deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 06:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into av-relnotes

Browse Source
This commit is contained in:
Denise Vangel-MSFT 2020-10-29 14:38:36 -07:00
commit 720e6efdf9
79 changed files with 636 additions and 226 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
store-for-business/add-unsigned-app-to-code-integrity-policy.md
View File

@ -18,10 +18,10 @@ ms.date: 10/17/2017
# Add unsigned app to code integrity policy
> [!IMPORTANT]
> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020.
> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020.
>
> Following are the major changes we are making to the service:
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download.
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files.
>
@ -32,7 +32,7 @@ ms.date: 10/17/2017
> - Download root cert
> - Download history of your signing operations
>
> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration.
> For any questions, please contact us at DGSSMigration@microsoft.com.
**Applies to**

6
store-for-business/device-guard-signing-portal.md
View File

@ -18,10 +18,10 @@ ms.date: 10/17/2017
# Device Guard signing
> [!IMPORTANT]
> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020.
> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020.
>
> Following are the major changes we are making to the service:
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download.
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files.
>
@ -32,7 +32,7 @@ ms.date: 10/17/2017
> - Download root cert
> - Download history of your signing operations
>
> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration.
> For any questions, please contact us at DGSSMigration@microsoft.com.
**Applies to**

6
store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
View File

@ -18,10 +18,10 @@ ms.date: 10/17/2017
# Sign code integrity policy with Device Guard signing
> [!IMPORTANT]
> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020.
> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020.
>
> Following are the major changes we are making to the service:
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download.
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files.
>
@ -32,7 +32,7 @@ ms.date: 10/17/2017
> - Download root cert
> - Download history of your signing operations
>
> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration.
> For any questions, please contact us at DGSSMigration@microsoft.com.
**Applies to**

2
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -26,7 +26,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
|New or updated article|Description|
|-----|-----|
| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2:<br>- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)<br>- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)<br>- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)<br>- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)<br>- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)<br>- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)<br>- [WindowsSandbox/AllowAudioInput](policy-csp-windowssandbox.md#windowssandbox-allowaudioinput)<br>- [WindowsSandbox/AllowClipboardRedirection](policy-csp-windowssandbox.md#windowssandbox-allowclipboardredirection)<br>- [WindowsSandbox/AllowNetworking](policy-csp-windowssandbox.md#windowssandbox-allownetworking)<br>- [WindowsSandbox/AllowPrinterRedirection](policy-csp-windowssandbox.md#windowssandbox-allowprinterredirection)<br>- [WindowsSandbox/AllowVGPU](policy-csp-windowssandbox.md#windowssandbox-allowvgpu)<br>- [WindowsSandbox/AllowVideoInput](policy-csp-windowssandbox.md#windowssandbox-allowvideoinput) |
| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2:<br>- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)<br>- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)<br>- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)<br>- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)<br>- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)<br>- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) |
| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:<br>- Settings/AllowWindowsDefenderApplicationGuard |
## Whats new in MDM for Windows 10, version 2004

60
windows/client-management/mdm/policy-csp-windowssandbox.md
View File

@ -48,6 +48,8 @@ ms.date: 10/14/2020
<!--Policy-->
<a href="" id="windowssandbox-allowaudioinput"></a>**WindowsSandbox/AllowAudioInput**
Available in the latest Windows 10 insider preview build.
<!--SupportedSKUs-->
<table>
<tr>
@ -60,7 +62,7 @@ ms.date: 10/14/2020
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
@ -68,11 +70,11 @@ ms.date: 10/14/2020
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
@ -134,6 +136,8 @@ The following are the supported values:
<!--Policy-->
<a href="" id="windowssandbox-allowclipboardredirection"></a>**WindowsSandbox/AllowClipboardRedirection**
Available in the latest Windows 10 insider preview build.
<!--SupportedSKUs-->
<table>
<tr>
@ -146,7 +150,7 @@ The following are the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
@ -154,11 +158,11 @@ The following are the supported values:
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
@ -217,6 +221,8 @@ The following are the supported values:
<!--Policy-->
<a href="" id="windowssandbox-allownetworking"></a>**WindowsSandbox/AllowNetworking**
Available in the latest Windows 10 insider preview build.
<!--SupportedSKUs-->
<table>
<tr>
@ -229,7 +235,7 @@ The following are the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
@ -237,11 +243,11 @@ The following are the supported values:
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
@ -298,6 +304,8 @@ The following are the supported values:
<!--Policy-->
<a href="" id="windowssandbox-allowprinterredirection"></a>**WindowsSandbox/AllowPrinterRedirection**
Available in the latest Windows 10 insider preview build.
<!--SupportedSKUs-->
<table>
<tr>
@ -310,7 +318,7 @@ The following are the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
@ -318,11 +326,11 @@ The following are the supported values:
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
@ -380,6 +388,8 @@ The following are the supported values:
<!--Policy-->
<a href="" id="windowssandbox-allowvgpu"></a>**WindowsSandbox/AllowVGPU**
Available in the latest Windows 10 insider preview build.
<!--SupportedSKUs-->
<table>
<tr>
@ -392,7 +402,7 @@ The following are the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
@ -400,11 +410,11 @@ The following are the supported values:
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
@ -465,6 +475,8 @@ The following are the supported values:
<!--Policy-->
<a href="" id="windowssandbox-allowvideoinput"></a>**WindowsSandbox/AllowVideoInput**
Available in the latest Windows 10 insider preview build.
<!--SupportedSKUs-->
<table>
<tr>
@ -477,7 +489,7 @@ The following are the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
@ -485,11 +497,11 @@ The following are the supported values:
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
@ -546,16 +558,4 @@ The following are the supported values:
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
- 9 - Available in Windows 10, version 20H2.
<!--/Policies-->

