diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 095e765c2a..bd9b057880 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -6,6 +6,21 @@ "redirect_document_id": true }, { +"source_path": "windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md", +"redirect_url": "/windows/security/information-protection/bitlocker/bitlocker-countermeasures", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md", +"redirect_url": "/windows/security/information-protection/bitlocker/bitlocker-countermeasures", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure.md", +"redirect_url": "/windows/security/information-protection/bitlocker/bitlocker-countermeasures", +"redirect_document_id": false +}, +{ "source_path": "windows/security/threat-protection/intelligence/transparency-report.md", "redirect_url": "/windows/security/threat-protection/intelligence/av-tests", "redirect_document_id": true @@ -21,6 +36,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows", +"redirect_document_id": true +}, +{ "source_path": "windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md", "redirect_url": "/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows", "redirect_document_id": true diff --git a/browsers/edge/group-policies/extensions-management-gp.md b/browsers/edge/group-policies/extensions-management-gp.md index 4f12302469..5f85feab3f 100644 --- a/browsers/edge/group-policies/extensions-management-gp.md +++ b/browsers/edge/group-policies/extensions-management-gp.md @@ -5,7 +5,7 @@ services: keywords: Don’t add or edit keywords without consulting your SEO champ. author: shortpatti ms.author: pashort -ms.date: 07/25/2018 +ms.date: 09/05/2018 ms.topic: article ms.prod: edge ms.mktglfcycl: explore diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md index cd31220caa..896d0512a7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md @@ -17,7 +17,7 @@ You can use the Group Policy setting, **Set a default associations configuration **To set the default browser as Internet Explorer 11** -1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

+1. Open your Group Policy editor and go to the **Computer Configuration\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268). ![set default associations group policy setting](images/setdefaultbrowsergp.png) diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index 05e12d5cce..a22acbdaf9 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md @@ -14,8 +14,8 @@ ms.date: 07/27/2018 Welcome to the latest Insider Preview builds for HoloLens! It’s simple to get started and provide valuable feedback for our next major operating system update for HoloLens. ->Latest insider version: 10.0.17720.1000 + ## How do I install the Insider builds? @@ -89,7 +89,7 @@ When you’re done with setup, go to **Settings -> Update & Security -> Windows ## Note for language support - You can’t change the system language between English, Japanese, and Chinese using the Settings app. Flashing a new build is the only supported way to change the device system language. -- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the ~ key on a hardware keyboard toggles the keyboard to type in English). +- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the Shift key on a hardware keyboard toggles the keyboard to type in English). ## Note for developers diff --git a/devices/hololens/hololens-install-apps.md b/devices/hololens/hololens-install-apps.md index 3de34452cf..f21afb8e8a 100644 --- a/devices/hololens/hololens-install-apps.md +++ b/devices/hololens/hololens-install-apps.md @@ -79,13 +79,15 @@ Using Intune, you can also [monitor your app deployment](https://docs.microsoft. >[!TIP] >If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#security_certificate). -4. In the Windows Device Portal, click **Apps**. +4. In the Windows Device Portal, click **Views** and select **Apps**. ![App Manager](images/apps.png) -5. In **Install app**, select an **app package** from a folder on your computer or network. If the app package requires additional software, click **Add dependency**. +5. Click **Add** to open the **Deploy or Install Application dialog**. -6. In **Deploy**, click **Go** to deploy the app package and added dependencies to the connected HoloLens. +6. Select an **app package** from a folder on your computer or network. If the app package requires additional software or framework packages, click **I want to specify framework packages**. + +7. Click **Next** to deploy the app package and added dependencies to the connected HoloLens. diff --git a/devices/hololens/images/apps.png b/devices/hololens/images/apps.png index 5cb3b7ec8f..4e00aa96fc 100644 Binary files a/devices/hololens/images/apps.png and b/devices/hololens/images/apps.png differ diff --git a/devices/hololens/images/windows-device-portal-home-page.png b/devices/hololens/images/windows-device-portal-home-page.png index 9604161bcd..55e4b0eaad 100644 Binary files a/devices/hololens/images/windows-device-portal-home-page.png and b/devices/hololens/images/windows-device-portal-home-page.png differ diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md index 899e37b475..f037f97ecb 100644 --- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md +++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md @@ -34,7 +34,7 @@ PowerShell scripts to help set up and manage your Microsoft Surface Hub. To successfully execute these PowerShell scripts, you will need to install the following prerequisites: - [Microsoft Online Services Sign-in Assistant for IT Professionals RTW](https://www.microsoft.com/download/details.aspx?id=41950) -- [Microsoft Azure Active Directory Module for Windows PowerShell (64-bit version)](https://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185) +- [Microsoft Azure Active Directory Module for Windows PowerShell (64-bit version)](https://www.powershellgallery.com/packages/MSOnline/1.1.183.17) - [Windows PowerShell Module for Skype for Business Online](https://www.microsoft.com/download/details.aspx?id=39366) ## PowerShell scripts for Surface Hub administrators diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md index 90479cad66..fde0bb2f8a 100644 --- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 04/12/2018 +ms.date: 08/30/2018 ms.localizationpriority: medium --- @@ -145,17 +145,17 @@ To enable Skype for Business online, your tenant users must have Exchange mailbo | --- | --- | --- | --- | | Join a scheduled meeting | Skype for Business Standalone Plan 1 | E1, 3, 4, or 5 | Skype for Business Server Standard CAL | | Initiate an ad-hoc meeting | Skype for Business Standalone Plan 2 | E 1, 3, 4, or 5 | Skype for Business Server Standard CAL or Enterprise CAL | -| Initiate an ad-hoc meeting and dial out from a meeting to phone numbers | Skype for Business Standalone Plan 2 with PSTN Conferencing

