@ We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
<br/>
</details>
## See also
## Additional resources
| Article | Description |
|:---|:---|
|[Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images) | Review antimalware update packages for your OS installation images (WIM and VHD files). Get Microsoft Defender Antivirus updates for Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 installation images. |
|[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources. |
|[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through many sources. |
|[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded. |
|[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in. |
|[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. |

View File

@ -1,6 +1,6 @@
---
title: Define how mobile devices are updated by Microsoft Defender AV
description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender AV protection updates.
title: Define how mobile devices are updated by Microsoft Defender Antivirus
description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender Antivirus protection updates.
keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -11,7 +11,6 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
---
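Review bot: this hunk deletes `ms.date: 09/03/2018` instead of updating it; the other articles in this commit bump `ms.date` to 01/06/2021 (for example the remediation article above). Dropping the key removes the date shown on the published page, so set it to the current date rather than removing it, unless the removal is intentional.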
@ -25,53 +24,56 @@ manager: dansimp
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates.
Mobile devices and VMs may require more configuration to ensure performance is not impacted by updates.
There are two settings that are particularly useful for these devices:
There are two settings that are useful for these devices:
- Opt-in to Microsoft Update on mobile computers without a WSUS connection
- Opt in to Microsoft Update on mobile computers without a WSUS connection
- Prevent Security intelligence updates when running on battery power
The following topics may also be useful in these situations:
The following articles may also be useful in these situations:
- [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
- [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md)
## Opt-in to Microsoft Update on mobile computers without a WSUS connection
## Opt in to Microsoft Update on mobile computers without a WSUS connection
You can use Microsoft Update to keep Security intelligence on mobile devices running Microsoft Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update.
You can opt-in to Microsoft Update on the mobile device in one of the following ways:
You can opt in to Microsoft Update on the mobile device in one of the following ways:
1. Change the setting with Group Policy
2. Use a VBScript to create a script, then run it on each computer in your network.
3. Manually opt-in every computer on your network through the **Settings** menu.
- Change the setting with Group Policy.
- Use a VBScript to create a script, then run it on each computer in your network.
- Manually opt in every computer on your network through the **Settings** menu.
### Use Group Policy to opt-in to Microsoft Update
### Use Group Policy to opt in to Microsoft Update
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
3. Select **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**.
4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**.
6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
5. Set **Allow security intelligence updates from Microsoft Update** to **Enabled**, and then select **OK**.
### Use a VBScript to opt-in to Microsoft Update
### Use a VBScript to opt in to Microsoft Update
1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript.
2. Run the VBScript you created on each computer in your network.
1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript.
### Manually opt-in to Microsoft Update
2. Run the VBScript you created on each computer in your network.
1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in.
2. Click **Advanced** options.
3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**.
### Manually opt in to Microsoft Update
1. Open **Windows Update** in **Update & security** settings on the computer you want to opt in.
2. Select **Advanced** options.
3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**.
## Prevent Security intelligence updates when running on battery power
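Review bot: capitalization of "security intelligence" is left inconsistent in this hunk. The bullet "Prevent Security intelligence updates when running on battery power", the matching heading, and "keep Security intelligence on mobile devices ... up to date" keep a capital S, while the Group Policy setting quoted in step 5, "Allow security intelligence updates from Microsoft Update", uses lowercase. Since the hunk already normalizes "opt-in" to "opt in" throughout, use lowercase "security intelligence" in running text and keep exact casing only inside the quoted setting names.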
@ -79,17 +81,15 @@ You can configure Microsoft Defender Antivirus to only download protection updat
### Use Group Policy to prevent security intelligence updates on battery power
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), choose the Group Policy Object you want to configure, and open it for editing.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
3. Select **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following setting:
1. Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**.
2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power.
4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**, and then set **Allow security intelligence updates when running on battery power** to **Disabled**. Then select **OK**.
This action prevents protection updates from downloading when the PC is on battery power.
## Related articles
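Review bot: step 1 here is reworded to "choose the Group Policy Object you want to configure, and open it for editing", while the identical step in the opt-in procedure earlier in this same file is reworded to "right-click the Group Policy Object you want to configure and select **Edit**". The two procedures should read the same; the explicit right-click and **Edit** form is the more actionable of the two and matches the **Select ... OK** style used in the remaining steps.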

View File

@ -1,7 +1,7 @@
---
title: Microsoft Defender Antivirus compatibility with other security products
description: Microsoft Defender Antivirus operates in different ways depending on what other security products you have installed, and the operating system you are using.
keywords: windows defender, atp, advanced threat protection, compatibility, passive mode
description: Get an overview of what to expect from Microsoft Defender Antivirus with other security products and the operating systems you are using.
keywords: windows defender, next-generation, atp, advanced threat protection, compatibility, passive mode
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -11,9 +11,9 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.reviewer: pahuijbr, shwjha
ms.reviewer: tewchen, pahuijbr, shwjha
manager: dansimp
ms.date: 01/04/2021
ms.date: 01/11/2021
---
# Microsoft Defender Antivirus compatibility
@ -66,32 +66,35 @@ See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-def
## Functionality and features available in each state
The following table summarizes the functionality and features that are available in each state:
The table in this section summarizes the functionality and features that are available in each state.
> [!IMPORTANT]
> The following table is informational, and it is designed to describe the features & capabilities that are turned on or off according to whether Microsoft Defender Antivirus is in Active mode, in Passive mode, or disabled/uninstalled. Do not turn off capabilities, such as real-time protection, if you are using Microsoft Defender Antivirus in passive mode or are using EDR in block mode.
|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) |
|--|--|--|--|--|--|
|Active mode <br/><br/> |Yes |No |Yes |Yes |Yes |
|Passive mode |Yes |No |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes |
|Passive mode |No |No |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes |
|[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md) |No |No |Yes |Yes |Yes |
|Automatic disabled mode |No |Yes |No |No |No |
- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items.
- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended.
## Keep the following points in mind
If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
- If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
When Microsoft Defender Antivirus is automatically disabled, it can automatically re-enabled if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
- When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the protection offered by a non-Microsoft antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. Automatic re-enabling helps to ensure that antivirus protection is maintained on your devices. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
In passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
- When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have an up-to-date, non-Microsoft antivirus product providing real-time protection from malware.
If you uninstall the other product, and choose to use Microsoft Defender Antivirus to provide protection to your endpoints, Microsoft Defender Antivirus will automatically return to its normal active mode.
If you uninstall the non-Microsoft antivirus product, and use Microsoft Defender Antivirus to provide protection to your devices, Microsoft Defender Antivirus will return to its normal active mode automatically.
> [!WARNING]
> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
> Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
## See also
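Review bot: flipping the Passive mode row's real-time and cloud-delivered protection cell from "Yes" to "No" contradicts two nearby lines that this hunk leaves untouched. The IMPORTANT callout above the table says "Do not turn off capabilities, such as real-time protection, if you are using Microsoft Defender Antivirus in passive mode", and the bullet below the table says that in Passive mode "Files are scanned and reports are provided for threat detections". If real-time protection is indeed inactive in passive mode, reword the callout to say the setting must stay enabled even though it is not providing protection in that mode, and qualify the bullet (for example, scanned during scheduled or on-demand scans, as the remediation cell already states). While editing the bullets, "detection information are reported" should read "detection information is reported".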
@ -100,5 +103,4 @@ If you uninstall the other product, and choose to use Microsoft Defender Antivir
- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md)
- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
- [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
- [Configure Endpoint Protection on a standalone client](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure-standalone-client)
- [Learn about Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)

View File

@ -24,9 +24,9 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Microsoft Defender Antivirus
- Office 365
- Microsoft 365
You might already know that:

View File

@ -14,7 +14,7 @@ audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 11/19/2020
ms.date: 01/07/2021
---
# Protect security settings with tamper protection
@ -24,8 +24,12 @@ ms.date: 11/19/2020
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Tamper protection is available on devices running the following versions of Windows:
- Windows 10
- Windows Server 2019 (if using tenant attach with [Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006))
- Windows Server 2016 and 2019 (if using tenant attach with [Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006))
## Overview
@ -74,7 +78,7 @@ Tamper protection doesn't prevent you from viewing your security settings. And,
If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do change security settings, such as tamper protection.
1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**.
1. Click **Start**, and start typing *Security*. In the search results, select **Windows Security**.
2. Select **Virus & threat protection** > **Virus & threat protection settings**.
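Review bot: the context line directly above step 1 still reads "to do change security settings, such as tamper protection"; since step 1 is being edited anyway, drop the stray "do" in the same change so the sentence reads "to change security settings, such as tamper protection".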
@ -90,7 +94,7 @@ If you are part of your organization's security team, and your subscription incl
You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune:
1. Make sure your organization meets all of the following requirements to use Intune to manage tamper protection:
- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.)
- Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).)
@ -101,15 +105,15 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
3. Select **Devices** > **Configuration Profiles**.
4. Create a profile as follows:
4. Create a profile that includes the following settings:
- Platform: **Windows 10 and later**
- **Platform: Windows 10 and later**
- Profile type: **Endpoint protection**
- **Profile type: Endpoint protection**
- Category: **Microsoft Defender Security Center**
- **Category: Microsoft Defender Security Center**
- Tamper Protection: **Enabled**
- **Tamper Protection: Enabled**
![Turn tamper protection on with Intune](images/turnontamperprotect-MEM.png)
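Review bot: extending the bold to cover the whole "Platform: Windows 10 and later" string (and the three items after it) removes the distinction between the field name and the value the reader has to select. The rest of this page bolds only UI elements and values ("Select **Devices** > **Configuration Profiles**"), so keep the label plain and bold only the value, as the removed lines did: "Platform: **Windows 10 and later**".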
@ -132,7 +136,7 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release
> [!IMPORTANT]
> The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure.
If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices.
If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10, Windows Server 2016, and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices.
1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions).
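Review bot: the IMPORTANT callout two lines above the edited paragraph still says "extend tamper protection to devices running Windows 10 and Windows Server 2019", while the paragraph now adds Windows Server 2016 (matching the new "Windows Server 2016 and 2019" entry in the availability list earlier in this file). Update the callout in the same hunk so the two statements agree.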
@ -209,7 +213,7 @@ Your regular group policy doesnt apply to tamper protection, and changes to M
### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only?
Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization as well as to specific devices and user groups.
Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization and to specific devices and user groups.
### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager?

View File

@ -23,7 +23,7 @@ ms.custom: nextgen
**Applies to:**
- Microsoft Defender Antivirus
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can specify your level of cloud-delivered protection offered by Microsoft Defender Antivirus by using Microsoft Endpoint Manager (recommended) or Group Policy.

View File

@ -21,7 +21,7 @@ ms.custom: nextgen
**Applies to:**
- Microsoft Defender Antivirus
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.

View File

@ -42,6 +42,12 @@ Turn on this feature so that users with the appropriate permissions can start a
For more information about role assignments, see [Create and manage roles](user-roles.md).
## Live response for servers
Turn on this feature so that users with the appropriate permissions can start a live response session on servers.
For more information about role assignments, see [Create and manage roles](user-roles.md).
## Live response unsigned script execution
Enabling this feature allows you to run unsigned scripts in a live response session.
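Review bot: the new "Live response for servers" section repeats the workstation section word for word except for "on servers", so a reader cannot tell how the two toggles differ or which platforms the server toggle covers. State which server operating systems this setting applies to, or link to the live response prerequisites, rather than only repeating the role-assignment link.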

View File

@ -14,7 +14,7 @@ ms.author: deniseb
ms.reviewer: sugamar, jcedola
manager: dansimp
ms.custom: asr
ms.date: 12/10/2020
ms.date: 01/08/2021
---
# Use attack surface reduction rules to prevent malware infection
@ -243,6 +243,12 @@ Microsoft Endpoint Configuration Manager name: `Block executable content from em
GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`
> [!NOTE]
> The rule **Block executable content from email client and webmail** has the following alternative descriptions, depending on which application you use:
> - Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions).
> - Endpoint Manager: Block executable content download from email and webmail clients.
> - Group Policy: Block executable content from email client and webmail.
### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:
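Review bot: the labels "Intune (Configuration Profiles)" and "Endpoint Manager" in the new note overlap, because Intune is administered through the Microsoft Endpoint Manager admin center (elsewhere in this commit: "Configuring tamper protection in Intune or Microsoft Endpoint Manager"). Name the specific surface the second description comes from (for example, the Endpoint security blade, if that is what is meant) so readers can tell which of the two strings they will see. The three descriptions also end inconsistently: the Intune one closes with "(no exceptions)." while the other two are plain sentences.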
@ -462,4 +468,4 @@ GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
- [Compatibility of Microsoft Defender with other antivirus/antimalware](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
- [Compatibility of Microsoft Defender Antivirus with other antivirus/antimalware solutions](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)

View File

@ -1,6 +1,6 @@
---
title: Customize controlled folder access
description: Add additional folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files.
description: Add other folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files.
keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -12,7 +12,7 @@ author: denisebmsft
ms.author: deniseb
ms.reviewer: jcedola, dbodorin, vladiso, nixanm, anvascon
manager: dansimp
ms.date: 12/16/2020
ms.date: 01/06/2021
---
# Customize controlled folder access
@ -38,7 +38,7 @@ This article describes how to customize controlled folder access capabilities, a
## Protect additional folders
Controlled folder access applies to a number of system folders and default locations, including folders such as **Documents**, **Pictures**, and **Movies**. You can add additional folders to be protected, but you cannot remove the default folders in the default list.
Controlled folder access applies to many system folders and default locations, including folders such as **Documents**, **Pictures**, and **Movies**. You can add additional folders to be protected, but you cannot remove the default folders in the default list.
Adding other folders to controlled folder access can be helpful for cases when you don't store files in the default Windows libraries, or you've changed the default location of your libraries.
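Review bot: the replacement line still says "You can add additional folders to be protected" even though this same commit changes the article description from "Add additional folders" to "Add other folders" and the sentence now opens with "applies to many system folders". Change "add additional folders" here as well (to "add other folders" or "add more folders") so the body matches the metadata.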
@ -72,7 +72,7 @@ You can use the Windows Security app, Group Policy, PowerShell cmdlets, or mobil
### Use PowerShell to protect additional folders
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
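Review bot: step 1 ("Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**") ends without a period while step 2 ends with a colon; add the terminating period and, since the line is being touched, a comma before "and select" for parallel structure. The same applies to the identical step in the "Use PowerShell to allow specific apps" hunk below.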
@ -125,7 +125,7 @@ An allowed application or service only has write access to a controlled folder a
### Use PowerShell to allow specific apps
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
```PowerShell

View File

@ -48,27 +48,27 @@ For the associated PowerShell cmdlets for each mitigation, see the [PowerShell r
| Mitigation | Description | Can be applied to | Audit mode available |
| ---------- | ----------- | ----------------- | -------------------- |
| Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] |
| Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] |
| Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] |
| Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] |
| Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] |
| Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] |
| Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
| Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
| Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] |
| Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
| Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
| Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] |
| Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
| Don't allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
| Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
| Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
| Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
| Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
| Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] |
| Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] |
| Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
| Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | ![Check mark no](../images/svg/check-no.svg) |
| Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | ![Check mark no](../images/svg/check-no.svg) |
| Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | ![Check mark no](../images/svg/check-no.svg) |
| Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | ![Check mark no](../images/svg/check-no.svg) |
| Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | ![Check mark no](../images/svg/check-no.svg) |
| Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | ![Check mark no](../images/svg/check-no.svg) |
| Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | ![Check mark yes](../images/svg/check-yes.svg) |
| Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | ![Check mark yes](../images/svg/check-yes.svg)|
| Block remote images | Prevents loading of images from remote devices. | App-level only | ![Check mark no](../images/svg/check-no.svg |
| Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | !include[Check mark yes](../images/svg/check-yes.svg) |
| Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) |
| Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | ![Check mark no](../images/svg/check-no.svg) |
| Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) |
| Don't allow child processes | Prevents an app from creating child processes. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) |
| Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) |
| Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) |
| Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | ![Check mark yes](../images/svg/check-yes.svg) |
| Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | ![Check mark yes](../images/svg/check-yes.svg) |
| Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | ![Check mark no](../images/svg/check-no.svg) |
| Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | ![Check mark no](../images/svg/check-no.svg) |
| Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | ![Check mark yes](../images/svg/check-yes.svg) |
> [!IMPORTANT]
> If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
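Review bot: two rows of the converted table are malformed and will render as literal text rather than a check-mark image. The **Block remote images** row ends with `![Check mark no](../images/svg/check-no.svg |`, missing the closing parenthesis, and the **Block untrusted fonts** row uses `!include[Check mark yes](../images/svg/check-yes.svg)`, which is neither the old `[!include[...]]` form nor the new `![...]` image form. Suggested replacements: `![Check mark no](../images/svg/check-no.svg) |` and `![Check mark yes](../images/svg/check-yes.svg) |`, matching the other rewritten rows.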
@ -76,10 +76,10 @@ For the associated PowerShell cmdlets for each mitigation, see the [PowerShell r
>
> | Enabled in **Program settings** | Enabled in **System settings** | Behavior |
> | ------------------------------- | ------------------------------ | -------- |
> | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** |
> | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** |
> | [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** |
> | [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option |
> | ![Check mark yes](../images/svg/check-yes.svg) | ![Check mark no](../images/svg/check-no.svg) | As defined in **Program settings** |
> | ![Check mark yes](../images/svg/check-yes.svg) | ![Check mark yes](../images/svg/check-yes.svg) | As defined in **Program settings** |
> | ![Check mark no](../images/svg/check-no.svg) | ![Check mark yes](../images/svg/check-yes.svg) | As defined in **System settings** |
> | ![Check mark no](../images/svg/check-no.svg) | ![Check mark yes](../images/svg/check-yes.svg) | Default as defined in **Use default** option |
>
>
>
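Review bot: the last row of the matrix repeats the inputs of the row above it. Both rows read no in **Program settings** and yes in **System settings**, yet one resolves to **System settings** and the other to the **Use default** option, so the table contradicts itself. The final row is presumably the case where neither is enabled; if so it should read `> | ![Check mark no](../images/svg/check-no.svg) | ![Check mark no](../images/svg/check-no.svg) | Default as defined in **Use default** option |`. The removed lines carry the same inputs, so this predates the hunk, but since every row is being rewritten this is the place to fix it.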

View File

@ -15,7 +15,7 @@ ms.localizationpriority: medium
ms.custom:
- next-gen
- edr
ms.date: 12/14/2020
ms.date: 01/07/2021
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
@ -32,7 +32,7 @@ ms.collection:
## What is EDR in block mode?
When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is turned on, Defender for Endpoint blocks malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected, post breach.
[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode provides protection from malicious artifacts, even when Microsoft Defender Antivirus is running in passive mode. When turned on, EDR in block mode blocks malicious artifacts or behaviors that are detected on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post breach.
EDR in block mode is also integrated with [threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt). Your organization's security team will get a [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) to turn EDR in block mode on if it isn't already enabled.
@ -43,7 +43,7 @@ EDR in block mode is also integrated with [threat & vulnerability management](ht
## What happens when something is detected?
When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Prevented** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center).
When EDR in block mode is turned on, and a malicious artifact is detected, Microsoft Defender for Endpoint blocks and remediates that artifact. You'll see detection status as **Blocked** or **Prevented** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center).
The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode:
@ -71,32 +71,61 @@ The following image shows an instance of unwanted software that was detected and
|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). |
|Operating system |One of the following versions: <br/>- Windows 10 (all releases) <br/>- Windows Server 2016 or later |
|Windows E5 enrollment |Windows E5 is included in the following subscriptions: <br/>- Microsoft 365 E5 <br/>- Microsoft 365 E3 together with the Identity & Threat Protection offering <br/><br/>See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled. <br/><br/>See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). |
|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. <br/>In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. <br/> In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
|Microsoft Defender Antivirus |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode). |
|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). |
|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
> [!IMPORTANT]
> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your exclusions are defined.
> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your [exclusions are configured](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md). EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus.
## Frequently asked questions
### Do I need to turn EDR in block mode on even when I have Microsoft Defender Antivirus running on devices?
We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode gives you an added layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections.
We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode provides another layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections.
### Will EDR in block mode have any impact on a user's antivirus protection?
EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), except it also blocks and remediates malicious artifacts or behaviors that are detected.
### Why do I need to keep Microsoft Defender Antivirus up to date?
Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest device learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date.
Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date. For EDR in block mode to be effective, it uses the latest device learning models, behavioral detections, and heuristics. The [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner. To get best protection value, you should keep Microsoft Defender Antivirus up to date.
### Why do we need cloud protection on?
Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models.
### How do I set Microsoft Defender Antivirus to passive mode?
See [Enable Microsoft Defender Antivirus and confirm it's in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).
### How do I confirm Microsoft Defender Antivirus is in active or passive mode?
To confirm whether Microsoft Defender Antivirus is running in active or passive mode, you can use Command Prompt or PowerShell on a device running Windows.
#### Use PowerShell
1. Select the Start menu, begin typing `PowerShell`, and then open Windows PowerShell in the results.
2. Type `Get-MpComputerStatus`.
3. In the list of results, in the **AMRunningMode** row, look for one of the following values:
- `Normal`
- `Passive Mode`
- `SxS Passive Mode`
To learn more, see [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus).
#### Use Command Prompt
1. Select the Start menu, begin typing `Command Prompt`, and then open Windows Command Prompt in the results.
2. Type `sc query windefend`.
3. In the list of results, in the **STATE** row, confirm that the service is running.
## See also
- [Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617)
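Review bot: the new **Use Command Prompt** procedure does not answer the question its section poses. `sc query windefend` only reports whether the Microsoft Defender Antivirus service is running (the **STATE** row); it cannot distinguish active from passive mode, which is what the heading "How do I confirm Microsoft Defender Antivirus is in active or passive mode?" and the new requirements row that links to it promise. Either say explicitly that this check confirms only that the service is running and that the mode must be read from **AMRunningMode** via `Get-MpComputerStatus`, or drop the Command Prompt subsection so readers are not led to treat a running service as proof of the mode.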

View File

@ -31,13 +31,12 @@ manager: dansimp
Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
You can enable each mitigation separately by using any of these methods:
* [Windows Security app](#windows-security-app)
* [Microsoft Intune](#intune)
* [Mobile Device Management (MDM)](#mdm)
* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
* [Group Policy](#group-policy)
* [PowerShell](#powershell)
- [Windows Security app](#windows-security-app)
- [Microsoft Intune](#intune)
- [Mobile Device Management (MDM)](#mdm)
- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
- [Group Policy](#group-policy)
- [PowerShell](#powershell)
Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options.
@ -47,15 +46,15 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
## Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Security**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**.
3. Go to **Program settings** and choose the app you want to apply mitigations to. <br/>
- If the app you want to configure is already listed, click it and then click **Edit**.
- If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. <br/>
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows.
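Review bot: step 1 changes the Start menu search term from **Defender** to **Security**, but the equivalent step in the other Windows Security app procedure in this commit (`1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**.`) keeps **Defender**. The two procedures should agree; pick one term and apply it in both files.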
@ -72,10 +71,10 @@ If you add an app to the **Program settings** section and configure individual m
|Enabled in **Program settings** | Enabled in **System settings** | Behavior |
|:---|:---|:---|
|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** |
|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** |
|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** |
|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option |
|![Check mark yes](../images/svg/check-yes.svg) | ![Check mark no](../images/svg/check-no.svg) | As defined in **Program settings** |
|![Check mark yes](../images/svg/check-yes.svg) | ![Check mark yes](../images/svg/check-yes.svg) | As defined in **Program settings** |
|![Check mark no](../images/svg/check-no.svg) | ![Check mark yes](../images/svg/check-yes.svg) | As defined in **System settings** |
|![Check mark no](../images/svg/check-no.svg) | ![Check mark yes](../images/svg/check-yes.svg) | Default as defined in **Use default** option |
### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default
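Review bot: the last two rows of this matrix have identical inputs (no in **Program settings**, yes in **System settings**) but different outcomes, so the table cannot be read consistently. The last row is presumably the case where neither setting is enabled; suggested: `|![Check mark no](../images/svg/check-no.svg) | ![Check mark no](../images/svg/check-no.svg) | Default as defined in **Use default** option |`. The copy of this matrix in the IMPORTANT note earlier in this commit has the same defect and should be fixed in step.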
@ -160,11 +159,8 @@ Get-ProcessMitigation -Name processName.exe
> [!IMPORTANT]
> System-level mitigations that have not been configured will show a status of `NOTSET`.
>
> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
>
> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
>
> - For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
> - For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
> The default setting for each system-level mitigation can be seen in the Windows Security.
Use `Set` to configure each mitigation in the following format:
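Review bot: turning the two NOTSET sentences into list items dropped the blank `>` line that separated them from the sentence that follows, so `> The default setting for each system-level mitigation can be seen in the Windows Security.` will be parsed as a lazy continuation of the second bullet instead of a new paragraph inside the note. Keep a bare `>` line between `> - For app-level settings, ...` and that sentence. Also, "in the Windows Security" is missing its noun; "in the Windows Security app" matches the wording used elsewhere in this page.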
@ -207,31 +203,31 @@ If you need to restore the mitigation back to the system default, you need to in
Set-Processmitigation -Name test.exe -Remove -Disable DEP
```
This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation.
This table lists the individual **Mitigations** (and **Audits**, when available) to be used with the `-Enable` or `-Disable` cmdlet parameters.
|Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet |
|:---|:---|:---|:---|
|Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available |
|Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available |
|Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available |
|Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
|Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available
|Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available
|Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
|Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
|Block remote images | App-level only | BlockRemoteImages | Audit not available
|Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly
|Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned
|Disable extension points | App-level only | ExtensionPoint | Audit not available
|Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall
|Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess
|Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="#r1" id="t1">\[1\]</a> | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|Validate handle usage | App-level only | StrictHandle | Audit not available |
|Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available |
|Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available<a href="#r2" id="t2">\[2\]</a> |
| Mitigation type | Applies to | Mitigation cmdlet parameter keyword | Audit mode cmdlet parameter |
| :-------------- | :--------- | :---------------------------------- | :-------------------------- |
| Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available |
| Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available |
| Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available |
| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
| Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available |
| Validate heap integrity | System and app-level | TerminateOnError | Audit not available |
| Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode |
| Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad |
| Block remote images | App-level only | BlockRemoteImages | Audit not available |
| Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly |
| Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned |
| Disable extension points | App-level only | ExtensionPoint | Audit not available |
| Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall |
| Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess |
| Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="#r1" id="t1">\[1\]</a> | Audit not available<a href="#r2" id="t2">\[2\]</a> |
| Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available<a href="#r2" id="t2">\[2\]</a> |
| Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available<a href="#r2" id="t2">\[2\]</a> |
| Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available<a href="#r2" id="t2">\[2\]</a> |
| Validate handle usage | App-level only | StrictHandle | Audit not available |
| Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available |
| Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available<a href="#r2" id="t2">\[2\]</a> |
<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for DLLs for a process:
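Review bot: the rewritten table still has a few inconsistencies worth fixing while it is open. The **Randomize memory allocations (Bottom-Up ASLR)** row is the only one that still lacks the closing `|` (the SEHOP and heap rows got it). `EnforceModuleDepencySigning` in the **Validate image dependency integrity** row looks like a misspelling carried over from the old table and should be checked against the keyword the cmdlet actually accepts, since readers will paste it into `-Enable`. The heap row changes its keyword from `TerminateOnHeapError` to `TerminateOnError` with no note in the commit; please confirm the new value against `Get-ProcessMitigation` output. Finally, `<a href="#r2" id="t2">` is repeated on five rows, producing duplicate `id="t2"` attributes in the rendered HTML; only the first occurrence needs the id, or give each its own.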
@ -239,6 +235,7 @@ This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
```
<a href="#t2" id="r2">\[2\]</a>: Audit for this mitigation is not available via Powershell cmdlets.
## Customize the notification
See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
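Review bot: `Powershell` in the new footnote (`<a href="#t2" id="r2">\[2\]</a>: Audit for this mitigation is not available via Powershell cmdlets.`) should be `PowerShell`, matching the capitalization used in the table introduction and section headings.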

View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.date: 08/28/2020
ms.date: 01/06/2021
ms.reviewer:
manager: dansimp
---
@ -38,20 +38,20 @@ You can set mitigation in audit mode for specific programs either by using the W
### Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**.
3. Go to **Program settings** and choose the app you want to apply protection to:
1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
1. If the app you want to configure is already listed, select it and then select **Edit**
2. If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
- Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
5. Repeat this procedure for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration.
### PowerShell
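Review bot: step 1 still searches the Start menu for **Defender** while the matching step in the customize procedure earlier in this commit was changed to **Security**; the two should agree. Also, the rewritten sub-step `1. If the app you want to configure is already listed, select it and then select **Edit**` is missing the terminating period that its sibling sub-step has.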

View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.date: 07/20/2020
ms.date: 01/06/2021
ms.reviewer: cjacks
manager: dansimp
ms.custom: asr
@ -223,7 +223,7 @@ Block low integrity images will prevent the application from loading files that
### Description
Block remote images will prevent the application from loading files that are hosted on a remote device, such as a UNC share. This helps protect against loading binaries into memory that are on an external device controlled by the attacker.
Blocking remote images helps to prevent the application from loading files that are hosted on a remote device, such as a UNC share. Blocking remote images helps protect against loading binaries into memory that are on an external device controlled by the attacker.
This mitigation will block image loads if the image is determined to be on a remote device. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a remote file, it will trigger a STATUS_ACCESS_DENIED error.
@ -257,7 +257,7 @@ The most common use of fonts outside of the system fonts directory is with [web
### Description
Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. This includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process.
Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. Code integrity guard includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process.
This mitigation is implemented within the memory manager, which blocks the binary from being mapped into memory. If you attempt to load a binary that is not signed by Microsoft, the memory manger will return the error STATUS_INVALID_IMAGE_HASH. By blocking at the memory manager level, this prevents both binaries loaded by the process and binaries injected into the process.
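Review bot: replacing "This" with "Code integrity guard" in the second sentence makes it say the guard "includes" WHQL signatures, which is not the intended meaning; it is the set of accepted signatures that includes WHQL. Suggest: "Accepted signatures include [WHQL](...) (Windows Hardware Quality Labs) signatures, so WHQL-approved drivers can run within the process." While in this block, "memory manger" in the following context line is a typo for "memory manager".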
@ -275,9 +275,9 @@ This mitigation specifically blocks any binary that is not signed by Microsoft.
### Description
Control flow guard (CFG) mitigates the risk of attackers leveraging memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program).
Control flow guard (CFG) mitigates the risk of attackers using memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program).
This mitigation is provided by injecting an additional check at compile time. Before each indirect function call, additional instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation.
This mitigation is provided by injecting another check at compile time. Before each indirect function call, another instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation.
The check for a valid target is provided by the Windows kernel. When executable files are loaded, the metadata for indirect call targets is extracted at load time and marked as valid call targets. Additionally, when memory is allocated and marked as executable (such as for generated code), these memory locations are also marked as valid call targets, to support mechanisms such as JIT compilation.
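Review bot: "injecting another check at compile time" and "another instructions are added" in the rewritten second paragraph are wrong: "another instructions" is ungrammatical, and "another check" suggests one extra check rather than one before every indirect call. Keep "an additional check" / "additional instructions", or use "extra". The first paragraph also still reads "may user a buffer overflow vulnerability" in both the old and new lines; fix to "may use".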
@ -296,7 +296,7 @@ Since applications must be compiled to support CFG, they implicitly declare thei
### Description
Data execution prevention (DEP) prevents memory that was not explicitly allocated as executable from being executed. This helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code.
Data execution prevention (DEP) prevents memory that was not explicitly allocated as executable from being executed. DEP helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code.
If you attempt to set the instruction pointer to a memory address not marked as executable, the processor will throw an exception (general-protection violation), causing the application to crash.
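Review bot: the context line after the rewrite says the processor throws a "general-protection violation" when the instruction pointer lands on a non-executable page. What the application observes is an access violation exception (STATUS_ACCESS_VIOLATION); the hardware fault behind it on NX-capable processors is a page fault, not a general-protection fault. Suggest "the processor faults and the application receives an access violation exception, causing it to crash", which also matches the STATUS_ error names used elsewhere on this page.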
@ -304,7 +304,7 @@ If you attempt to set the instruction pointer to a memory address not marked as
All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is assumed.
All x86 (32-bit) binaries will have DEP enabled by default, but it can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, may not be compatible with DEP. These are typically applications that dynamically generate code (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code.
All x86 (32-bit) binaries have DEP enabled by default, but DEP can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, might not be compatible with DEP. Such applications typically generate code dynamically (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code.
### Configuration options
@ -324,7 +324,7 @@ This includes:
### Compatibility considerations
Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third party Legacy IMEs that will not work with the protected application.
Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third-party Legacy IMEs that will not work with the protected application.
### Configuration options
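Review bot: the "third-party" hyphen fix is right, but "Legacy" in "third-party Legacy IMEs" should be lower case, and "relatively infrequently used" can simply be "rarely used". Since the list of extension points this sentence refers to sits above the hunk, expanding IME (Input Method Editor) on first use here would help readers who land on this section directly.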
@ -341,7 +341,7 @@ Win32k.sys provides a broad attack surface for an attacker. As a kernel-mode com
### Compatibility considerations
This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will leverage process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation.
This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will use process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation.
### Configuration options
@ -379,18 +379,18 @@ This mitigation is primarily an issue for applications such as debuggers, sandbo
### Configuration options
**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for additional commonly attacked modules:
**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for other commonly attacked modules:
- mshtml.dll
- flash*.ocx
- jscript*.ocx
- vbscript.dll
- vgx.dll
- mozjs.dll
- xul.dll
- acrord32.dll
- acrofx32.dll
- acroform.api
- `mshtml.dll`
- `flash*.ocx`
- `jscript*.ocx`
- `vbscript.dll`
- `vgx.dll`
- `mozjs.dll`
- `xul.dll`
- `acrord32.dll`
- `acrofx32.dll`
- `acroform.api`
Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the page containing the "MZ" header, the first two bytes of the [DOS header in a PE file](https://docs.microsoft.com/windows/win32/debug/pe-format#ms-dos-stub-image-only), which is another aspect of known memory content which shellcode can look for to identify modules potentially of interest in memory.
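Review bot: "adds protections for other commonly attacked modules" changes the meaning: "additional" said these modules are protected on top of what plain EAF already covers, while "other" reads as "different ones". Prefer "adds protection for these additional commonly attacked modules:". The backtick formatting of the module names is good; since `flash*.ocx` and `jscript*.ocx` are patterns, a short note that `*` matches any version suffix would stop readers searching for those literal filenames.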
@ -400,7 +400,7 @@ Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection t
### Description
Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker leveraging techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose.
Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker using techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose.
Mandatory ASLR forces a rebase of all DLLs within the process. A developer can enable ASLR using the [/DYNAMICBASE](https://docs.microsoft.com/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019&preserve-view=true) linker option, and this mitigation has the same effect.
@ -427,31 +427,31 @@ The memory pages for all protected APIs will have the [PAGE_GUARD](https://docs.
This mitigation protects the following Windows APIs:
- GetProcAddress
- GetProcAddressForCaller
- LoadLibraryA
- LoadLibraryExA
- LoadLibraryW
- LoadLibraryExW
- LdrGetProcedureAddress
- LdrGetProcedureAddressEx
- LdrGetProcedureAddressForCaller
- LdrLoadDll
- VirtualProtect
- VirtualProtectEx
- VirtualAlloc
- VirtualAllocEx
- NtAllocateVirtualMemory
- NtProtectVirtualMemory
- CreateProcessA
- CreateProcessW
- WinExec
- CreateProcessAsUserA
- CreateProcessAsUserW
- GetModuleHandleA
- GetModuleHandleW
- RtlDecodePointer
- DecodePointer
- `GetProcAddress`
- `GetProcAddressForCaller`
- `LoadLibraryA`
- `LoadLibraryExA`
- `LoadLibraryW`
- `LoadLibraryExW`
- `LdrGetProcedureAddress`
- `LdrGetProcedureAddressEx`
- `LdrGetProcedureAddressForCaller`
- `LdrLoadDll`
- `VirtualProtect`
- `VirtualProtectEx`
- `VirtualAlloc`
- `VirtualAllocEx`
- `NtAllocateVirtualMemory`
- `NtProtectVirtualMemory`
- `CreateProcessA`
- `CreateProcessW`
- `WinExec`
- `CreateProcessAsUserA`
- `CreateProcessAsUserW`
- `GetModuleHandleA`
- `GetModuleHandleW`
- `RtlDecodePointer`
- `DecodePointer`
### Compatibility considerations
@ -471,7 +471,7 @@ The size of the 32-bit address space places practical constraints on the entropy
### Compatibility considerations
Most applications that are compatible with Mandatory ASLR (rebasing) will also be compatible with the additional entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4 GB), and thus will be incompatible with the high entropy option (which can be disabled).
Most applications that are compatible with Mandatory ASLR (rebasing) are also compatible with the other entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4 GB), and thus will be incompatible with the high entropy option (which can be disabled).
### Configuration options
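Review bot: "the other entropy of Bottom-up ASLR" is a meaning change, not a style fix: bottom-up ASLR adds entropy on top of mandatory rebasing, so keep "the additional entropy" (or "the extra entropy"). The pointer-truncation caveat in the same line is useful; "saving local pointers in 32-bit variables" would be clearer without "local", since truncation happens wherever a 64-bit pointer is stored in a 32-bit slot.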
@ -488,40 +488,40 @@ Simulate execution (SimExec) is a mitigation for 32-bit applications only. This
The APIs intercepted by this mitigation are:
- LoadLibraryA
- LoadLibraryW
- LoadLibraryExA
- LoadLibraryExW
- LdrLoadDll
- VirtualAlloc
- VirtualAllocEx
- NtAllocateVirtualMemory
- VirtualProtect
- VirtualProtectEx
- NtProtectVirtualMemory
- HeapCreate
- RtlCreateHeap
- CreateProcessA
- CreateProcessW
- CreateProcessInternalA
- CreateProcessInternalW
- NtCreateUserProcess
- NtCreateProcess
- NtCreateProcessEx
- CreateRemoteThread
- CreateRemoteThreadEx
- NtCreateThreadEx
- WriteProcessMemory
- NtWriteVirtualMemory
- WinExec
- CreateFileMappingA
- CreateFileMappingW
- CreateFileMappingNumaW
- NtCreateSection
- MapViewOfFile
- MapViewOfFileEx
- MapViewOfFileFromApp
- LdrGetProcedureAddressForCaller
- `LoadLibraryA`
- `LoadLibraryW`
- `LoadLibraryExA`
- `LoadLibraryExW`
- `LdrLoadDll`
- `VirtualAlloc`
- `VirtualAllocEx`
- `NtAllocateVirtualMemory`
- `VirtualProtect`
- `VirtualProtectEx`
- `NtProtectVirtualMemory`
- `HeapCreate`
- `RtlCreateHeap`
- `CreateProcessA`
- `CreateProcessW`
- `CreateProcessInternalA`
- `CreateProcessInternalW`
- `NtCreateUserProcess`
- `NtCreateProcess`
- `NtCreateProcessEx`
- `CreateRemoteThread`
- `CreateRemoteThreadEx`
- `NtCreateThreadEx`
- `WriteProcessMemory`
- `NtWriteVirtualMemory`
- `WinExec`
- `CreateFileMappingA`
- `CreateFileMappingW`
- `CreateFileMappingNumaW`
- `NtCreateSection`
- `MapViewOfFile`
- `MapViewOfFileEx`
- `MapViewOfFileFromApp`
- `LdrGetProcedureAddressForCaller`
If a ROP gadget is detected, the process is terminated.
@ -543,40 +543,40 @@ Validate API invocation (CallerCheck) is a mitigation for return-oriented progra
The APIs intercepted by this mitigation are:
- LoadLibraryA
- LoadLibraryW
- LoadLibraryExA
- LoadLibraryExW
- LdrLoadDll
- VirtualAlloc
- VirtualAllocEx
- NtAllocateVirtualMemory
- VirtualProtect
- VirtualProtectEx
- NtProtectVirtualMemory
- HeapCreate
- RtlCreateHeap
- CreateProcessA
- CreateProcessW
- CreateProcessInternalA
- CreateProcessInternalW
- NtCreateUserProcess
- NtCreateProcess
- NtCreateProcessEx
- CreateRemoteThread
- CreateRemoteThreadEx
- NtCreateThreadEx
- WriteProcessMemory
- NtWriteVirtualMemory
- WinExec
- CreateFileMappingA
- CreateFileMappingW
- CreateFileMappingNumaW
- NtCreateSection
- MapViewOfFile
- MapViewOfFileEx
- MapViewOfFileFromApp
- LdrGetProcedureAddressForCaller
- `LoadLibraryA`
- `LoadLibraryW`
- `LoadLibraryExA`
- `LoadLibraryExW`
- `LdrLoadDll`
- `VirtualAlloc`
- `VirtualAllocEx`
- `NtAllocateVirtualMemory`
- `VirtualProtect`
- `VirtualProtectEx`
- `NtProtectVirtualMemory`
- `HeapCreate`
- `RtlCreateHeap`
- `CreateProcessA`
- `CreateProcessW`
- `CreateProcessInternalA`
- `CreateProcessInternalW`
- `NtCreateUserProcess`
- `NtCreateProcess`
- `NtCreateProcessEx`
- `CreateRemoteThread`
- `CreateRemoteThreadEx`
- `NtCreateThreadEx`
- `WriteProcessMemory`
- `NtWriteVirtualMemory`
- `WinExec`
- `CreateFileMappingA`
- `CreateFileMappingW`
- `CreateFileMappingNumaW`
- `NtCreateSection`
- `MapViewOfFile`
- `MapViewOfFileEx`
- `MapViewOfFileFromApp`
- `LdrGetProcedureAddressForCaller`
If a ROP gadget is detected, the process is terminated.
@ -594,7 +594,7 @@ This mitigation is incompatible with the Arbitrary Code Guard mitigation.
### Description
Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured exception handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can leverage a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice.
Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured exception handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can use a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice.
This mitigation relies on the design of SEH, where each SEH entry contains both a pointer to the exception handler, as well as a pointer to the next handler in the exception chain. This mitigation is called by the exception dispatcher, which validates the SEH chain when an exception is invoked. It verifies that:
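Review bot: "leverage" to "use" is fine, but "Because the list of handler is dynamic" in the same line (old and new) should be "the list of handlers". The description of a handler chain stored on the stack is the 32-bit SEH model; the section never says which architectures the mitigation applies to, and it should, since the chain-walking check it describes has nothing to validate where exception handling is table-based.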
@ -619,7 +619,7 @@ Compatibility issues with SEHOP are relatively rare. It's uncommon for an applic
### Description
*Validate handle usage* is a mitigation that helps protect against an attacker leveraging an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE).
*Validate handle usage* is a mitigation that helps protect against an attacker using an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE).
This mitigation is automatically applied to Windows Store applications.
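Review bot: in the rewritten line, "If the application attempts to use an invalid object" should be "an invalid handle", matching the rest of the paragraph and the STATUS_INVALID_HANDLE it cites; the object is what the handle refers to, and it is the handle that is invalid. "Instead of simply returning null" is also loose, since the point is that the call fails loudly rather than silently; "instead of simply failing the call" says that without naming a return value.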
@ -639,7 +639,7 @@ Applications that were not accurately tracking handle references, and which were
The *validate heap integrity* mitigation increases the protection level of heap mitigations in Windows, by causing the application to terminate if a heap corruption is detected. The mitigations include:
- Preventing a HEAP handle from being freed
- Performing additional validation on extended block headers for heap allocations
- Performing another validation on extended block headers for heap allocations
- Verifying that heap allocations are not already flagged as in-use
- Adding guard pages to large allocations, heap segments, and subsegments above a minimum size
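Review bot: "Performing another validation on extended block headers" loses the intent of the bullet, which is extra validation beyond the default heap checks, not a second pass of the same one. Keep "additional validation" or write "Performing extra validation on extended block headers for heap allocations". The other bullets read correctly.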
@ -672,48 +672,48 @@ Compatibility issues are uncommon. Applications that depend on replacing Windows
The *validate stack integrity (StackPivot)* mitigation helps protect against the Stack Pivot attack, a ROP attack where an attacker creates a fake stack in heap memory, and then tricks the application into returning into the fake stack that controls the flow of execution.
This mitigation intercepts a number of Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated.
This mitigation intercepts many Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated.
The APIs intercepted by this mitigation are:
- LoadLibraryA
- LoadLibraryW
- LoadLibraryExA
- LoadLibraryExW
- LdrLoadDll
- VirtualAlloc
- VirtualAllocEx
- NtAllocateVirtualMemory
- VirtualProtect
- VirtualProtectEx
- NtProtectVirtualMemory
- HeapCreate
- RtlCreateHeap
- CreateProcessA
- CreateProcessW
- CreateProcessInternalA
- CreateProcessInternalW
- NtCreateUserProcess
- NtCreateProcess
- NtCreateProcessEx
- CreateRemoteThread
- CreateRemoteThreadEx
- NtCreateThreadEx
- WriteProcessMemory
- NtWriteVirtualMemory
- WinExec
- CreateFileMappingA
- CreateFileMappingW
- CreateFileMappingNumaW
- NtCreateSection
- MapViewOfFile
- MapViewOfFileEx
- MapViewOfFileFromApp
- LdrGetProcedureAddressForCaller
- `LoadLibraryA`
- `LoadLibraryW`
- `LoadLibraryExA`
- `LoadLibraryExW`
- `LdrLoadDll`
- `VirtualAlloc`
- `VirtualAllocEx`
- `NtAllocateVirtualMemory`
- `VirtualProtect`
- `VirtualProtectEx`
- `NtProtectVirtualMemory`
- `HeapCreate`
- `RtlCreateHeap`
- `CreateProcessA`
- `CreateProcessW`
- `CreateProcessInternalA`
- `CreateProcessInternalW`
- `NtCreateUserProcess`
- `NtCreateProcess`
- `NtCreateProcessEx`
- `CreateRemoteThread`
- `CreateRemoteThreadEx`
- `NtCreateThreadEx`
- `WriteProcessMemory`
- `NtWriteVirtualMemory`
- `WinExec`
- `CreateFileMappingA`
- `CreateFileMappingW`
- `CreateFileMappingNumaW`
- `NtCreateSection`
- `MapViewOfFile`
- `MapViewOfFileEx`
- `MapViewOfFileFromApp`
- `LdrGetProcedureAddressForCaller`
### Compatibility considerations
Applications that are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications.
Applications that are using fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications.
Applications that perform API interception, particularly security software, can cause compatibility problems with this mitigation.
This mitigation is incompatible with the Arbitrary Code Guard mitigation.
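Review bot: in the compatibility note, "Applications that are using fake stacks will be impacted" is vague now that the section's first paragraph uses "fake stack" for the attacker's structure; legitimate applications don't have fake stacks, they run with the stack pointer outside the thread's stack limits (for example, libraries that switch stacks for coroutines or user-mode scheduling). Suggest "Applications that move the stack pointer to memory outside the thread's stack will be affected", which matches the check described above (stack pointer between the bottom and top of the stack). "Intercepts many Windows APIs" is also looser than the original "a number of"; since the full list follows, "intercepts the following Windows APIs" is the accurate phrasing.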

View File

@ -1,89 +0,0 @@
---
title: Get RBAC machine groups collection API
description: Learn how to use the Get KB collection API to retrieve a collection of RBAC device groups in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, RBAC, group
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: leonidzh
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/07/2018
---
# Get KB collection API
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
[!include[Improve request performance](../../includes/improve-request-performance.md)]
Retrieves a collection of RBAC device groups.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machinegroups
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful - 200 OK.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machinegroups
Content-type: application/json
```
**Response**
Here is an example of the response.
Field id contains device group **id** and equal to field **rbacGroupId** in devices info.
Field **ungrouped** is true only for one group for all devices that have not been assigned to any group. This group as usual has name "UnassignedGroup".
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineGroups",
"@odata.count":7,
"value":[
{
"id":86,
"name":"UnassignedGroup",
"description":"",
"ungrouped":true},
}
```
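Review bot: removing this page outright will 404 any inbound link or bookmark to get-machinegroups-collection; the deletion needs a matching redirect entry pointing at the replacement API page. Nothing needs fixing in the removed content itself, and its state is an argument for retiring rather than repairing it: the front-matter title said "Get RBAC machine groups collection API" while the H1 said "Get KB collection API", the request used a `testwdatppreview` endpoint, and the example response JSON was not well-formed (the `value` array is never closed).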

View File

@ -45,21 +45,21 @@ Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/44
Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows 10, version 1803 | ![No](../images/svg/check-no.svg) Coming soon | ![Yes](../images/svg/check-yes.svg) With [KB4499183](https://support.microsoft.com/help/4499183)
Windows 10, version 1709 | ![No](../images/svg/check-no.svg)<br>Note: Will not be supported | ![Yes](../images/svg/check-yes.svg) With [KB4499147](https://support.microsoft.com/help/4499147)<br>Note: Will be deprecated, please upgrade
Windows 10, version 1803 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg) With [KB4499183](https://support.microsoft.com/help/4499183)
Windows 10, version 1709 | ![No](../images/svg/check-no.svg)<br>Note: Will not be supported | ![Yes](../images/svg/check-yes.svg) With [KB4499147](https://support.microsoft.com/help/4499147)<br>Note: [Deprecated](https://docs.microsoft.com/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade
Windows 10, version 1703 and earlier | ![No](../images/svg/check-no.svg)<br>Note: Will not be supported | ![No](../images/svg/check-no.svg)<br>Note: Will not be supported
Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows Server 2016 | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Windows Server 2012 R2 | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Windows Server 2008 R2 SP1 | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Windows 8.1 Enterprise | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Windows 8 Pro | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Windows 7 SP1 Enterprise | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Windows 7 SP1 Pro | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Mac OS | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Linux | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
iOS | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Android | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Windows Server 2016 | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Windows Server 2012 R2 | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Windows Server 2008 R2 SP1 | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Windows 8.1 Enterprise | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Windows 8 Pro | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Windows 7 SP1 Enterprise | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Windows 7 SP1 Pro | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Linux | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development
macOS | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development
Android | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
iOS | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
> [!NOTE]
> A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment.
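Review bot: the new status cells pair the "No" icon with "Rolling out", "In development" or "On engineering backlog", which is ambiguous: a reader cannot tell whether "Rolling out" means partially available today or still unsupported. Add a legend (or a distinct icon) defining the three terms, and apply it to the other two tables in this file that use the same wording. The 1709 row is an improvement, since linking the lifecycle announcement beats "Will be deprecated". One more: the note under the table says "A patch must be deployed before device onboarding"; the rows that need one name a specific KB, so "the KB listed for your version" is clearer than "a patch".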
@ -69,9 +69,9 @@ The following OS versions are supported when using [Azure Defender for Servers](
OS version | GCC | GCC High
:---|:---|:---
Windows Server 2016 | ![No](../images/svg/check-no.svg) Coming soon | ![Yes](../images/svg/check-yes.svg)
Windows Server 2012 R2 | ![No](../images/svg/check-no.svg) Coming soon | ![Yes](../images/svg/check-yes.svg)
Windows Server 2008 R2 SP1 | ![No](../images/svg/check-no.svg) Coming soon | ![Yes](../images/svg/check-yes.svg)
Windows Server 2016 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg)
Windows Server 2012 R2 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg)
Windows Server 2008 R2 SP1 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg)
<br>
@ -106,24 +106,24 @@ These are the known gaps as of January 2021:
Feature name | GCC | GCC High
:---|:---|:---
Threat analytics | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Threat & vulnerability management | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Automated investigation and remediation: Response to Office 365 alerts | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Automated investigation and remediation: Live response | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Management and APIs: Threat protection report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Management and APIs: Device health and compliance report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Management and APIs: Streaming API | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Management and APIs: Integration with third-party products | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Email notifications | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Evaluation lab | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Web content filtering | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Integrations: Azure Sentinel | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Integrations: Microsoft Cloud App Security | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Integrations: Microsoft Compliance Center | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Integrations: Microsoft Defender for Identity | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Integrations: Microsoft Defender for Office 365 | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Integrations: Microsoft Intune | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Integrations: Microsoft Power Automate & Azure Logic Apps | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Integrations: Skype for Business / Teams | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Microsoft Threat Experts | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Automated investigation and remediation: Live response | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Automated investigation and remediation: Response to Office 365 alerts | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Email notifications | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Evaluation lab | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Management and APIs: Device health and compliance report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Management and APIs: Integration with third-party products | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Management and APIs: Streaming API | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Management and APIs: Threat protection report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Threat & vulnerability management | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Threat analytics | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Web content filtering | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development
Integrations: Azure Sentinel | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Integrations: Microsoft Cloud App Security | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Integrations: Microsoft Compliance Center | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Integrations: Microsoft Defender for Identity | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Integrations: Microsoft Defender for Office 365 | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Integrations: Microsoft Intune | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Integrations: Microsoft Power Automate & Azure Logic Apps | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Integrations: Skype for Business / Teams | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Microsoft Threat Experts | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog

View File

@ -1,6 +1,6 @@
---
title: Investigate Microsoft Defender Advanced Threat Protection files
description: Use the investigation options to get details on files associated with alerts, behaviours, or events.
description: Use the investigation options to get details on files associated with alerts, behaviors, or events.
keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -20,7 +20,7 @@ ms.topic: article
ms.date: 04/24/2018
---
# Investigate a file associated with a Microsoft Defender ATP alert
# Investigate a file associated with a Microsoft Defender for Endpoint alert
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]

View File

@ -38,8 +38,9 @@ If you can reproduce a problem, first increase the logging level, run the system
1. Increase logging level:
```bash
mdatp log level set --level verbose
mdatp log level set --level debug
```
```Output
Log level configured successfully
```
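Review bot: the step now sets `mdatp log level set --level debug`, but the command table further down in this same file still documents the level as `mdatp log level set --level verbose [error|warning|info|verbose]`, which does not list `debug` as an accepted value. Update the table row's bracketed value list (or revert the step to `verbose`) so the two agree, and keep the later restore step at `--level info` consistent with whichever default the product uses.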
@ -51,7 +52,9 @@ If you can reproduce a problem, first increase the logging level, run the system
```bash
sudo mdatp diagnostic create
```
This command will also print out the file path to the backup after the operation succeeds:
```Output
Diagnostic file created: <path to file>
```
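Review bot: "the file path to the backup" in the added sentence is misleading, since `mdatp diagnostic create` produces a diagnostic archive, not a backup; the sample output on the next line calls it a "Diagnostic file". Suggest "This command also prints the path of the diagnostic file once the operation succeeds:". Because the archive contains logs that may hold hostnames and paths, a short pointer to where it should be stored or sent would also help readers handle it appropriately.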
@ -61,6 +64,7 @@ If you can reproduce a problem, first increase the logging level, run the system
```bash
mdatp log level set --level info
```
```Output
Log level configured successfully
```
@ -112,9 +116,9 @@ The following table lists commands for some of the most common scenarios. Run `m
|Configuration |Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action off` |
|Configuration |Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action audit` |
|Diagnostics |Change the log level |`mdatp log level set --level verbose [error|warning|info|verbose]` |
|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create` |
|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create --path [directory]` |
|Health |Check the product's health |`mdatp health` |
|Protection |Scan a path |`mdatp scan custom --path [path]` |
|Protection |Scan a path |`mdatp scan custom --path [path] [--ignore-exclusions]` |
|Protection |Do a quick scan |`mdatp scan quick` |
|Protection |Do a full scan |`mdatp scan full` |
|Protection |Cancel an ongoing on-demand scan |`mdatp scan cancel` |
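Review bot: the "Scan a path" row adds `[--ignore-exclusions]` without saying what it does; the what's-new entry in this same commit describes it as ignoring AV exclusions during custom scans, and that is worth stating in the row (for example as a separate row "Scan a path, ignoring configured exclusions"), since an operator should know the scan will cover paths that are otherwise excluded. The `--path [directory]` placeholder on the diagnostic row also differs from the `[path]` style used elsewhere in the table; pick one.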
@ -126,6 +130,10 @@ The following table lists commands for some of the most common scenarios. Run `m
|Quarantine management |Add a file detected as a threat to the quarantine |`mdatp threat quarantine add --id [threat-id]` |
|Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine remove --id [threat-id]` |
|Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine restore --id [threat-id]` |
|Endpoint Detection and Response |Set early preview (unused) |`mdatp edr early-preview [enable|disable]` |
|Endpoint Detection and Response |Set group-id |`mdatp edr group-ids --group-id [group-id]` |
|Endpoint Detection and Response |Set/Remove tag, only `GROUP` supported |`mdatp edr tag set --name GROUP --value [tag]` |
|Endpoint Detection and Response |list exclusions (root) |`mdatp edr exclusion list [processes|paths|extensions|all]` |
## Microsoft Defender for Endpoint portal information
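Review bot: the four new "Endpoint Detection and Response" rows need wording consistent with the rest of the table: "list exclusions (root)" should be capitalized like the other entries ("List exclusions"), and the parenthetical "(root)" should say explicitly that the command must be run with sudo/root. "Set/Remove tag" shows only the `tag set` form, so either add the remove form or rename the row to "Set tag". "Set early preview (unused)" should either explain what "unused" means or be dropped from a table of common scenarios.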

View File

@ -23,6 +23,16 @@ ms.topic: conceptual
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
## 101.18.53
- EDR for Linux is now [generally available](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-is-generally-available/ba-p/2048539)
- Added a new command-line switch (`--ignore-exclusions`) to ignore AV exclusions during custom scans (`mdatp scan custom`)
- Extended `mdatp diagnostic create` with a new parameter (`--path [directory]`) that allows the diagnostic logs to be saved to a different directory
- Performance improvements & bug fixes
## 101.12.99
- Performance improvements & bug fixes
## 101.04.76

View File

@ -44,26 +44,31 @@ With live response, analysts can do all of the following tasks:
Before you can initiate a session on a device, make sure you fulfill the following requirements:
- **Verify that you're running a supported version of Windows 10**. <br/>
Devices must be running one of the following versions of Windows 10:
- [1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later
- [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
- [1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
- [1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- **Verify that you're running a supported version of Windows**. <br/>
Devices must be running one of the following versions of Windows
- **Make sure to install appropriate security updates**.<br/>
- 1903: [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)
- 1809 (RS5): [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
- 1803 (RS4): [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
- 1709 (RS3): [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
- **Windows 10**
- [Version 1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later
- [Version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) with [KB4515384](https://support.microsoft.com/en-us/help/4515384/windows-10-update-kb4515384)
- [Version 1809 (RS 5)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) with [with KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
- [Version 1803 (RS 4)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) with [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
- [Version 1709 (RS 3)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) with [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
- **Enable live response from the settings page**.<br>
- **Windows Server 2019 - Only applicable for Public preview**
- Version 1903 or (with [KB4515384](https://support.microsoft.com/en-us/help/4515384/windows-10-update-kb4515384)) later
- Version 1809 (with [KB4537818](https://support.microsoft.com/en-us/help/4537818/windows-10-update-kb4537818))
- **Enable live response from the advanced settings page**.<br>
You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.
>[!NOTE]
>Only users with manage security or global admin roles can edit these settings.
- **Enable live response for servers from the advanced settings page** (recommended).<br>
>[!NOTE]
>Only users with manage security or global admin roles can edit these settings.
- **Ensure that the device has an Automation Remediation level assigned to it**.<br>
You'll need to enable, at least, the minimum Remediation Level for a given Device Group. Otherwise you won't be able to establish a Live Response session to a member of that group.
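Review bot: the new Windows Server bullet "Version 1903 or (with [KB4515384](...)) later" has the words out of order; it should read "Version 1903 or later (with KB4515384)". In the Windows 10 list, the 1809 entry's link text is "with KB4537818" preceded by another "with", giving "with with". The server heading "Windows Server 2019 - Only applicable for Public preview" lists versions 1903 and 1809, but Windows Server 2019 corresponds to version 1809 while 1903 is a Semi-Annual Channel release, so the heading should be widened (for example "Windows Server 2019 and later"). The new bullet "Enable live response for servers from the advanced settings page (recommended)" carries only the NOTE and no sentence describing the setting, unlike the bullet above it. Finally, three of the KB links now include `/en-us/` while the others do not; use the locale-free form throughout.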
@ -187,7 +192,7 @@ Here are some examples:
|Command |What it does |
|---------|---------|
|`"C:\windows\some_file.exe" &` |Starts downloading a file named *some_file.exe* in the background. |
|`Download "C:\windows\some_file.exe" &` |Starts downloading a file named *some_file.exe* in the background. |
|`fg 1234` |Returns a download with command ID *1234* to the foreground. |

View File

@ -29,6 +29,10 @@ ms.topic: conceptual
> [!IMPORTANT]
> Support for macOS 10.13 (High Sierra) will be discontinued on February 15th, 2021.
## 101.19.21
- Bug fixes
## 101.15.26
- Improved the reliability of the agent when running on macOS 11 Big Sur

View File

@ -54,7 +54,7 @@ Property | Type | Description
id | String | [machine](machine.md) identity.
computerDnsName | String | [machine](machine.md) fully qualified name.
firstSeen | DateTimeOffset | First date and time where the [machine](machine.md) was observed by Microsoft Defender for Endpoint.
lastSeen | DateTimeOffset | Last date and time where the [machine](machine.md) was observed by Microsoft Defender for Endpoint.
lastSeen | DateTimeOffset |Time and date of the last received full device report. A device typically sends a full report every 24 hours.
osPlatform | String | Operating system platform.
version | String | Operating system Version.
osBuild | Nullable long | Operating system build number.
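Review bot: the new `lastSeen` description is missing a space after the second `|` ("|Time and date"), unlike the other rows. The changed semantics also deserve a sentence for API consumers: since `lastSeen` now reflects the last full device report rather than any observation, and a full report arrives roughly every 24 hours, any automation that flags devices as offline or missing should use a threshold comfortably above 24 hours to avoid false "stale device" findings.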

View File

@ -28,7 +28,7 @@ ms.topic: article
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-machinesview-abovefoldlink)
The **Devices list** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices with alerts seen in the last 30 days.
The **Devices list** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days.
At a glance you'll see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.

View File

@ -39,8 +39,9 @@ Microsoft Defender for Endpoint requires one of the following Microsoft volume l
- Windows 10 Enterprise E5
- Windows 10 Education A5
- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
- Microsoft 365 E5 Security
- Microsoft 365 A5 (M365 A5)
- Microsoft 365 E5 Security
- Microsoft 365 A5 Security
> [!NOTE]
> Eligible licensed users may use Microsoft Defender for Endpoint on up to five concurrent devices.
@ -57,7 +58,7 @@ Microsoft Defender for Endpoint, on Windows Server, requires one of the followin
> * Microsoft Defender for Endpoint
> * Windows E5/A5
> * Microsoft 365 E5/A5
> * Microsoft 365 E5 Security
> * Microsoft 365 E5/A5 Security
For detailed licensing information, see the [Product Terms site](https://www.microsoft.com/licensing/terms/) and work with your account team to learn more about the terms and conditions.
@ -94,6 +95,7 @@ Access to Defender for Endpoint is done through a browser, supporting the follow
- Windows Server 2016
- Windows Server, version 1803 or later
- Windows Server 2019
- Windows Virtual Desktop
Devices on your network must be running one of these editions.
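Review bot: "Windows Virtual Desktop" is added to a list that the following sentence describes as editions ("must be running one of these editions"), but it is a hosting service, not a Windows edition. Either list it under a separate "Supported environments" item or reword the closing sentence so it covers both editions and the virtual desktop service.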

View File

@ -11,7 +11,6 @@ ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.date: 04/30/2019
ms.reviewer:
manager: dansimp
ms.custom: asr
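Review bot: `ms.date: 04/30/2019` is removed rather than updated; if this field is what tracks the page's revision date for readers and the docs pipeline, set it to the date of this change instead of deleting it, since the same commit also edits the body text of the article.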
@ -33,7 +32,7 @@ Network protection expands the scope of [Microsoft Defender SmartScreen](../micr
Network protection is supported beginning with Windows 10, version 1709.
For more details about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
For more information about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
> [!TIP]
> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
@ -46,7 +45,7 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network
## Requirements
Network protection requires Windows 10 Pro, Enterprise E3, E5 and Microsoft Defender AV real-time protection.
Network protection requires Windows 10 Pro, Enterprise E3, E5, and Microsoft Defender AV real-time protection.
Windows 10 version | Microsoft Defender Antivirus
-|-
@ -76,7 +75,7 @@ You can review the Windows event log to see events that are created when network
1. [Copy the XML directly](event-views.md).
2. Click **OK**.
2. Select **OK**.
3. This will create a custom view that filters to only show the following events related to network protection:
@ -88,6 +87,6 @@ You can review the Windows event log to see events that are created when network
## Related articles
- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created.
- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrates how the feature works, and what events would typically be created.
- [Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.

View File

@ -1,5 +1,5 @@
---
title: Onboard devices without Internet access to Microsoft Defender ATP
title: Onboard devices without Internet access to Microsoft Defender for Endpoint
ms.reviewer:
description: Onboard devices without Internet access so that they can send sensor data to the Microsoft Defender ATP sensor
keywords: onboard, servers, vm, on-premise, oms gateway, log analytics, azure log analytics, mma
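Review bot: the title is rebranded to "Microsoft Defender for Endpoint" but the `description:` line two lines below still ends with "the Microsoft Defender ATP sensor"; apply the same rename there so the page metadata is consistent.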

View File

@ -43,6 +43,15 @@ These are the steps you need to take to deploy Defender for Endpoint:
## Step 1: Onboard endpoints using any of the supported management tools
The [Plan deployment](deployment-strategy.md) topic outlines the general steps you need to take to deploy Defender for Endpoint.
Watch this video for a quick overview of the onboarding process and learn about the available tools and methods.
<br />
<br />
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr]
After identifying your architecture, you'll need to decide which deployment method to use. The deployment tool you choose influences how you onboard endpoints to the service.
### Onboarding tool options

View File

@ -36,6 +36,11 @@ Use the **Threat & Vulnerability Management** dashboard to expand your visibilit
Use the **Threat analytics** dashboard to continually assess and control risk exposure to Spectre and Meltdown.
## Microsoft Defender for Endpoint interactive guide
In this interactive guide, you'll learn how to investigate threats to your organization with Microsoft Defender for Endpoint. You'll see how Microsoft Defender for Endpoint can help you identify suspicious activities, investigate risks to your organization, and remediate threats.
> [!VIDEO https://aka.ms/MSDE-IG]
### In this section
Topic | Description

View File

@ -40,6 +40,11 @@ For more information preview features, see [Preview features](https://docs.micro
> https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us
> ```
## January 2021
- [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/) <br> Microsoft Defender for Endpoint now adds support for Windows Virtual Desktop.
## December 2020
- [Microsoft Defender for Endpoint for iOS](microsoft-defender-atp-ios.md) <br> Microsoft Defender for Endpoint now adds support for iOS. Learn how to install, configure, update, and use Microsoft Defender for Endpoint for iOS.

View File

@ -48,6 +48,9 @@ The Security Compliance Toolkit consists of:
- Microsoft Edge security baseline
- Version 85
- Windows Update security baseline
- Windows 10 20H2 and below (October 2020 Update)
- Tools
- Policy Analyzer tool
- Local Group Policy Object (LGPO) tool
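Review bot: "Windows 10 20H2 and below (October 2020 Update)" is ambiguous, because "and below" can be read as including every earlier release while the parenthetical names only 20H2. State the supported range explicitly (for example "Windows 10 20H2 (October 2020 Update) and earlier supported versions"), matching how the other baseline entries in this list name their versions.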