26
windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
View File

@ -13,7 +13,7 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/21/2020
ms.date: 10/13/2020
---
# Configure Windows diagnostic data in your organization
@ -24,7 +24,7 @@ ms.date: 07/21/2020
- Windows 10 Education
- Windows Server 2016 and newer
This article applies to Windows 10, Windows Server, Surface Hub, and Hololens diagnostic data only. It describes the types of diagnostic data thats sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers.
This article applies to Windows 10, Windows Server, Surface Hub, and HoloLens diagnostic data only. It describes the types of diagnostic data thats sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers.
>[!IMPORTANT]
>Microsoft is [increasing transparency](https://blogs.microsoft.com/on-the-issues/2019/04/30/increasing-transparency-and-customer-control-over-data/) by categorizing the data we collect as required or optional. Windows 10 is in the process of updating devices to reflect this new categorization, and during this transition Basic diagnostic data will be recategorized as Required diagnostic data and Full diagnostic data will be recategorized as Optional diagnostic data. For more information, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md).
@ -50,7 +50,9 @@ For example, in an earlier version of Windows 10 there was a version of a video
Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating systems features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers experiences. These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.
- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect peoples expectations when they turn on their device for the first time.
- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between apps. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
## How Microsoft handles diagnostic data
@ -60,8 +62,11 @@ Use the following sections to learn more about how Microsoft handles diagnostic
### Data collection
Depending on the diagnostic data settings on the device, diagnostic data can be collected via the following methods:
- Small payloads of structured information referred to as diagnostic data events, managed by the Connected User Experiences and Telemetry component.
- Diagnostic logs for additional troubleshooting, also managed by the Connected User Experience and Telemetry component.
- Crash reporting and crash dumps, managed by [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting).
Later in this document we provide further details about how to control whats collected and what data can be included in these different types of diagnostic data.
@ -101,7 +106,7 @@ There are four diagnostic data collection settings. Each setting is described in
Heres a summary of the types of data that is included with each setting:
| | **Diagnostic data off (Security)** | **Required (Basic)** | **Enhanced** |**Optional (Full)**|
| | Diagnostic data off (Security) | Required (Basic) | Enhanced | Optional (Full) |
| --- | --- | --- | --- | --- |
| **Diagnostic data events** | No Windows diagnostic data sent. | Minimum data required to keep the device secure, up to date, and performing as expected. | Additional data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. | Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users.|
| **Crash Metadata** | N/A | Yes | Yes | Yes |
@ -155,9 +160,13 @@ Required diagnostic data includes:
>Were simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. making changes to the enhanced diagnostic data level. For more info about this change, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md).
Enhanced diagnostic data includes data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. When you choose to send enhanced diagnostic data, required diagnostic data will always be included, and we collect the following additional information:
- Operating system events that help to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
- Operating system app events resulting from Microsoft apps and management tools that were downloaded from the Microsoft Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
- Device-specific events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
- All crash dump types, except for heap dumps and full dumps. For more information about crash dumps, see [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting).
### Optional diagnostic data
@ -165,9 +174,13 @@ Enhanced diagnostic data includes data about the websites you browse, how Window
Optional diagnostic data, previously labeled as **Full**, includes more detailed information about your device and its settings, capabilities, and device health. Optional diagnostic data also includes data about the websites you browse, device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. When you choose to send optional diagnostic data, required diagnostic data will always be included, and we collect the following additional information:
- Additional data about the device, connectivity, and configuration, beyond that collected under required diagnostic data.
- Status and logging information about the health of operating system and other system components beyond what is collected under required diagnostic data.
- App activity, such as which programs are launched on a device, how long they run, and how quickly they respond to input.
- Browser activity, including browsing history and search terms, in Microsoft browsers (Microsoft Edge or Internet Explorer).
- Enhanced error reporting, including the memory state of the device when a system or app crash occurs (which may unintentionally contain user content, such as parts of a file you were using when the problem occurred). Crash data is never used for Tailored experiences.
>[!Note]
@ -199,6 +212,7 @@ Use the appropriate value in the table below when you configure the management p
You can use Group Policy to set your organizations diagnostic data setting:
1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
2. Double-click **Allow Telemetry**.
> [!NOTE]
@ -213,3 +227,9 @@ Use [Policy Configuration Service Provider (CSP)](https://docs.microsoft.com/win
## Limit optional diagnostic data for Desktop Analytics
For more information about how to limit the diagnostic data to the minimum required by Desktop Analytics, see [Enable data sharing for Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/enable-data-sharing).
## Change privacy settings on a single server
You can also change the privacy settings on a server running either the Azure Stack HCI operating system or Windows Server. For more information, see [Change privacy settings on individual servers](https://docs.microsoft.com/azure-stack/hci/manage/change-privacy-settings).
To manage privacy settings in your enterprise as a whole, see [Manage enterprise diagnostic data](#manage-enterprise-diagnostic-data).

2
windows/security/identity-protection/hello-for-business/hello-faq.md
View File

@ -45,7 +45,7 @@ The statement "PIN is stronger than Password" is not directed at the strength of
The **Key Admins** and **Enterprise Key Admins** groups are created when you install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server cannot translate the security identifier (SID) to a name. To resolve this, transfer the PDC emulator domain role to a domain controller running Windows Server 2016.
## Can I use a convenience PIN with Azure AD?
It is currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts. It is only supported for on-premises Domain Joined users and local account users.
It is currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts (synchronized identities included). It is only supported for on-premises Domain Joined users and local account users.
## Can I use an external camera when my laptop is closed or docked?
No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further.

2
windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
View File

@ -95,7 +95,7 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if
- Reboot system into Windows 10.
>[!NOTE]
> **Hyper-V - Virtualization Enabled in Firmware** is NOT shown when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is shown because this means that **Hyper-V - Virtualization Enabled in Firmware** is YES and the **Hyper-V** Windows feature is enabled. Enabling both is needed to enable **Kernel DMA Protection** even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-kernel-dma-protection).
> **Hyper-V - Virtualization Enabled in Firmware** is not available when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is displayed. This means that **Hyper-V - Virtualization Enabled in Firmware** is set to Yes and the **Hyper-V** Windows feature is enabled. Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-kernel-dma-protection).
4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.