**Note** PSTN consumption billing is optional | E1 or E3 with PSTN Conferencing, or E5| Skype for Business Server Standard CAL or Enterprise CAL | -| Give the room a phone number and make or receive calls from the room or join a dial-in conference using a phone number | Skype for Business Standalone Plan 2 with Cloud PBX and a PSTN Voice Calling plan | E1 or E3 with Cloud PBX and a PSTN Voice Calling plan, or E5 | Skype for Business Server Standard CAL or Plus CAL | +| Initiate an ad-hoc meeting and dial out from a meeting to phone numbers | Skype for Business Standalone Plan 2 with Audio Conferencing

**Note** PSTN consumption billing is optional | E1 or E3 with Audio Conferencing, or E5| Skype for Business Server Standard CAL or Enterprise CAL | +| Give the room a phone number and make or receive calls from the room or join a dial-in conference using a phone number | Skype for Business Standalone Plan 2 with Phone System and a PSTN Voice Calling plan | E1 or E3 with Phone System and a PSTN Voice Calling plan, or E5 | Skype for Business Server Standard CAL or Plus CAL | The following table lists the Office 365 plans and Skype for Business options. -| O365 Plan | Skype for Business | Cloud PBX | PSTN Conferencing | PSTN Calling | +| O365 Plan | Skype for Business | Phone System | Audio Conferencing | Calling Plans | | --- | --- | --- | --- | --- | | O365 Business Essentials | Included | | | | | O365 Business Premium | Included | | | | -| E1 | Included | Add-on | Add-on | Add-on (requires Cloud PBX add-on) | -| E3 | Included | Add-on | Add-on | Add-on (requires Cloud PBX add-on) | +| E1 | Included | Add-on | Add-on | Add-on (requires Phone System add-on) | +| E3 | Included | Add-on | Add-on | Add-on (requires Phone System add-on) | | E5 | Included | Included | Included | Add-on | 1. Start by creating a remote PowerShell session from a PC to the Skype for Business online environment. @@ -190,7 +190,7 @@ The following table lists the Office 365 plans and Skype for Business options. - Click **Licenses**. - - In **Assign licenses**, select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub. + - In **Assign licenses**, select Skype for Business (Plan 1) or Skype for Business (Plan 2), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 2 license if you want to use Enterprise Voice on your Surface Hub. - Click **Save**. @@ -291,7 +291,8 @@ Use this procedure if you use Exchange online. - Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected. - >**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account. + >[!IMPORTANT] + >Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account. ![Image showing password dialog box.](images/hybriddeployment-02a.png) diff --git a/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md b/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md index 5dec2b8fb8..4f285ff5cf 100644 --- a/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md +++ b/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md @@ -50,7 +50,7 @@ The hardware requirements are applicable to all versions. Operating System Edition Service Pack -System Architecture +Achitectural SKU @@ -74,31 +74,21 @@ The hardware requirements are applicable to all versions.

