From 92ee7782db94206cd8742cbe64a1bb44bc55c14d Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Wed, 7 Oct 2020 10:41:50 -0700 Subject: [PATCH 01/24] WMI and GP alternative for deploying WDAC multi policy Recommend customers use MDM bridge WMI provider --- ...e-windows-defender-application-control-policies.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index bf44f8cd81..99abb1a572 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md 
@@ -85,17 +85,18 @@ When merging, the policy type and ID of the leftmost/first policy specified is u ## Deploying multiple policies -In order to deploy multiple WDAC policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by MEM Intune's Custom OMA-URI feature. You cannot use the "Deploy Windows Defender Application Control" group policy setting to deploy multiple CI policies. +In order to deploy multiple WDAC policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by MEM Intune's Custom OMA-URI feature. + +Note that WMI and GP do not currently support multiple policies. Instead customers should use the [ApplicationControl CSP via the MDM Bridge WMI Provider.](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) ### Deploying multiple policies locally In order to deploy policies locally using the new multiple policy format you will need to: -1. Ensure policies are copied to the right location - - Policies must be copied to this directory: C:\Windows\System32\CodeIntegrity\CiPolicies\Active -2. Binary policy files must have the correct name which takes the format {PolicyGUID}.cip - - Ensure that the name of the binary policy file is exactly the same as the PolicyID in the policy +1. Ensure binary policy files have the correct naming format of {PolicyGUID}.cip + - Ensure that the name of the binary policy file is exactly the same as the PolicyID GUID in the policy - For example, if the policy XML had the ID as `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}` then the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip +2. Copy binary policies to C:\Windows\System32\CodeIntegrity\CiPolicies\Active 3. 
Reboot the system ### Deploying multiple policies via ApplicationControl CSP From 76f4587c63bcc9439470052d829c6ac7f2b0b6fa Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Wed, 7 Oct 2020 10:47:43 -0700 Subject: [PATCH 02/24] Add warning for MDM WMI Bridge --- ...multiple-windows-defender-application-control-policies.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 99abb1a572..c3b796cf52 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -87,8 +87,6 @@ When merging, the policy type and ID of the leftmost/first policy specified is u In order to deploy multiple WDAC policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by MEM Intune's Custom OMA-URI feature. -Note that WMI and GP do not currently support multiple policies. Instead customers should use the [ApplicationControl CSP via the MDM Bridge WMI Provider.](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) - ### Deploying multiple policies locally In order to deploy policies locally using the new multiple policy format you will need to: 
@@ -102,3 +100,6 @@ In order to deploy policies locally using the new multiple policy format you wil ### Deploying multiple policies via ApplicationControl CSP Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. Refer to [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. + +> [!NOTE] +> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies. \ No newline at end of file From bdce156a229f89854ec66ed766bcda89d05904e3 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Mon, 19 Oct 2020 15:27:54 -0700 Subject: [PATCH 03/24] Added mfc40.dll to recommended block list --- .../microsoft-recommended-block-rules.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 06d6ee7d8f..4561b40720 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -158,6 +158,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + @@ -896,6 +897,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + 
From 0b0786fd866118df010ca7b23b25b1ab7de04736 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Tue, 20 Oct 2020 14:32:35 -0700 Subject: [PATCH 04/24] Added contributor to the acknowledgements section --- .../microsoft-recommended-block-rules.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 4561b40720..620cfbcd0b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -88,6 +88,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you |Lasse Trolle Borup | Langkjaer Cyber Defence | |Jimmy Bayne | @bohops | |Philip Tsukerman | @PhilipTsukerman | +|Brock Mammen| |
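Review bot: The added row `|Brock Mammen| |` in the acknowledgements table of microsoft-recommended-block-rules.md leaves the second column empty, while the neighbouring rows carry an affiliation or handle (`Langkjaer Cyber Defence`, `@bohops`, `@PhilipTsukerman`). Fill in the contributor's affiliation or handle if there is one, and match the cell spacing of the other rows so the table source stays consistent.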
From 198e2f8b18484ae8fe1e493e2dcf9f3b2cbd5709 Mon Sep 17 00:00:00 2001 From: Tina McNaboe <53281468+TinaMcN@users.noreply.github.com> Date: Mon, 2 Nov 2020 17:09:26 -0800 Subject: [PATCH 05/24] Update ie-edge-faqs.md Fixed Localization Priority metadata --- browsers/internet-explorer/kb-support/ie-edge-faqs.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.md b/browsers/internet-explorer/kb-support/ie-edge-faqs.md index 0257a9db03..5c29be5126 100644 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.md +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.md @@ -10,9 +10,7 @@ ms.prod: internet-explorer ms.technology: ms.topic: kb-support ms.custom: CI=111020 -ms.localizationpriority: Normal -# localization_priority: medium -# ms.translationtype: MT +ms.localizationpriority: medium ms.date: 01/23/2020 --- # Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros From 0e4ce05d012416e2daf174d4cb461397a1f956b8 Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Fri, 6 Nov 2020 15:18:45 +0100 Subject: [PATCH 06/24] Update enable-exploit-protection.md Audit of mitigations is not always available via PS but is with other management options --- .../enable-exploit-protection.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 2d44c8da7d..373ad6ff74 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md 
@@ -210,7 +210,7 @@ Set-Processmitigation -Name test.exe -Remove -Disable DEP This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet -- | - | - | - +-|-|-|- Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available 
@@ -225,20 +225,20 @@ Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreS Disable extension points | App-level only | ExtensionPoint | Audit not available Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available -Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available -Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available -Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available +Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] +Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] +Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] +Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] Validate handle usage | App-level only | StrictHandle | Audit not available Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available -Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available +Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] \[1\]: Use the following format to enable EAF modules for DLLs for a process: ```PowerShell Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` - +\[2\]: Audit for this mitigation is not available via Powershell CmdLet. 
## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. From 270aff93e29a8fa322638e9af089674428257785 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 6 Nov 2020 23:19:11 +0500 Subject: [PATCH 07/24] Instructional updates As suggested, some of the information was missing and has been added. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8567 --- .../exposed-apis-create-app-nativeapp.md | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index c93c7f464b..aa97239067 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md 
@@ -56,12 +56,24 @@ This page explains how to create an AAD application, get an access token to Micr ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app2.png) -3. In the registration from, enter the following information then select **Register**. +3. When the **Register an application** page appears, enter your application's registration information: - ![Image of Create application window](images/nativeapp-create2.png) + - **Name** - Enter a meaningful application name that will be displayed to users of the app. + - **Supported account types** - Select which accounts you would like your application to support. - - **Name:** -Your application name- - - **Application type:** Public client + | Supported account types | Description | + |-------------------------|-------------| + | **Accounts in this organizational directory only** | Select this option if you're building a line-of-business (LOB) application. This option is not available if you're not registering the application in a directory.

This option maps to Azure AD only single-tenant.

This is the default option unless you're registering the app outside of a directory. In cases where the app is registered outside of a directory, the default is Azure AD multi-tenant and personal Microsoft accounts. | + | **Accounts in any organizational directory** | Select this option if you would like to target all business and educational customers.

This option maps to an Azure AD only multi-tenant.

If you registered the app as Azure AD only single-tenant, you can update it to be Azure AD multi-tenant and back to single-tenant through the **Authentication** blade. | + | **Accounts in any organizational directory and personal Microsoft accounts** | Select this option to target the widest set of customers.

This option maps to Azure AD multi-tenant and personal Microsoft accounts.

If you registered the app as Azure AD multi-tenant and personal Microsoft accounts, you cannot change this in the UI. Instead, you must use the application manifest editor to change the supported account types. | + + - **Redirect URI (optional)** - Select the type of app you're building, **Web** or **Public client (mobile & desktop)**, and then enter the redirect URI (or reply URL) for your application. + - For web applications, provide the base URL of your app. For example, `http://localhost:31544` might be the URL for a web app running on your local machine. Users would use this URL to sign in to a web client application. + - For public client applications, provide the URI used by Azure AD to return token responses. Enter a value specific to your application, such as `myapp://auth`. + + To see specific examples for web applications or native applications, check out our [quickstarts](/azure/active-directory/develop/#quickstarts). + + When finished, select **Register**. 4. Allow your Application to access Microsoft Defender ATP and assign it 'Read alerts' permission: From a8b5947f4d25f55c561de1421f76f0607035b88e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 7 Nov 2020 19:49:06 +0500 Subject: [PATCH 08/24] Update exposed-apis-create-app-nativeapp.md minor tweak. --- .../microsoft-defender-atp/exposed-apis-create-app-nativeapp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index aa97239067..0767f473d0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md 
@@ -50,7 +50,7 @@ This page explains how to create an AAD application, get an access token to Micr ## Create an app -1. Log on to [Azure](https://portal.azure.com) with user that has **Global Administrator** role. +1. Log on to [Azure](https://portal.azure.com) with user account that has **Global Administrator** role. 2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**. From 58e7b8d5bb2d1c7569c9276f39f3d7140aad3948 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 9 Nov 2020 21:04:34 +0500 Subject: [PATCH 09/24] Update windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/exposed-apis-create-app-nativeapp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index 0767f473d0..f936483ccd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md @@ -50,7 +50,7 @@ This page explains how to create an AAD application, get an access token to Micr ## Create an app -1. Log on to [Azure](https://portal.azure.com) with user account that has **Global Administrator** role. +1. Log on to [Azure](https://portal.azure.com) with a user account that has the **Global Administrator** role. 2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**. From 539c1ccd99ef48e314fb4178011a68ed470f801e Mon Sep 17 00:00:00 2001 
From: Beth Levin Date: Mon, 9 Nov 2020 17:37:05 -0800 Subject: [PATCH 10/24] updated zeroday --- .../microsoft-defender-atp/tvm-security-recommendation.md | 2 +- .../microsoft-defender-atp/tvm-zero-day-vulnerabilities.md | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index b4ffcd5ce4..cab17aed46 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -95,7 +95,7 @@ From the flyout, you can choose any of the following options: - **Open software page** - Open the software page to get more context on the software and how it's distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution. -- [**Remediation options**](tvm-remediation.md) - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. +- [**Remediation options**](tvm-remediation.md) - Submit a remediation request to open a ticket in Microsoft Intune for your IT administrator to pick up and address. Track the remediation activity in the Remediation page. - [**Exception options**](tvm-exception.md) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue yet. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md index 62b6465eab..f1747bc294 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md @@ -84,10 +84,14 @@ Go to the security recommendation page and select a recommendation with a zero-d There will be a link to mitigation options and workarounds if they are available. Workarounds may help reduce the risk posed by this zero-day vulnerability until a patch or security update can be deployed. -Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose “update.” +Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. You won't be able to select a due date, since there is no specific action to perform. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose “update.” ![Zero day flyout example of Windows Server 2016 in the security recommendations page.](images/tvm-zero-day-software-flyout-400.png) +## Track zero-day remediation activities + +Go to the threat and vulnerability management [Remediation](tvm-remediation.md) page to view the remediation activity item. If you chose the "attention required" remediation option, there will be no progress bar or ticket status since there is no actual action we can monitor. + ## Patching zero-day vulnerabilities When a patch is released for the zero-day, the recommendation will be changed to “Update” and a blue label next to it that says “New security update for zero day.” It will no longer consider as a zero-day, the zero-day tag will be removed from all pages. 
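Review bot: In the rewritten paragraph of the `@@ -84,10 +84,14 @@` hunk in tvm-zero-day-vulnerabilities.md, the sentence being touched still reads "you wish to remediation"; change it to "you wish to remediate" while the line is open. The same line mixes straight quotes ("attention required") with curly quotes (“update.”), so pick one style for the option names. In the new "Track zero-day remediation activities" section, "there is no actual action we can monitor" does not say who "we" is; naming the product there would read more clearly.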
From c1e3ce52385ea06f99f49dd03cd7817c3d7a4422 Mon Sep 17 00:00:00 2001 From: JesseEsquivel <33558203+JesseEsquivel@users.noreply.github.com> Date: Tue, 10 Nov 2020 15:24:20 -0500 Subject: [PATCH 11/24] Item is missing from proxy/firewall requirements Should be the same as this link (missing *.azure-automation.net). The *.azure-automation.net url is also called out and checked in the defender for endpoint connectivity analyzer. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent#firewall-requirements --- .../microsoft-defender-atp/configure-proxy-internet.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 6abe8ff951..48fd0bee7d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -140,7 +140,8 @@ The information below list the proxy and firewall configuration information requ |------|---------|--------|--------| |*.ods.opinsights.azure.com |Port 443 |Outbound|Yes | |*.oms.opinsights.azure.com |Port 443 |Outbound|Yes | -|*.blob.core.windows.net |Port 443 |Outbound|Yes | +|*.blob.core.windows.net |Port 443 |Outbound|Yes | +|*.azure-automation.net |Port 443 |Outbound|Yes | > [!NOTE] From d291e049b1454d0121e74058450a1f368638b1fd Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Wed, 11 Nov 2020 19:13:24 +0100 Subject: [PATCH 12/24] Update windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/enable-exploit-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 373ad6ff74..d32e84b405 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -238,7 +238,7 @@ Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot ```PowerShell Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` -\[2\]: Audit for this mitigation is not available via Powershell CmdLet. +\[2\]: Audit for this mitigation is not available via Powershell cmdlets. ## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. From e76065c56e01d3f949d7403154b2f0a51048dcb3 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Wed, 11 Nov 2020 15:45:29 -0800 Subject: [PATCH 13/24] attention required --- .../microsoft-defender-atp/tvm-remediation.md | 10 +++++++--- .../tvm-zero-day-vulnerabilities.md | 2 +- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index 83f4fa34f0..a61efd6251 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md 
@@ -44,11 +44,13 @@ See [Use Intune to remediate vulnerabilities identified by Microsoft Defender AT 2. Select a security recommendation you would like to request remediation for, and then select **Remediation options**. -3. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices. +3. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. If you choose the "attention required" remediation option, selecting a due date will not be available since there is no specific action. -4. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. +4. Select **Submit request**. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices. -5. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request. +5. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. + +6. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request. If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. 
@@ -63,6 +65,8 @@ Lower your organization's exposure from vulnerabilities and increase your securi When you submit a remediation request from the Security recommendations page, it kicks-off a remediation activity. A security task is created that can be tracked in the threat and vulnerability management **Remediation** page, and a remediation ticket is created in Microsoft Intune. +If you chose the "attention required" remediation option, there will be no progress bar, ticket status, or due date since there is no actual action we can monitor. + Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete. ![Example of the Remediation page, with a selected remediation activity, and that activity's flyout listing the description, IT service and device management tools, and device remediation progress.](images/remediation_flyouteolsw.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md index f1747bc294..51fcf8acbc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md 
@@ -90,7 +90,7 @@ Open remediation options and choose the attention type. An "attention required" ## Track zero-day remediation activities -Go to the threat and vulnerability management [Remediation](tvm-remediation.md) page to view the remediation activity item. If you chose the "attention required" remediation option, there will be no progress bar or ticket status since there is no actual action we can monitor. +Go to the threat and vulnerability management [Remediation](tvm-remediation.md) page to view the remediation activity item. If you chose the "attention required" remediation option, there will be no progress bar, ticket status, or due date since there is no actual action we can monitor. You can filter by remediation type, such as "software update" or "attention required," to see all activity items in the same category. ## Patching zero-day vulnerabilities From 78eaf0bfa833e9f160ebc18a366886df93882aac Mon Sep 17 00:00:00 2001 From: Anna-Li <70676128+xl989@users.noreply.github.com> Date: Fri, 13 Nov 2020 14:27:49 +0800 Subject: [PATCH 14/24] CI_125045_Update_credential-guard-manage.md --- .../credential-guard/credential-guard-manage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 742dd80951..1d0b90717a 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -160,7 +160,7 @@ You can view System Information to check that Windows Defender Credential Guard 2. Click **System Summary**. -3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Configured**. +3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**. Here's an example: 
From 57d4a81f864e20be0868457bc01c3c9220fed7e3 Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Fri, 13 Nov 2020 17:28:00 +0100 Subject: [PATCH 15/24] Update configure-server-endpoints.md Use the Workspace ID you obtained and replacing `WorkspaceID` updated script as it did not work :) --- .../microsoft-defender-atp/configure-server-endpoints.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index ad4b3d8853..0af0c2d391 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -249,12 +249,14 @@ To offboard the Windows server, you can use either of the following methods: 2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`: ```powershell + $ErrorActionPreference = "SilentlyContinue" # Load agent scripting object $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg # Remove OMS Workspace - $AgentCfg.RemoveCloudWorkspace($WorkspaceID) + $AgentCfg.RemoveCloudWorkspace("WorkspaceID") # Reload the configuration and apply changes $AgentCfg.ReloadConfiguration() + ``` ## Related topics - [Onboard Windows 10 devices](configure-endpoints.md) From a8bfdbb3d3ad86781d5ed8b0c041c354b0bd8652 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 13 Nov 2020 09:29:31 -0800 Subject: [PATCH 16/24] Update enable-exploit-protection.md --- .../enable-exploit-protection.md | 70 +++++++++---------- 1 file changed, 35 insertions(+), 35 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index d32e84b405..60e02d7bb1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -10,7 +10,7 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.reviewer: +ms.reviewer: ksarens manager: dansimp --- @@ -54,8 +54,8 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- If the app you want to configure is already listed, click it and then click **Edit**. - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows. 
@@ -70,12 +70,12 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: -Enabled in **Program settings** | Enabled in **System settings** | Behavior --|-|- -[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** -[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** -[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** -[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option +|Enabled in **Program settings** | Enabled in **System settings** | Behavior | +|:---|:---|:---| +|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** | +|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** | +|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** | +|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option | ### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default 
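Review bot: In the **Program settings** / **System settings** matrix, the third and fourth rows carry the same inputs (check-no for **Program settings**, check-yes for **System settings**) yet give different behaviors, "As defined in **System settings**" and "Default as defined in **Use default** option". The conversion to a piped table keeps that duplicate. The last row presumably should show check-no in both columns, so correct it in this change while the table is being touched.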
@@ -98,8 +98,8 @@ The result will be that DEP will be enabled for *test.exe*. DEP will not be enab 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- If the app you want to configure is already listed, click it and then click **Edit**. - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 
@@ -209,29 +209,29 @@ Set-Processmitigation -Name test.exe -Remove -Disable DEP This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. -Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet --|-|-|- -Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available -Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available -Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available -Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available -Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available -Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available -Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode -Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad -Block remote images | App-level only | BlockRemoteImages | Audit not available -Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly -Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned -Disable extension points | App-level only | ExtensionPoint | Audit not available -Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall -Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] -Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] -Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] -Validate API invocation 
(CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] -Validate handle usage | App-level only | StrictHandle | Audit not available -Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available -Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] +|Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet | +|:---|:---|:---|:---| +|Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available | +|Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available | +|Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available | +|Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available +|Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available +|Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available +|Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode +|Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad +|Block remote images | App-level only | BlockRemoteImages | Audit not available +|Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly +|Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned +|Disable extension points | App-level only | ExtensionPoint | Audit not available +|Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall +|Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess +|Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] | +||Import 
address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] | +|Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] | +|Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] | +|Validate handle usage | App-level only | StrictHandle | Audit not available | +|Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available | +|Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] | \[1\]: Use the following format to enable EAF modules for DLLs for a process: @@ -243,7 +243,7 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. -## Related topics +## See also * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Configure and audit exploit protection mitigations](customize-exploit-protection.md) From f537f713a3ae332b1944c41305e4149343b44399 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 13 Nov 2020 09:42:13 -0800 Subject: [PATCH 17/24] Update deploy-multiple-windows-defender-application-control-policies.md --- ...-windows-defender-application-control-policies.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index c3b796cf52..fc4dacb214 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 09/16/2020 +ms.date: 11/13/2020 --- # Use multiple Windows Defender Application Control Policies 
@@ -91,15 +91,15 @@ In order to deploy multiple WDAC policies, you must either deploy them locally b In order to deploy policies locally using the new multiple policy format you will need to: -1. Ensure binary policy files have the correct naming format of {PolicyGUID}.cip +1. Ensure binary policy files have the correct naming format of `{PolicyGUID}.cip`. - Ensure that the name of the binary policy file is exactly the same as the PolicyID GUID in the policy - - For example, if the policy XML had the ID as `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}` then the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip -2. Copy binary policies to C:\Windows\System32\CodeIntegrity\CiPolicies\Active -3. Reboot the system + - For example, if the policy XML had the ID as `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}`, then the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip +2. Copy binary policies to `C:\Windows\System32\CodeIntegrity\CiPolicies\Active`. +3. Reboot the system. ### Deploying multiple policies via ApplicationControl CSP Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. Refer to [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. > [!NOTE] -> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies. \ No newline at end of file +> WMI and GP do not currently support multiple policies. 
Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies. From c14c7f2a3616ed0435e8e3254899b97ce67568f5 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 13 Nov 2020 09:48:16 -0800 Subject: [PATCH 18/24] Update deploy-multiple-windows-defender-application-control-policies.md --- ...ndows-defender-application-control-policies.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index fc4dacb214..141e2ddbf0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md 
@@ -27,7 +27,7 @@ ms.date: 11/13/2020 The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios: 1. Enforce and Audit Side-by-Side - - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side-by-side with an existing enforcement-mode base policy + - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side by side with an existing enforcement-mode base policy 2. Multiple Base Policies - Users can enforce two or more base policies simultaneously in order to allow simpler policy targeting for policies with different scope/intent - If two base policies exist on a device, an application has to be allowed by both to run 
@@ -54,13 +54,13 @@ In order to allow multiple policies to exist and take effect on a single system, New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash ``` -Optionally, you can choose to make the new base policy supplementable (allow supplemental policies). +Optionally, you can choose to make the new base policy allow for supplemental policies. ```powershell Set-RuleOption -FilePath -Option 17 ``` -For signed base policies that are being made supplementable, you need to ensure that supplemental signers are defined. Use the "Supplemental" switch in Add-SignerRule to provide supplemental signers. +For signed base policies to allow for supplemental policies, make sure that supplemental signers are defined. Use the **Supplemental** switch in **Add-SignerRule** to provide supplemental signers. ```powershell Add-SignerRule -FilePath -CertificatePath [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] [] @@ -77,7 +77,8 @@ In order to create a supplemental policy, begin by creating a new policy in the Set-CIPolicyIdInfo [-FilePath] [-PolicyName ] [-SupplementsBasePolicyID ] [-BasePolicyToSupplementPath ] [-ResetPolicyID] [-PolicyId ] [] ``` -Note that "ResetPolicyId" reverts a supplemental policy to a base policy, and resets the policy GUIDs back to a random GUID. +> [!NOTE] +> **ResetPolicyId** reverts a supplemental policy to a base policy, and resets the policy GUIDs back to a random GUID. ### Merging policies 
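Review bot: In the Add-SignerRule paragraph and the new `[!NOTE]`, switch and cmdlet names move from quotes to bold (**Supplemental**, **Add-SignerRule**, **ResetPolicyId**), while the same patch series puts literals such as `{PolicyGUID}.cip` in code formatting. Use backticks for cmdlet and parameter names so they read as text to type, and spell the switch the way the syntax line above the note does, `-ResetPolicyID`, not ResetPolicyId.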
@@ -89,17 +90,17 @@ In order to deploy multiple WDAC policies, you must either deploy them locally b ### Deploying multiple policies locally -In order to deploy policies locally using the new multiple policy format you will need to: +To deploy policies locally using the new multiple policy format, follow these steps: 1. Ensure binary policy files have the correct naming format of `{PolicyGUID}.cip`. - Ensure that the name of the binary policy file is exactly the same as the PolicyID GUID in the policy - - For example, if the policy XML had the ID as `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}`, then the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip + - For example, if the policy XML had the ID as `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}`, then the correct name for the binary policy file would be `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip`. 2. Copy binary policies to `C:\Windows\System32\CodeIntegrity\CiPolicies\Active`. 3. Reboot the system. ### Deploying multiple policies via ApplicationControl CSP -Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. Refer to [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. +Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. See [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. > [!NOTE] > WMI and GP do not currently support multiple policies. 
Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies. From 8cb392bcc58a1f47baed766e2f2a23998b677bff Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 13 Nov 2020 09:49:01 -0800 Subject: [PATCH 19/24] Update deploy-multiple-windows-defender-application-control-policies.md --- ...oy-multiple-windows-defender-application-control-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 141e2ddbf0..31c3deaf6b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md 
@@ -48,7 +48,7 @@ The restriction of only having a single code integrity policy active on a system ## Creating WDAC policies in Multiple Policy Format -In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below is an example of creating a new policy in the multiple policy format. +In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps&preserve-view=true) results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below is an example of creating a new policy in the multiple policy format. ```powershell New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash From 05f1ccbd0a84e802f19bab5bc5081568ac0d66c7 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 13 Nov 2020 10:37:22 -0800 Subject: [PATCH 20/24] Updated what's new for the new SurfaceHub CSP node --- .../mdm/change-history-for-mdm-documentation.md | 1 + .../mdm/new-in-windows-mdm-enrollment-management.md | 1 + 2 files changed, 2 insertions(+) diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md index b1d4002955..556ff58e7a 100644 --- a/windows/client-management/mdm/change-history-for-mdm-documentation.md +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md 
@@ -21,6 +21,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |New or updated article | Description| |--- | ---| | [Policy CSP](policy-configuration-service-provider.md) | Added the following new policy:
- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) | +| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
-Properties/SleepMode | ## October 2020 diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index ee9ee3c5f7..15c29f831f 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -27,6 +27,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s |New or updated article|Description| |-----|-----| | [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2:
- [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) | +| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
-Properties/SleepMode | | [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:
- Settings/AllowWindowsDefenderApplicationGuard | ## What’s new in MDM for Windows 10, version 2004 From 91b3e607050566f388d91047328a959114925e75 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Fri, 13 Nov 2020 11:00:24 -0800 Subject: [PATCH 21/24] Additional notes on Big Sur --- .../threat-protection/microsoft-defender-atp/mac-exclusions.md | 3 +++ .../threat-protection/microsoft-defender-atp/mac-whatsnew.md | 3 +++ .../microsoft-defender-atp/microsoft-defender-atp-mac.md | 3 +++ 3 files changed, 9 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md index 04b95ce93b..2e17fbc6fd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md @@ -58,6 +58,9 @@ Wildcard | Description | Example | Matches | Does not match \* | Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/*/*.log` | `/var/log/system.log` | `/var/log/nested/system.log` ? | Matches any single character | `file?.log` | `file1.log`
`file2.log` | `file123.log` +>[!NOTE] +>The product attempts to resolve firmlinks when evaluating exclusions. Firmlink resolution does not work when the exclusion contains wildcards or the target file (on the `Data` volume) does not exist. + ## How to configure the list of exclusions ### From the management console diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 719aa6fb32..b40f3ea88c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -23,6 +23,9 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +> [!IMPORTANT] +> On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [this page](mac-sysext-policies.md). + > [!IMPORTANT] > Extensive testing of MDE (Microsoft Defender for Endpoint) with new system extensions on macOS 11 (Big Sur) revealed an intermittent issue that impacts macOS devices with specific graphic cards models. In rare cases on impacted macOS devices calls into macOS system extensions were seen resulting in kernel panic. Microsoft is actively working with Apple engineering to clarify profile of impacted devices and to address this macOS issue. In the meantime, if you encounter such a kernel panic, please submit a feedback report to Apple through the Feedback Assistant app. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index 0121869dec..44dd5225e9 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -65,6 +65,9 @@ There are several methods and deployment tools that you can use to install and c The three most recent major releases of macOS are supported. +> [!IMPORTANT] +> On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [this page](mac-sysext-policies.md). + > [!IMPORTANT] > Extensive testing of MDE (Microsoft Defender for Endpoint) with new system extensions on macOS 11 (Big Sur) revealed an intermittent issue that impacts macOS devices with specific graphic cards models. In rare cases on impacted macOS devices calls into macOS system extensions were seen resulting in kernel panic. Microsoft is actively working with Apple engineering to clarify profile of impacted devices and to address this macOS issue. In the meantime, if you encounter such a kernel panic, please submit a feedback report to Apple through the Feedback Assistant app. From 03cb3db29569f61c3f44d14ceedd7bc0f20feb07 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Fri, 13 Nov 2020 11:26:13 -0800 Subject: [PATCH 22/24] pencil edit --- .../microsoft-defender-atp/exposed-apis-create-app-nativeapp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index f038690f96..fb00021426 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md 
@@ -73,7 +73,7 @@ This page explains how to create an AAD application, get an access token to Micr To see specific examples for web applications or native applications, check out our [quickstarts](/azure/active-directory/develop/#quickstarts). - When finished, select **Register**. + When finished, select **Register**. 4. Allow your Application to access Microsoft Defender for Endpoint and assign it 'Read alerts' permission: From 96acfc092935e1cfcbe87c5456dae2cba0a2285d Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Fri, 13 Nov 2020 12:24:00 -0800 Subject: [PATCH 23/24] software page update --- .../microsoft-defender-atp/tvm-software-inventory.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index c8bd26da4e..5193e38674 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -57,7 +57,7 @@ Select the software that you want to investigate. A flyout panel will open with ### Software that isn't supported -Software that isn't currently supported by threat & vulnerability management is still present in the Software inventory page. Because it is not supported, only limited data will be available. Filter by unsupported software with the "Not available" option in the "Weakness" section. +Software that isn't currently supported by threat & vulnerability management may still be present in the Software inventory page. Because it is not supported, only limited data will be available. Filter by unsupported software with the "Not available" option in the "Weakness" section. ![Unsupported software filter.](images/tvm-unsupported-software-filter.png) 
@@ -66,6 +66,7 @@ The following indicates that a software is not supported: - Weaknesses field shows "Not available" - Exposed devices field shows a dash - Informational text added in side panel and in software page +- The software page won't have the security recommendations, discovered vulnerabilities, or event timeline sections Currently, products without a CPE are not shown in the software inventory page, only in the device level software inventory. From 7bbcd7f6ffe532e13b72a76c8e7c8b5e7b748882 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Fri, 13 Nov 2020 12:25:29 -0800 Subject: [PATCH 24/24] remove still --- .../microsoft-defender-atp/tvm-software-inventory.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index 5193e38674..d18b376b49 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -57,7 +57,7 @@ Select the software that you want to investigate. A flyout panel will open with ### Software that isn't supported -Software that isn't currently supported by threat & vulnerability management may still be present in the Software inventory page. Because it is not supported, only limited data will be available. Filter by unsupported software with the "Not available" option in the "Weakness" section. +Software that isn't currently supported by threat & vulnerability management may be present in the Software inventory page. Because it is not supported, only limited data will be available. Filter by unsupported software with the "Not available" option in the "Weakness" section. ![Unsupported software filter.](images/tvm-unsupported-software-filter.png)
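Review bot: In PATCH 15/24 (configure-server-endpoints.md, offboarding step 2), the added first line `$ErrorActionPreference = "SilentlyContinue"` hides every failure in the script. If `New-Object -ComObject AgentConfigManager.MgmtSvcCfg` or `RemoveCloudWorkspace("WorkspaceID")` fails, nothing is printed and the workspace may still be attached while the admin believes the server was offboarded. Drop that line or replace it with an explicit check and message, and keep in mind that the preference stays in effect for the rest of the elevated session it is pasted into. The step text "Use the Workspace ID you obtained and replacing `WorkspaceID`" is also still ungrammatical; "replace `WorkspaceID` with the Workspace ID you obtained" fits now that the placeholder is a quoted literal.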
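Review bot: In PATCH 16/24 (enable-exploit-protection.md, hunk @@ -209,29), the rebuilt cmdlet table is inconsistent. The "Import address filtering (IAF)" row starts with `||`, which inserts an empty first cell and shifts its values one column to the right, and the rows from "Randomize memory allocations (Bottom-Up ASLR)" through "Do not allow child processes" have no closing `|` while the rows around them do. Remove the extra pipe and close every row the same way so each mitigation lines up with its own audit setting.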
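Review bot: In PATCH 20/24, both added SurfaceHub CSP rows (change-history-for-mdm-documentation.md and new-in-windows-mdm-enrollment-management.md) write the node as "-Properties/SleepMode", with no space after the hyphen, whereas every neighbouring entry uses "- " before the node name. Add the space, and consider linking the node to its section in surfacehub-csp.md the way the Policy CSP entries link theirs, for example "- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout)".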
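Review bot: In PATCH 21/24 (mac-exclusions.md), the new note says firmlink resolution does not work when the exclusion contains wildcards or the target file on the `Data` volume does not exist, but it does not say what happens to the exclusion in those cases or what an admin should write instead. State the outcome (for example, that the exclusion is then matched only against the path as typed, if that is the behavior) so the limitation is actionable. The Big Sur `[!IMPORTANT]` block is also added verbatim to both mac-whatsnew.md and microsoft-defender-atp-mac.md with the link text "this page"; a shared include, like the `[!INCLUDE [Microsoft 365 Defender rebranding]...]` line already in mac-whatsnew.md, plus descriptive link text would keep the two copies from drifting apart.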