5
windows/security/threat-protection/TOC.md
View File

@ -67,6 +67,7 @@
##### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
##### [Vulnerabilities in my organization](microsoft-defender-atp/tvm-weaknesses.md)
##### [Event timeline](microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md)
##### [Vulnerable devices report](microsoft-defender-atp/tvm-vulnerable-devices-report.md)
##### [Hunt for exposed devices](microsoft-defender-atp/tvm-hunt-exposed-devices.md)
@ -274,6 +275,7 @@
#### [Configure]()
##### [Configure iOS features](microsoft-defender-atp/ios-configure-features.md)
#### [Privacy](microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md)
### [Microsoft Defender Advanced Threat Protection for Linux]()
@ -456,6 +458,7 @@
##### [Onboard devices using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md)
##### [Onboard devices using a local script](microsoft-defender-atp/configure-endpoints-script.md)
##### [Onboard non-persistent virtual desktop infrastructure (VDI) devices](microsoft-defender-atp/configure-endpoints-vdi.md)
##### [Onboard Windows 10 multi-session devices in Windows Virtual Desktop](microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md)
#### [Onboard Windows servers](microsoft-defender-atp/configure-server-endpoints.md)
#### [Onboard non-Windows devices](microsoft-defender-atp/configure-endpoints-non-windows.md)
@ -1340,3 +1343,5 @@
### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
## [Change history for Threat protection](change-history-for-threat-protection.md)

2
windows/security/threat-protection/intelligence/macro-malware.md
View File

@ -43,7 +43,7 @@ We've seen macro malware download threats from the following families:
* Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads.
* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#enable-and-audit-attack-surface-reduction-rules)
* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md).

2
windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
View File

@ -25,7 +25,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.

2
windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV Assessment section in the Update Compliance add-in.

2
windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV.

2
windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
View File

@ -22,7 +22,7 @@ ms.date: 08/17/2020
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.

8
windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
View File

@ -23,16 +23,16 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can manage and configure Microsoft Defender Antivirus with the following tools:
- Microsoft Intune
- Microsoft Endpoint Configuration Manager
- Microsoft Intune (now part of Microsoft Endpoint Manager)
- Microsoft Endpoint Configuration Manager (now part of Microsoft Endpoint Manager)
- Group Policy
- PowerShell cmdlets
- Windows Management Instrumentation (WMI)
- The mpcmdrun.exe utility
- The Microsoft Malware Protection Command Line Utility (referred to as the *mpcmdrun.exe* utility
The articles in this section provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus.

2
windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
## Use Microsoft Intune to configure scanning options

2
windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
View File

@ -22,7 +22,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can configure how users of the endpoints on your network can interact with Microsoft Defender Antivirus.

2
windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
View File

@ -22,7 +22,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.

2
windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
View File

@ -22,7 +22,7 @@ ms.date: 10/21/2020
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
> [!IMPORTANT]
> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md).

2
windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
By default, Microsoft Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.

2
windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can configure Microsoft Defender Antivirus with a number of tools, including:

2
windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise.

2
windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
View File

@ -22,7 +22,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.

2
windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Microsoft Defender Antivirus uses several methods to provide threat protection:

2
windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ ms.custom: nextgen
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.

2
windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
When Microsoft Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Microsoft Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.

2
windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
View File

@ -157,7 +157,7 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
- `%systemroot%\Sysvol\*\Nntfrs_cmp*\`
- `%systemroot%\Sysvol\*\Ntfrs_cmp*\`
- The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`

2
windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans.

20
windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
View File

@ -16,24 +16,24 @@ ms.reviewer:
manager: dansimp
---
# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation
# Customize, initiate, and review the results of Microsoft Defender Antivirus scans & remediation
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans.
## In this section
Topic | Description
---|---
[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
| Article | Description |
|:---|:---|
|[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning |
|[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning |
|[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder |
|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans |
|[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app |
|[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app |

2
windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can deploy, manage, and report on Microsoft Defender Antivirus in a number of ways.

2
windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Depending on the management tool you are using, you may need to specifically enable or configure Microsoft Defender Antivirus protection.

2
windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
View File

@ -22,7 +22,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
In addition to standard on-premises or hardware configurations, you can also use Microsoft Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.

2
windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge)
> [!NOTE]

2
windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
View File

@ -22,7 +22,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Use this guide to determine how well Microsoft Defender Antivirus protects you from viruses, malware, and potentially unwanted applications.

2
windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
View File

@ -24,7 +24,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device.

2
windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Microsoft Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.

2
windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Microsoft Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis.

2
windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
View File

@ -24,7 +24,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Microsoft Defender Antivirus lets you determine when it should look for and download updates.

2
windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ ms.date: 10/26/2020
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
There are two types of updates related to keeping Microsoft Defender Antivirus up to date:

2
windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates.

2
windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
View File

@ -23,7 +23,7 @@ ms.date: 09/28/2020
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
## Overview

2
windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
View File

@ -22,7 +22,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).

2
windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
View File

@ -22,7 +22,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Security.

2
windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can use Group Policy to prevent users on endpoints from seeing the Microsoft Defender Antivirus interface. You can also prevent them from pausing scans.

2
windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).

2
windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain a quarantined file is not a threat, you can restore it.

2
windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
After a Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results.

2
windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.