Windows 8

-

Professional or Enterprise Edition

+

Pro or Enterprise Edition

x86 and x64

-  - -**Note**   The following software prerequisites are installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, the following products must be installed first. - - **Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2005 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=119961) (https://go.microsoft.com/fwlink/?LinkId=119961). For version 4.5 SP2 of the App-V client, download Vcredist\_x86.exe from [Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update](https://go.microsoft.com/fwlink/?LinkId=169360) (https://go.microsoft.com/fwlink/?LinkId=169360). + - **Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)**—For more information about installing Microsoft Core XML Services (MSXML) 6.0 SP1 (x86), see [Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)](https://go.microsoft.com/fwlink/?LinkId=63266) (https://go.microsoft.com/fwlink/?LinkId=63266). -- **Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)**—For more information about installing Microsoft Core XML Services (MSXML) 6.0 SP1 (x86), see [Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)](https://go.microsoft.com/fwlink/?LinkId=63266) (https://go.microsoft.com/fwlink/?LinkId=63266). - -  - -**Note**   For the Application Virtualization (App-V) 4.6 Desktop Client, the following additional software prerequisite is installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, you must also install with the other prerequisites listed. - **Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=150700) (https://go.microsoft.com/fwlink/?LinkId=150700). -  - ### Software Requirements for Versions that Precede App-V 4.6 SP2 @@ -113,7 +103,7 @@ For the Application Virtualization (App-V) 4.6 Desktop Client, the following add - + @@ -121,33 +111,26 @@ For the Application Virtualization (App-V) 4.6 Desktop Client, the following add - + - + - +
Operating System Edition Service PackSystem ArchitectureAchitectural SKU

Windows XP

Professional Edition

SP2 or SP3

x86

x86 and x64

Windows Vista

Business, Enterprise, or Ultimate Edition

No service pack, SP1, or SP2

x86

x86 and x64

Windows 7¹

Professional, Enterprise, or Ultimate Edition

No service pack or SP1

x86

x86 and x64
- -  - ¹Supported for App-V 4.5 SP1 and SP2, App-V 4.6 and 4.6 SP1 only -**Note**   -The Application Virtualization (App-V) 4.6 Desktop Client supports 32-bit and 64-bit versions of these operating systems. +The Application Virtualization (App-V) 4.6 Desktop Client supports x86 and x64 SKUs of these operating systems. -  - -**Note**   The following software prerequisites are installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, the following products must be installed first. - **Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2005 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=119961) (https://go.microsoft.com/fwlink/?LinkId=119961). For version 4.5 SP2 of the App-V client, download Vcredist\_x86.exe from [Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update](https://go.microsoft.com/fwlink/?LinkId=169360) (https://go.microsoft.com/fwlink/?LinkId=169360). @@ -156,25 +139,16 @@ The following software prerequisites are installed automatically if you are usin - **Microsoft Application Error Reporting**—The installation program for this software is included in the **Support\\Watson** folder in the self-extracting archive file. -  - -**Note**   For the Application Virtualization (App-V) 4.6 Desktop Client, the following additional software prerequisite is installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, you must also install with the other prerequisites listed. - **Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=150700) (https://go.microsoft.com/fwlink/?LinkId=150700). -  - ## Application Virtualization Client for Remote Desktop Services - Following are the recommended hardware and software requirements for the Application Virtualization Client for Remote Desktop Services. The requirements are listed first for appv461\_3, followed by the requirements for versions that preceded App-V 4.6 SP2. -**Note**   The Application Virtualization (App-V) Client for Remote Desktop Services requires no additional processor or RAM resources beyond the requirements of the host operating system. -  - ### Hardware Requirements The hardware requirements are applicable to all versions. @@ -199,7 +173,7 @@ The hardware requirements are applicable to all versions. Operating System Edition Service Pack -System Architecture +Achitectural SKU @@ -207,13 +181,13 @@ The hardware requirements are applicable to all versions.

Windows Server 2003 R2

Standard Edition, Enterprise Edition, or Datacenter Edition

SP2

-

x86

+

x86 and x64

Windows Server 2008

Standard, Enterprise, or Datacenter Edition

SP2

-

x86

+

x86 and x64

Windows Server 2008 R2

@@ -225,14 +199,11 @@ The hardware requirements are applicable to all versions.