42
windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
View File

@ -11,8 +11,8 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/30/2020
ms.reviewer:
ms.date: 10/26/2020
ms.reviewer: pauhijbr
manager: dansimp
---
@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
> [!NOTE]
> By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
@ -32,7 +32,7 @@ In addition to always-on real-time protection and [on-demand](run-scan-microsoft
You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10).
## To configure the Group Policy settings described in this article
@ -74,12 +74,12 @@ Scheduled scans will run at the day and time you specify. You can use Group Poli
### Use Group Policy to schedule scans
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Scan | Specify the scan type to use for a scheduled scan | Quick scan
Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am
Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours. <br>In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled
| Location | Setting | Description | Default setting (if not configured) |
|:---|:---|:---|:---|
|Scan | Specify the scan type to use for a scheduled scan | Quick scan |
|Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never |
| Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.). | 2 a.m. |
| Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours. <br>In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled |
### Use PowerShell cmdlets to schedule scans
@ -119,9 +119,9 @@ You can set the scheduled scan to only occur when the endpoint is turned on but
### Use Group Policy to schedule scans
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled
|Location | Setting | Description | Default setting (if not configured) |
|:---|:---|:---|:---|
|Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled |
### Use PowerShell cmdlets
@ -152,10 +152,10 @@ Some threats may require a full scan to complete their removal and remediation.
### Use Group Policy to schedule remediation-required scans
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never
Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
| Location | Setting | Description | Default setting (if not configured) |
|---|---|---|---|
|Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never |
|Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. |
### Use PowerShell cmdlets
@ -190,10 +190,10 @@ You can enable a daily quick scan that can be run in addition to your other sche
### Use Group Policy to schedule daily scans
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never
Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
| Location | Setting | Description | Default setting (if not configured)|
|:---|:---|:---|:---|
|Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never |
|Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. |
### Use PowerShell cmdlets to schedule daily scans

61
windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Specify cloud-delivered protection level in Microsoft Defender Antivirus
description: Set the aggressiveness of cloud-delivered protection in Microsoft Defender Antivirus.
title: Specify the cloud-delivered protection level for Microsoft Defender Antivirus
description: Set your level of cloud-delivered protection for Microsoft Defender Antivirus.
keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -10,7 +10,7 @@ ms.sitesec: library
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 08/12/2020
ms.date: 10/26/2020
ms.reviewer:
manager: dansimp
ms.custom: nextgen
@ -25,56 +25,63 @@ ms.custom: nextgen
- Microsoft Defender Antivirus
You can specify the level of cloud-protection offered by Microsoft Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager.
You can specify your level of cloud-delivered protection offered by Microsoft Defender Antivirus by using Microsoft Endpoint Manager (recommended) or Group Policy.
>[!NOTE]
>The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
> [!TIP]
> Cloud protection is not simply protection for files that are stored in the cloud. The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and devices (also called endpoints). Cloud protection with Microsoft Defender Antivirus uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional security intelligence updates.
> Microsoft Intune and Microsoft Endpoint Configuration Manager are now part of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview).
## Use Intune to specify the level of cloud-delivered protection
1. Sign in to the [Azure portal](https://portal.azure.com).
2. Select **All services > Intune**.
3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**.
5. On the **File Blocking Level** switch, select one of the following:
## Use Microsoft Endpoint Manager to specify the level of cloud-delivered protection
1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
2. Choose **Endpoint security** > **Antivirus**.
3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**.
5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following:
1. **High**: Applies a strong level of detection.
2. **High +**: Uses the **High** level and applies additional protection measures (may impact client performance).
2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance).
3. **Zero tolerance**: Blocks all unknown executables.
8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
6. Choose **Review + save**, and then choose **Save**.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
> [!TIP]
> Need some help? See the following resources:
> - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
> - [Add endpoint protection settings in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-configure)
## Use Configuration Manager to specify the level of cloud-delivered protection
See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
## Use Group Policy to specify the level of cloud-delivered protection
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx).
2. Right-click the Group Policy Object you want to configure, and then click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
3. In the **Group Policy Management Editor** go to **Computer Configuration** > **Administrative templates**.
4. Click **Administrative templates**.
4. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**.
5. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**.
6. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
5. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
- **Default blocking level** provides strong detection without increasing the risk of detecting legitimate files.
- **Moderate blocking level** provides moderate only for high confidence detections
- **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives).
- **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives).
- **High blocking level** applies a strong level of detection while optimizing client performance (but can also give you a greater chance of false positives).
- **High + blocking level** applies additional protection measures (might impact client performance and increase your chance of false positives).
- **Zero tolerance blocking level** blocks all unknown executables.
> [!WARNING]
> While unlikely, setting this switch to **High** or **High +** may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection).
7. Click **OK**.
6. Click **OK**.
7. Deploy your updated Group Policy Object. See [Group Policy Management Console](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx)
> [!TIP]
> Are you using Group Policy Objects on premises? See how they translate in the cloud. [Analyze your on-premises group policy objects using Group Policy analytics in Microsoft Endpoint Manager - Preview](https://docs.microsoft.com/mem/intune/configuration/group-policy-analytics).
## Related articles

2
windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
View File

@ -22,7 +22,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
If you encounter a problem with Microsoft Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.

2
windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
View File

@ -22,7 +22,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
> [!IMPORTANT]
> On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.

2
windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
View File

@ -22,7 +22,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) to configure and manage Microsoft Defender Antivirus on your endpoints.

22
windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.date: 10/26/2018
ms.reviewer:
manager: dansimp
---
@ -23,15 +23,25 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
If you are using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Microsoft Defender Antivirus scans.
If you were using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can now use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus scans.
In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Microsoft Defender Antivirus.
1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Endpoint Security**.
See the [Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
2. Under **Manage**, choose **Antivirus**.
For Microsoft Intune, consult the [Microsoft Intune library](https://docs.microsoft.com/intune/introduction-intune) and [Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
3. Select your Microsoft Defender Antivirus policy.
4. Under **Manage**, choose **Properties**.
5. Next to **Configuration settings**, choose **Edit**.
6. Expand the **Scan** section, and review or edit your scanning settings.
7. Choose **Review + save**
Need help? See [Manage endpoint security in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security).
## Related articles

2
windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it at the [PowerShell hub on MSDN](https://docs.microsoft.com/previous-versions/msdn10/mt173057(v=msdn.10)).