Windows Server 2012

Standard, Enterprise, or Datacenter Edition

-

x86 or x64

+

x64

-  - -**Note**   The following software prerequisites are installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, the following products must be installed first. - **Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2005 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=119961) (https://go.microsoft.com/fwlink/?LinkId=119961). For version 4.5 SP2 of the App-V client, download Vcredist\_x86.exe from [Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update](https://go.microsoft.com/fwlink/?LinkId=169360) (https://go.microsoft.com/fwlink/?LinkId=169360). @@ -241,15 +212,10 @@ The following software prerequisites are installed automatically if you are usin - **Microsoft Application Error Reporting**—The installation program for this software is included in the **Support\\Watson** folder in the self-extracting archive file. -  - -**Note**   For the Application Virtualization (App-V) 4.6 Desktop Client, the following additional software prerequisite is installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, you must also install with the other prerequisites listed. - **Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=150700) (https://go.microsoft.com/fwlink/?LinkId=150700). -  - ### Software Requirements for Versions that Precede App-V 4.6 SP2 @@ -264,7 +230,7 @@ For the Application Virtualization (App-V) 4.6 Desktop Client, the following add - + @@ -272,19 +238,19 @@ For the Application Virtualization (App-V) 4.6 Desktop Client, the following add - + - + - + @@ -295,31 +261,11 @@ For the Application Virtualization (App-V) 4.6 Desktop Client, the following add
Operating System Edition Service PackSystem ArchitectureAchitectural SKU

Windows Server 2003

Standard Edition, Enterprise Edition, or Datacenter Edition

SP1 or SP2

x86

x86 and x64

Windows Server 2003 R2

Standard Edition, Enterprise Edition, or Datacenter Edition

No service pack or SP2

x86

x86 and x64

Windows Server 2008

Standard, Enterprise, or Datacenter Edition

SP1 or SP2

x86

x86 and x64

Windows Server 2008 R2
-  - -**Note**   -The Application Virtualization (App-V) 4.6 Client for Remote Desktop Services supports 32-bit and 64-bit versions of these operating systems. - -  +The Application Virtualization (App-V) 4.6 Client for Remote Desktop Services supports x86 and x64 SKUs of these operating systems. ## Related topics - - -[Application Virtualization Sequencer Hardware and Software Requirements](application-virtualization-sequencer-hardware-and-software-requirements.md) - -[Application Virtualization System Requirements](application-virtualization-system-requirements.md) - -[How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md) - -[How to Manually Install the Application Virtualization Client](how-to-manually-install-the-application-virtualization-client.md) - -[How to Upgrade the Application Virtualization Client](how-to-upgrade-the-application-virtualization-client.md) - -  - -  - - - - - +- [Application Virtualization Sequencer Hardware and Software Requirements](application-virtualization-sequencer-hardware-and-software-requirements.md) +- [Application Virtualization System Requirements](application-virtualization-system-requirements.md) +- [How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md) +- [How to Manually Install the Application Virtualization Client](how-to-manually-install-the-application-virtualization-client.md) +- [How to Upgrade the Application Virtualization Client](how-to-upgrade-the-application-virtualization-client.md) diff --git a/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md b/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md index 01ed9e88ed..9186e17f03 100644 --- a/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md +++ b/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md @@ -86,7 +86,7 @@ The following list outlines the supported operating systems for running the App-

Windows 8

-

Professional or Enterprise Edition

+

Pro or Enterprise Edition

x86 and x64

diff --git a/mdop/appv-v5/about-app-v-51-dynamic-configuration.md b/mdop/appv-v5/about-app-v-51-dynamic-configuration.md index b88cdd9529..45009f6404 100644 --- a/mdop/appv-v5/about-app-v-51-dynamic-configuration.md +++ b/mdop/appv-v5/about-app-v-51-dynamic-configuration.md @@ -1,877 +1,905 @@ --- -title: About App-V 5.1 Dynamic Configuration -description: About App-V 5.1 Dynamic Configuration +title: About App-V 5.1 dynamic configuration +description: You can use the dynamic configuration to customize an App-V 5.1 package for a user. Use the following information to create or edit an existing dynamic configuration file. author: jamiejdt -ms.assetid: 6cc1027c-576f-483b-ad0d-bb700594a92c +ms.assetid: 35bc9908-d502-4a9c-873f-8ee17b6d9d74 ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 06/16/2016 +ms.date: 08/28/2018 +ms.author: pashort --- +# About App-V 5.1 dynamic configuration +With dynamic configuration, you can edit the dynamic configuration file to customize how an App-V 5.1 package runs for a user or group. Package customization removes the need to resequence packages using the desired settings. It also provides a way to keep package content and custom settings independent. -# About App-V 5.1 Dynamic Configuration +Virtual application packages contain a manifest that provides all the core information for the package. This information includes the defaults for the package settings and determines settings in the most basic form (with no additional customization). +When a package gets created, the sequencer generates default deployment and user configuration .xml files automatically using the package manifest data. Therefore, these generated files reflect the default settings configured during sequencing. If you apply these files to a package in the form generated by the sequencer, the packages have the same default settings that came from their manifest. -You can use the dynamic configuration to customize an App-V 5.1 package for a user. Use the following information to create or edit an existing dynamic configuration file. +Use these generated files to make changes, if necessary, which doesn’t directly affect the package. If you want to add, delete or update the configuration files, make your changes about the default values in the manifest information. -When you edit the dynamic configuration file it customizes how an App-V 5.1 package will run for a user or group. This helps to provide a more convenient method for package customization by removing the need to re-sequence packages using the desired settings, and provides a way to keep package content and custom settings independent. +>[!TIP] +>The order in which the files read are:

The first entry represents what gets read last. Therefore, its content takes precedence, and all packages inherently contain and provide default settings from the package manifest.

  1. If customizing the DeploymentConfig.xml file and apply the customized settings, the default settings in the package manifest get overridden.
  2. If customizing the UserConfig.xml and apply the customized settings, the default settings for both the deployment configuration and the package manifest get overridden.
-## Advanced: Dynamic Configuration +## User configuration file contents (UserConfig.xml) +The UserConfig file provides configuration settings that get applied for a specific user when deploying the package to a computer running the App-V 5.1 client. These settings don’t affect any other users on the client. +Use the UserConfig file to specify or modify custom settings for a package: -Virtual application packages contain a manifest that provides all the core information for the package. This information includes the defaults for the package settings and determines settings in the most basic form (with no additional customization). If you want to adjust these defaults for a particular user or group, you can create and edit the following files: +- Extensions integrated into the native system per user: shortcuts, file-type associations, URL protocols, AppPaths, software clients and COM +- Virtual subsystems: application objects, environment variables, registry modifications, services and fonts +- Scripts (user context only) +- Managing authority (for controlling co-existence of package with App-V 4.6) -- User Configuration file +### Header -- Deployment configuration file +The header of a dynamic user configuration file looks like: -The previous .xml files specify package settings and allow for packages to be customized without directly affecting the packages. When a package is created, the sequencer automatically generates default deployment and user configuration .xml files using the package manifest data. Therefore, these automatically generated configuration files simply reflect the default settings that the package innately as from how things were configured during sequencing. If you apply these configuration files to a package in the form generated by the sequencer, the packages will have the same default settings that came from their manifest. This provides you with a package-specific template to get started if any of the defaults must be changed. - -**Note**   -The following information can only be used to modify sequencer generated configuration files to customize packages to meet specific user or group requirements. - -  - -### Dynamic Configuration file contents - -All of the additions, deletions, and updates in the configuration files need to be made in relation to the default values specified by the package's manifest information. Review the following table: - - --- - - - - - - - - - - - -

User Configuration .xml file

Deployment Configuration .xml file

Package Manifest

- -  - -The previous table represents how the files will be read. The first entry represents what will be read last, therefore, its content takes precedence. Therefore, all packages inherently contain and provide default settings from the package manifest. If a deployment configuration .xml file with customized settings is applied, it will override the package manifest defaults. If a user configuration .xml file with customized settings is applied prior to that, it will override both the deployment configuration and the package manifest defaults. - -The following list displays more information about the two file types: - -- **User Configuration File (UserConfig)** – Allows you to specify or modify custom settings for a package. These settings will be applied for a specific user when the package is deployed to a computer running the App-V 5.1 client. - -- **Deployment Configuration File (DeploymentConfig)** – Allows you to specify or modify the default settings for a package. These settings will be applied for all users when a package is deployed to a computer running the App-V 5.1 client. - -To customize the settings for a package for a specific set of users on a computer or to make changes that will be applied to local user locations such as HKCU, the UserConfig file should be used. To modify the default settings of a package for all users on a machine or to make changes that will be applied to global locations such as HKEY\_LOCAL\_MACHINE and the all users folder, the DeploymentConfig file should be used. - -The UserConfig file provides configuration settings that can be applied to a single user without affecting any other users on a client: - -- Extensions that will be integrated into the native system per user:- shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients and COM - -- Virtual Subsystems:- Application Objects, Environment variables, Registry modifications, Services and Fonts - -- Scripts (User context only) - -- Managing Authority (for controlling co-existence of package with App-V 4.6) - -The DeploymentConfig file provides configuration settings in two sections, one relative to the machine context and one relative to the user context providing the same capabilities listed in the UserConfig list above: - -- All UserConfig settings above - -- Extensions that can only be applied globally for all users - -- Virtual Subsystems that can be configured for global machine locations e.g. registry - -- Product Source URL - -- Scripts (Machine context only) - -- Controls to Terminate Child Processes - -### File structure - -The structure of the App-V 5.1 Dynamic Configuration file is explained in the following section. - -### Dynamic User Configuration file - -**Header** - the header of a dynamic user configuration file is as follows: - -<?xml version="1.0" encoding="utf-8"?><UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="http://schemas.microsoft.com/appv/2010/userconfiguration"> - -The **PackageId** is the same value as exists in the Manifest file. - -**Body** - the body of the Dynamic User Configuration file can include all the app extension points that are defined in the Manifest file, as well as information to configure virtual applications. There are four subsections allowed in the body: - -1. **Applications** - All app-extensions that are contained in the Manifest file within a package are assigned with an Application ID, which is also defined in the manifest file. This allows you to enable or disable all the extensions for a given application within a package. The **Application ID** must exist in the Manifest file or it will be ignored. - - <UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="http://schemas.microsoft.com/appv/2010/userconfiguration"> - - <Applications> - - <!-- No new application can be defined in policy. AppV Client will ignore any application ID that is not also in the Manifest file --> - - <Application Id="{a56fa627-c35f-4a01-9e79-7d36aed8225a}" Enabled="false"> - - </Application> - - </Applications> - - … - - </UserConfiguration> - -2. **Subsystems** - AppExtensions and other subsystems are arranged as subnodes under the <Subsystems>: - - <UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="http://schemas.microsoft.com/appv/2010/userconfiguration"> - - <Subsystems> - - .. - - </Subsystems> - - .. - - </UserConfiguration> - - Each subsystem can be enabled/disabled using the “**Enabled**” attribute. Below are the various subsystems and usage samples. - - **Extensions:** - - Some subsystems (Extension Subsystems) control Extensions. Those subsystems are:- shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients and COM - - Extension Subsystems can be enabled and disabled independently of the content.  