2
windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.

2
windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
View File

@ -17,7 +17,7 @@ ms.custom: asr
# Configure Microsoft Defender Application Guard policy settings
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.

86
windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 09/14/2020
ms.date: 10/29/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -23,10 +23,9 @@ Answering frequently asked questions about Microsoft Defender Application Guard
## Frequently Asked Questions
### Can I enable Application Guard on machines equipped with 4 GB RAM?
We recommend 8 GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is 4 cores.)
`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.)
@ -34,7 +33,7 @@ We recommend 8GB RAM for optimal performance but you may use the following regis
### Can employees download documents from the Application Guard Edge session onto host devices?
In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.
In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.
@ -44,20 +43,16 @@ Depending on your organization's settings, employees can copy and paste images (
### Why don't employees see their Favorites in the Application Guard Edge session?
To help keep the Application Guard Edge session secure and isolated from the host device, favorites that are stored in an Application Guard Edge session are not copied to the host device.
To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.
### Are extensions supported in the Application Guard?
### Why arent employees able to see their Extensions in the Application Guard Edge session?
Extension installs in the container are supported from Microsoft Edge version 81. For more details, see [Extension support inside the container](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard#extension-support-inside-the-container).
Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.
### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
If Application Guard is used with network proxies, they need to be specified by fully qualified domain name (FQDN) in the system proxy settings (likewise in a PAC script if that is the type of proxy configuration used). Additionally these proxies need to be marked as *neutral* in the **Application trust** list. The FQDNs for the PAC file and the proxy servers the PAC file redirects to must be added as neutral resources in the network isolation policies that are used by Application Guard. You can verify this by going to `edge://application-guard-internals/#utilities` and entering the FQDN for the pac/proxy in the **check url trust** field. Verify that it says *Neutral.*
Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the enterprise IP ranges in the network isolation policies that are used by Application Guard. Additionally, go to `edge://application-guard-internals/#utilities` to view the Application Guard proxy configuration. This step can be done in both the host and within Application Guard to verify that each side is using the proxy setup you expect.
### Which Input Method Editors (IME) in 19H1 are not supported?
The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard.
@ -76,7 +71,7 @@ The following Input Method Editors (IME) introduced in Windows 10, version 1903
### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and well work with you to enable the feature.
This feature is currently experimental only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and well work with you to enable the feature.
### What is the WDAGUtilityAccount local account?
@ -92,12 +87,75 @@ When using Windows Pro or Windows Enterprise, you will have access to using Appl
### Is there a size limit to the domain lists that I need to configure?
Yes, both the enterprise resource domains hosted in the cloud and the domains categorized as both work and personal have a 16383B limit.
Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383-B limit.
### Why does my encryption driver break Microsoft Defender Application Guard?
Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT").
### Why do the Network Isolation policies in Group Policy and CSP look different?
There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP.
Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources"
Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
### Why did Application Guard stop working after I turned off hyperthreading?
If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")?
Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
### Why am I getting the error message ("ERR_NAME_NOT_RESOLVED") after not being able to reach PAC file?
This is a known issue. To mitigate this you need to create two firewall rules.
For guidance on how to create a firewall rule by using group policy, see:
- [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule)
- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
First rule (DHCP Server):
1. Program path: %SystemRoot%\System32\svchost.exe
2. Local Service: Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))
3. Protocol UDP
4. Port 67
Second rule (DHCP Client)
This is the same as the first rule, but scoped to local port 68.
In the Microsoft Defender Firewall user interface go through the following steps:
1. Right click on inbound rules, create a new rule.
2. Choose **custom rule**.
3. Program path: **%SystemRoot%\System32\svchost.exe**.
4. Protocol Type: UDP, Specific ports: 67, Remote port: any.
5. Any IP addresses.
6. Allow the connection.
7. All profiles.
8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
### Why can I not launch Application Guard when Exploit Guard is enabled?
There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to Windows Security-> App and Browser control -> Exploit Protection Setting -> switch CFG to the “use default".
### How can I have ICS in enabled state yet still use Application Guard?
This is a two-step process.
Step 1:
Enable Internet Connection sharing by changing the Group Policy setting *Prohibit use of Internet Connection Sharing on your DNS domain network*, which is part of the MS Security baseline from Enabled to Disabled.
Step 2:
1. Disable IpNat.sys from ICS load
System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1
2. Configure ICS (SharedAccess) to enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3
3. Disabling IPNAT (Optional)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4
4. Reboot.

2
windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
View File

@ -18,7 +18,7 @@ ms.custom: asr
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.

131
windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md Normal file
View File

@ -0,0 +1,131 @@
---
title: "Onboard Windows 10 multi-session devices in Windows Virtual Desktop"
description: "Read more in this article about Onboarding Windows 10 multi-session devices in Windows Virtual Desktop"
keywords: Windows Virtual Desktop, WVD, microsoft defender, endpoint, onboard
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.topic: article
author: dansimp
ms.author: dansimp
ms.custom: nextgen
ms.date: 09/10/2020
ms.reviewer:
manager: dansimp
---
# Onboard Windows 10 multi-session devices in Windows Virtual Desktop
6 minutes to read
Applies to:
- Windows 10 multi-session running on Windows Virtual Desktop (WVD)
> [!IMPORTANT]
> Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.
> [!WARNING]
> Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-session scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However, single session scenarios on Windows Virtual Desktop are fully supported.
Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity.
## Before you begin
Familiarize yourself with the [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). While [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a golden Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment and thus impacts what entries are created and maintained in the Microsoft Defender for Endpoint portal, potentially reducing visibility for your security analysts.
> [!NOTE]
> Depending on your choice of onboarding method, devices can appear in Microsoft Defender for Endpoint portal as either:
> - Single entry for each virtual desktop
> - Multiple entries for each virtual desktop
Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Endpoint portal is in the context of one device based on the machine name. Organizations that frequently delete and re-deploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender for Endpoint portal. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently.
Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD golden image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy.
> [!NOTE]
> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It isNOTrecommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account.
### Scenarios
There are several ways to onboard a WVD host machine:
- Run the script in the golden image (or from a shared location) during startup.
- Use a management tool to run the script.
#### *Scenario 1: Using local group policy*
This scenario requires placing the script in a golden image and uses local group policy to run early in the boot process.
Use the instructions in [Onboard non-persistent virtual desktop infrastructure VDI devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1).
Follow the instructions for a single entry for each device.
#### *Scenario 2: Using domain group policy*
This scenario uses a centrally located script and runs it using a domain-based group policy. You can also place the script in the golden image and run it in the same way.
**Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center**
1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip)
- In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**.
- Select Windows 10 as the operating system.
- In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints.
- Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called **OptionalParamsPolicy** and the files **WindowsDefenderATPOnboardingScript.cmd** and **Onboard-NonPersistentMachine.ps1**.
**Use Group Policy management console to run the script when the virtual machine starts**
1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
1. In the Group Policy Management Editor, go to **Computer configuration** \> **Preferences** \> **Control panel settings**.
1. Right-click **Scheduled tasks**, click **New**, and then click **Immediate Task** (At least Windows 7).
1. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. NT AUTHORITY\SYSTEM appears as the user account the task will run as.
1. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
1. Go to the **Actions** tab and click **New**. Ensure that **Start a program** is selected in the Action field.
Enter the following:
> Action = "Start a program" <br>
> Program/Script = C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe <br>
> Add Arguments (optional) = -ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1"
Click **OK** and close any open GPMC windows.
#### *Scenario 3: Onboarding using management tools*
If you plan to manage your machines using a management tool, you can onboard devices with Microsoft Endpoint Configuration Manager.
For more information, see: [Onboard Windows 10 devices using Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
> [!WARNING]
> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), please note that rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Configuration Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
> [!TIP]
> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
#### Tagging your machines when building your golden image
As part of your onboarding, you may want to consider setting a machine tag to be able to differentiate WVD machines more easily in the Microsoft Security Center. For more information, see
[Add device tags by setting a registry key value](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags#add-device-tags-by-setting-a-registry-key-value).
#### Other recommended configuration settings
When building your golden image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp#other-recommended-configuration-settings).
In addition, if you are using FSlogix user profiles, we recommend you exclude the following files from always-on protection:
**Exclude Files:**
> %ProgramFiles%\FSLogix\Apps\frxdrv.sys <br>
> %ProgramFiles%\FSLogix\Apps\frxdrvvt.sys <br>
> %ProgramFiles%\FSLogix\Apps\frxccd.sys <br>
> %TEMP%\*.VHD <br>
> %TEMP%\*.VHDX <br>
> %Windir%\TEMP\*.VHD <br>
> %Windir%\TEMP\*.VHDX <br>
> \\storageaccount.file.core.windows.net\share\*\*.VHD <br>
> \\storageaccount.file.core.windows.net\share\*\*.VHDX <br>
**Exclude Processes:**
> %ProgramFiles%\FSLogix\Apps\frxccd.exe <br>
> %ProgramFiles%\FSLogix\Apps\frxccds.exe <br>
> %ProgramFiles%\FSLogix\Apps\frxsvc.exe <br>
#### Licensing requirements
Windows 10 Multi-session is a client OS. Licensing requirements for Microsoft Defender for endpoint can be found at: [Licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements).

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
View File

@ -45,7 +45,9 @@ For information on other tables in the advanced hunting schema, see [the advance
| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
| `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured |
| `IsApplicable` | boolean | Indicates whether the configuration or policy applies to the device |
| `Context` | string | Additional contextual information about the configuration or policy |
| `IsExpectedUserImpactCompliant` | boolean | Indicates whether there will be user impact if the configuration or policy is applied |
## Related topics

5
windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
View File

@ -109,11 +109,12 @@ See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list.
The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
|**Item**|**Description**|
|**Spreadsheet of domains list**|**Description**|
|:-----|:-----|
|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-docs-pr/blob/prereq-urls/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)<br/> [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
|![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning.

2
windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
View File

@ -43,7 +43,7 @@ Microsoft Defender ATP currently supports the following specific SIEM solution t
- IBM QRadar
- Micro Focus ArcSight
Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://df.securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details.
Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details.
To use either of these supported SIEM tools you'll need to:

5
windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
View File

@ -52,8 +52,13 @@ You must have **Manage security settings** permissions to:
- Reset password
- Create simulations
If you enabled role-based access control (RBAC) and created at least a one machine group, users must have access to All machine groups.
For more information, see [Create and manage roles](user-roles.md).
Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink)

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-age.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 49 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-exploit-availability.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-os.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 62 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-severity.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-version.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

2
windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md
View File

@ -27,8 +27,6 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
[!include[Prerelease information](../../includes/prerelease.md)]
To benefit from Microsoft Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration.
>[!NOTE]

96
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md Normal file
View File

@ -0,0 +1,96 @@
---
title: Microsoft Defender ATP for iOS - Privacy information
ms.reviewer:
description: Describes privacy information for Microsoft Defender ATP for iOS
keywords: microsoft, defender, atp, ios, policy, overview
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
---
# Privacy information - Microsoft Defender ATP for iOS
> [!NOTE]
> Microsoft Defender ATP for iOS uses a VPN to provide the Web Protection feature. This is not a regular VPN and is a local or self-looping VPN that does not take traffic outside the device. **Microsoft or your organization, does not see your browsing activity.**
Microsoft Defender ATP for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Microsoft Defender ATP. The information is collected to help keep Microsoft Defender ATP for iOS secure, up-to-date, performing as expected, and to support the service.
For more details about data storage, see [Microsoft Defender ATP data storage and privacy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy).
## Required data
Required data consists of data that is necessary to make Microsoft Defender ATP for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps.
Here is a list of the types of data being collected:
### Web page or Network information
- Connection information only when a malicious connection or web page is detected.
- Protocol type (such as HTTP, HTTPS, etc.) only when a malicious connection or web page is detected.
### Device and account information
- Device information such as date & time, iOS version, CPU info, and Device identifier, where Device identifier is one of the following:
- Wi-Fi adapter MAC address
- Randomly generated globally unique identifier (GUID)
- Tenant, Device and User information
- Azure Active Directory (AD) Device ID and Azure User ID - Uniquely identifies the device, User respectively at Azure Active directory.
- Azure tenant ID - GUID that identifies your organization within Azure Active Directory.
- Microsoft Defender ATP org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted.
- User Principal Name Email ID of the user.
### Product and service usage data
The following information is collected only for Microsoft Defender ATP app installed on the device.
- App package info, including name, version, and app upgrade status.
- Actions performed in the app.
- Crash report logs generated by iOS.
- Memory usage data.
## Optional Data
Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself.
Optional diagnostic data includes:
- App, CPU, and network usage for Microsoft Defender ATP.
- Features configured by the admin for Microsoft Defender ATP.
Feedback Data is collected through in-app feedback provided by the user.
- The users email address, if they choose to provide it.
- Feedback type (smile, frown, idea) and any feedback comments submitted by the user.
For more information, see [More on Privacy](https://aka.ms/mdatpiosprivacystatement).

5
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
View File

@ -97,10 +97,9 @@ After you've enabled the service, you may need to configure your network or fire
The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.
|**Item**|**Description**|
|**Spreadsheet of domains list**|**Description**|
|:-----|:-----|
|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)<br/> [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
|![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)

4
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
View File

@ -90,9 +90,9 @@ The following downloadable spreadsheet lists the services and their associated U
|**Item**|**Description**|
|**Spreadsheet of domains list**|**Description**|
|:-----|:-----|
|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)<br/> [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
|![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)

5
windows/security/threat-protection/microsoft-defender-atp/preview.md
View File

@ -68,11 +68,6 @@ Information protection is an integral part of Microsoft 365 Enterprise suite, pr
>[!NOTE]
>Partially available from Windows 10, version 1809.
- [Integration with Microsoft Cloud App Security](microsoft-cloud-app-security-integration.md) <BR> Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender ATP monitored devices.
>[!NOTE]
>Available from Windows 10, version 1809 or later.
- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019) <BR> Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices.

43
windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
View File

@ -1,7 +1,7 @@
---
title: Set up Microsoft Defender ATP deployment
description:
keywords:
description: Learn how to setup the deployment for Microsoft Defender ATP
keywords: deploy, setup, licensing validation, tenant configuration, network configuration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -46,7 +46,7 @@ Deploying Microsoft Defender ATP is a three-phase process:
</td>
<td align="center">
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboarding">
<img src="images/onboard.png" alt="Onboard" title="Onboard" />
<img src="images/onboard.png" alt="Onboard image" title="Onboard" />
<br/>Phase 3: Onboard </a><br>
</td>
@ -54,7 +54,7 @@ Deploying Microsoft Defender ATP is a three-phase process:
</tr>
</table>
You are currently in the set up phase.
You are currently in the set-up phase.
In this deployment scenario, you'll be guided through the steps on:
- Licensing validation
@ -69,13 +69,13 @@ In this deployment scenario, you'll be guided through the steps on:
Checking for the license state and whether it got properly provisioned, can be done through the admin center or through the **Microsoft Azure portal**.
1. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
1. To view your licenses, go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
![Image of Azure Licensing page](images/atp-licensing-azure-portal.png)
1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**.
On the screen you will see all the provisioned licenses and their current **Status**.
On the screen, you will see all the provisioned licenses and their current **Status**.
![Image of billing licenses](images/atp-billing-subscriptions.png)
@ -84,9 +84,9 @@ Checking for the license state and whether it got properly provisioned, can be d
To gain access into which licenses are provisioned to your company, and to check the state of the licenses, go to the admin center.
1. From the **Partner portal**, click on the **Administer services > Office 365**.
1. From the **Partner portal**, select **Administer services > Office 365**.
2. Clicking on the **Partner portal** link will leverage the **Admin on behalf** option and will give you access to the customer admin center.
2. Clicking on the **Partner portal** link will open the **Admin on behalf** option and will give you access to the customer admin center.
![Image of O365 admin portal](images/atp-O365-admin-portal-customer.png)
@ -94,7 +94,7 @@ To gain access into which licenses are provisioned to your company, and to check
## Tenant Configuration
When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/) for the first time there will be a set up wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client device.
When accessing Microsoft Defender Security Center for the first time, a wizard that will guide you through some initial steps. At the end of the setup wizard, there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client device.
1. From a web browser, navigate to <https://securitycenter.windows.com>.
@ -109,9 +109,9 @@ When accessing [Microsoft Defender Security Center](https://securitycenter.windo
4. Set up preferences.
**Data storage location** - It's important to set this up correctly. Determine where the customer wants to be primarily hosted: US, EU or UK. You cannot change the location after this set up and Microsoft will not transfer the data from the specified geolocation.
**Data storage location** - It's important to set this up correctly. Determine where the customer wants to be primarily hosted: US, EU, or UK. You cannot change the location after this set up and Microsoft will not transfer the data from the specified geolocation.
**Data retention** - The default is 6 months.
**Data retention** - The default is six months.
**Enable preview features** - The default is on, can be changed later.
@ -137,11 +137,11 @@ WinHTTP configuration setting is independent of the Windows Internet (WinINet)
internet browsing proxy settings and can only discover a proxy server by using
the following discovery methods:
**Auto-discovery methods:**
**Autodiscovery methods:**
- Transparent proxy
- Web Proxy Auto-discovery Protocol (WPAD)
- Web Proxy Autodiscovery Protocol (WPAD)
If a Transparent proxy or WPAD has been implemented in the network topology,
there is no need for special configuration settings. For more information on
@ -155,7 +155,7 @@ Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defe
**Manual static proxy configuration:**
- Registry based configuration
- Registry-based configuration
- WinHTTP configured using netsh command <br> Suitable only for desktops in a
stable topology (for example: a desktop in a corporate network behind the
@ -175,13 +175,13 @@ under:
1. Open the Group Policy Management Console.
2. Create a policy or edit an existing policy based off the organizational practices.
3. Edit the Group Policy and navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service**.
![Image of Group Policy setting](images/atp-gpo-proxy1.png)
![Image of Group Policy configuration](images/atp-gpo-proxy1.png)
4. Select **Enabled**.
5. Select **Disable Authenticated Proxy usage**.
6. Navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure connected user experiences and telemetry**.
![Image of Group Policy setting](images/atp-gpo-proxy2.png)
![Image of Group Policy configuration setting](images/atp-gpo-proxy2.png)
7. Select **Enabled**.
8. Enter the **Proxy Server Name**.
@ -205,7 +205,7 @@ Use netsh to configure a system-wide static proxy.
> - This will affect all applications including Windows services which use WinHTTP with default proxy.</br>
> - Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration.
1. Open an elevated command-line:
1. Open an elevated command line:
1. Go to **Start** and type **cmd**.
@ -223,7 +223,7 @@ Use netsh to configure a system-wide static proxy.
### Proxy Configuration for down-level devices
Down-Level devices include Windows 7 SP1 and Windows 8.1 workstations as well
as Windows Server 2008 R2, Windows Sever 2012, Windows Server 2012 R2, and
as Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and
versions of Windows Server 2016 prior to Windows Server CB 1803. These operating
systems will have the proxy configured as part of the Microsoft Management Agent
to handle communication from the endpoint to Azure. Refer to the
@ -238,15 +238,16 @@ needed if the device is on Windows 10, version 1803 or later.
If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the listed URLs.
The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. Ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
|**Item**|**Description**|
|**Spreadsheet of domains list**|**Description**|
|:-----|:-----|
|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)<br/> [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
|![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
### Microsoft Defender ATP service backend IP range
If you network devices don't support the URLs white-listed in the prior section, you can use the following information.
If you network devices don't support the URLs listed in the prior section, you can use the following information.
Microsoft Defender ATP is built on Azure cloud, deployed in the following regions:

2
windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
View File

@ -29,8 +29,6 @@ ms.topic: conceptual
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance.
Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.

1
windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
View File

@ -22,7 +22,6 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)

84
windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md Normal file
View File

@ -0,0 +1,84 @@
---
title: Vulnerable devices report - threat and vulnerability management
description: A report showing vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure.
keywords: mdatp-tvm vulnerable devices, mdatp, tvm, reduce threat & vulnerability exposure, reduce threat and vulnerability, monitor security configuration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: article
---
# Vulnerable devices report - threat and vulnerability management
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
> [!IMPORTANT]
> **Vulnerable devices report is currently in public preview**<br>
> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
> For more information, see [Microsoft Defender ATP preview features](preview.md).
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
The report shows graphs and bar charts with vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure.
Access the report in the Microsoft Defender Security Center by going to **Reports > Vulnerable devices**
There are two columns:
- Trends (over time). Can show the past 30 days, 3 months, 6 months, or a custom date range.
- Today (current information)
**Filter**: You can filter the data by vulnerability severity levels, exploit availability, vulnerability age, operating system platform, Windows 10 version, or device group.
**Drill down**: If there is an insight you want to explore further, select the relevant bar chart to view a filtered list of devices in the Device inventory page. From there, you can export the list.
## Severity level graphs
Each device is counted only once according to the most severe vulnerability found on that device.
![One graph of current device vulnerability severity levels, and one graph showing levels over time.](images/tvm-report-severity.png)
## Exploit availability graphs
Each device is counted only once based on the highest level of known exploit.
![One graph of current device exploit availability, and one graph showing availability over time.](images/tvm-report-exploit-availability.png)
## Vulnerability age graphs
Each device is counted only once under the oldest vulnerability publication date. Older vulnerabilities have a higher chance of being exploited.
![One graph of current device vulnerability age, and one graph showing age over time.](images/tvm-report-age.png)
## Vulnerable devices by operating system platform graphs
The number of devices on each operating system that are exposed due to software vulnerabilities.
![One graph of current vulnerable devices by operating system platform, and one graph showing vulnerable devices by OS platforms over time.](images/tvm-report-os.png)
## Vulnerable devices by Windows 10 version graphs
The number of devices on each Windows 10 version that are exposed due to vulnerable applications or OS.
![One graph of current vulnerable devices by Windows 10 version, and one graph showing vulnerable devices by Windows 10 version over time.](images/tvm-report-version.png)
## Related topics
- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
- [Security recommendations](tvm-security-recommendation.md)

5
windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
View File

@ -112,12 +112,12 @@ View related weaknesses information in the device page.
1. Go to the Microsoft Defender Security Center navigation menu bar, then select the device icon. The **Devices list** page opens.
2. In the **Devices list** page, select the device name that you want to investigate.
![Screenshot of device list with selected device to investigate](images/tvm_machinetoinvestigate.png)
![Device list with selected device to investigate.](images/tvm_machinetoinvestigate.png)
3. The device page will open with details and response options for the device you want to investigate.
4. Select **Discovered vulnerabilities**.
![Screenshot of the device page with details and response options](images/tvm-discovered-vulnerabilities.png)
![Device page with details and response options.](images/tvm-discovered-vulnerabilities.png)
5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic.
@ -143,4 +143,5 @@ Report a false positive when you see any vague, inaccurate, or incomplete inform
- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Software inventory](tvm-software-inventory.md)
- [Dashboard insights](tvm-dashboard-insights.md)
- [View and organize the Microsoft Defender ATP Devices list](machines-view-overview.md)