Thus if Shortcuts are enabled, The client will use the shortcuts contained within the manifest by default. Each Extension Subsystem can contain an <Extensions> node. If this child element is present, the client will ignore the content in the Manifest file for that subsystem and only use the content in the configuration file. - - Example using the shortcuts subsystem: - - 1. If the user defined this in either the dynamic or deployment config file: - -                              **<Shortcuts  Enabled="true">** - -                                          **<Extensions>** - -                                           ... - -                                          **</Extensions>** - -                              **</Shortcuts>** - -                   Content in the manifest will be ignored.    - - 2. If the user defined only the following: - -                             **<Shortcuts  Enabled="true"/>** - -                   Then the content in the Manifest will be integrated during publishing. - - 3. If the user defines the following - -                            **<Shortcuts  Enabled="true">** - -                                          **<Extensions/>** - -                              **</Shortcuts>** - - Then all the shortcuts within the manifest will still be ignored. There will be no shortcuts integrated. - - The supported Extension Subsystems are: - - **Shortcuts:** This controls shortcuts that will be integrated into the local system. Below is a sample with 2 shortcuts: - - <Subsystems> - - <Shortcuts Enabled="true"> - -   <Extensions> - -     <Extension Category="AppV.Shortcut"> - -       <Shortcut> - -         <File>\[{Common Programs}\]\\Microsoft Contoso\\Microsoft ContosoApp Filler 2010.lnk</File> - -         <Target>\[{PackageRoot}\]\\Contoso\\ContosoApp.EXE</Target> - -         <Icon>\[{Windows}\]\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\inficon.exe</Icon> - -         <Arguments /> - -         <WorkingDirectory /> - -         <AppUserModelId>ContosoApp.Filler.3</AppUserModelId> - -         <Description>Fill out dynamic forms to gather and reuse information throughout the organization using Microsoft ContosoApp.</Description> - -         <Hotkey>0</Hotkey> - -         <ShowCommand>1</ShowCommand> - -         <ApplicationId>\[{PackageRoot}\]\\Contoso\\ContosoApp.EXE</ApplicationId> - -       </Shortcut> - -   </Extension> - -   <Extension Category="AppV.Shortcut"> - -     <Shortcut> - -       <File>\[{AppData}\]\\Microsoft\\Contoso\\Recent\\Templates.LNK</File> - -       <Target>\[{AppData}\]\\Microsoft\\Templates</Target> - -       <Icon /> - -       <Arguments /> - -       <WorkingDirectory /> - -       <AppUserModelId /> - -       <Description /> - -       <Hotkey>0</Hotkey> - -       <ShowCommand>1</ShowCommand> - -       <!-- Note the ApplicationId is optional --> - -     </Shortcut> - -   </Extension> - -  </Extensions> - - </Shortcuts> - - **File-Type Associations:** Associates File-types with programs to open by default as well as setup the context menu. (MIME types can also be setup using this susbsystem). Sample File-type Association is below: - - <FileTypeAssociations Enabled="true"> - - <Extensions> - -   <Extension Category="AppV.FileTypeAssociation"> - -     <FileTypeAssociation> - -       <FileExtension MimeAssociation="true"> - -       <Name>.docm</Name> - -       <ProgId>contosowordpad.DocumentMacroEnabled.12</ProgId> - -       <PerceivedType>document</PerceivedType> - -       <ContentType>application/vnd.ms-contosowordpad.document.macroEnabled.12</ContentType> - -       <OpenWithList> - -         <ApplicationName>wincontosowordpad.exe</ApplicationName> - -       </OpenWithList> - -      <OpenWithProgIds> - -         <ProgId>contosowordpad.8</ProgId> - -       </OpenWithProgIds> - -       <ShellNew> - -         <Command /> - -         <DataBinary /> - -         <DataText /> - -         <FileName /> - -         <NullFile>true</NullFile> - -         <ItemName /> - -         <IconPath /> - -         <MenuText /> - -         <Handler /> - -       </ShellNew> - -     </FileExtension> - -     <ProgId> - -        <Name>contosowordpad.DocumentMacroEnabled.12</Name> - -         <DefaultIcon>\[{Windows}\]\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\contosowordpadicon.exe,15</DefaultIcon> - -         <Description>Blah Blah Blah</Description> - -         <FriendlyTypeName>\[{FOLDERID\_ProgramFilesX86}\]\\Microsoft Contoso 14\\res.dll,9182</FriendlyTypeName> - -         <InfoTip>\[{FOLDERID\_ProgramFilesX86}\]\\Microsoft Contoso 14\\res.dll,1424</InfoTip> - -         <EditFlags>0</EditFlags> - -         <ShellCommands> - -           <DefaultCommand>Open</DefaultCommand> - -           <ShellCommand> - -              <ApplicationId>{e56fa627-c35f-4a01-9e79-7d36aed8225a}</ApplicationId> - -              <Name>Edit</Name> - -              <FriendlyName>&Edit</FriendlyName> - -              <CommandLine>"\[{PackageRoot}\]\\Contoso\\WINcontosowordpad.EXE" /vu "%1"</CommandLine> - -           </ShellCommand> - -           </ShellCommand> - -             <ApplicationId>{e56fa627-c35f-4a01-9e79-7d36aed8225a}</ApplicationId> - -             <Name>Open</Name> - -             <FriendlyName>&Open</FriendlyName> - -             <CommandLine>"\[{PackageRoot}\]\\Contoso\\WINcontosowordpad.EXE" /n "%1"</CommandLine> - -             <DropTargetClassId /> - -             <DdeExec> - -               <Application>mscontosowordpad</Application> - -               <Topic>ShellSystem</Topic> - -               <IfExec>\[SHELLNOOP\]</IfExec> - -               <DdeCommand>\[SetForeground\]\[ShellNewDatabase "%1"\]</DdeCommand> - -             </DdeExec> - -           </ShellCommand> - -         </ShellCommands> - -       </ProgId> - -      </FileTypeAssociation> - -    </Extension> - -   </Extensions> - -   </FileTypeAssociations> - - **URL Protocols**: This controls the URL Protocols that are integrated into the local registry of the client machine e.g. “mailto:”. - - <URLProtocols Enabled="true"> - - <Extensions> - - <Extension Category="AppV.URLProtocol"> - - <URLProtocol> - -   <Name>mailto</Name> - -   <ApplicationURLProtocol> - -   <DefaultIcon>\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE,-9403</DefaultIcon> - -   <EditFlags>2</EditFlags> - -   <Description /> - -   <AppUserModelId /> - -   <FriendlyTypeName /> - -   <InfoTip /> - - <SourceFilter /> - -   <ShellFolder /> - -   <WebNavigableCLSID /> - -   <ExplorerFlags>2</ExplorerFlags> - -   <CLSID /> - -   <ShellCommands> - -   <DefaultCommand>open</DefaultCommand> - -   <ShellCommand> - -   <ApplicationId>\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE</ApplicationId> - -   <Name>open</Name> - -   <CommandLine>\[{ProgramFilesX86}\\Microsoft Contoso\\Contoso\\contosomail.EXE" -c OEP.Note /m "%1"</CommandLine> - -   <DropTargetClassId /> - -   <FriendlyName /> - -   <Extended>0</Extended> - -   <LegacyDisable>0</LegacyDisable> - -   <SuppressionPolicy>2</SuppressionPolicy> - -    <DdeExec> - -   <NoActivateHandler /> - -   <Application>contosomail</Application> - -   <Topic>ShellSystem</Topic> - -   <IfExec>\[SHELLNOOP\]</IfExec> - -   <DdeCommand>\[SetForeground\]\[ShellNewDatabase "%1"\]</DdeCommand> - -   </DdeExec> - -   </ShellCommand> - -   </ShellCommands> - -   </ApplicationURLProtocol> - -   </URLProtocol> - -   </Extension> - -   </Extension> - -   </URLProtocols> - - **Software Clients**: Allows the app to register as an Email client, news reader, media player and makes the app visible in the Set Program Access and Computer Defaults UI. In most cases you should only need to enable and disable it. There is also a control to enable and disable the email client specifically if you want the other clients still enabled except for that client. - - <SoftwareClients Enabled="true"> - -   <ClientConfiguration EmailEnabled="false" /> - - </SoftwareClients> - - AppPaths:- If an application for example contoso.exe is registered with an apppath name of “myapp”, it allows you type “myapp” under the run menu and it will open contoso.exe. - - <AppPaths Enabled="true"> - - <Extensions> - - <Extension Category="AppV.AppPath"> - - <AppPath> - -   <ApplicationId>\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE</ApplicationId> - -   <Name>contosomail.exe</Name> - -   <ApplicationPath>\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE</ApplicationPath> - -   <PATHEnvironmentVariablePrefix /> - -   <CanAcceptUrl>false</CanAcceptUrl> - -   <SaveUrl /> - - </AppPath> - - </Extension> - - </Extensions> - - </AppPaths> - - **COM**: Allows an Application register Local COM servers. Mode can be Integration, Isolated or Off. When Isol. - - <COM Mode="Isolated"/> - - **Other Settings**: - - In addition to Extensions, other subsystems can be enabled/disabled and edited: - - **Virtual Kernel Objects**: - - <Objects Enabled="false" /> - - **Virtual Registry**: Used if you want to set a registry in the Virtual Registry within HKCU - - <Registry Enabled="true"> - - <Include> - - <Key Path="\\REGISTRY\\USER\\\[{AppVCurrentUserSID}\]\\Software\\ABC"> - - <Value Type="REG\_SZ" Name="Bar" Data="NewValue" /> - -  </Key> - -   <Key Path="\\REGISTRY\\USER\\\[{AppVCurrentUserSID}\]\\Software\\EmptyKey" /> - -  </Include> - - <Delete> - -   </Registry> - - **Virtual File System** - -       <FileSystem Enabled="true" /> - - **Virtual Fonts** - -       <Fonts Enabled="false" /> - - **Virtual Environment Variables** - - <EnvironmentVariables Enabled="true"> - - <Include> - -        <Variable Name="UserPath" Value="%path%;%UserProfile%" /> - -        <Variable Name="UserLib" Value="%UserProfile%\\ABC" /> - -        </Include> - -       <Delete> - -        <Variable Name="lib" /> - -         </Delete> - -         </EnvironmentVariables> - - **Virtual services** - -       <Services Enabled="false" /> - -3. **UserScripts** – Scripts can be used to setup or alter the virtual environment as well as execute scripts at time of deployment or removal, before an application executes, or they can be used to “clean up” the environment after the application terminates. Please reference a sample User configuration file that is output by the sequencer to see a sample script. The Scripts section below provides more information on the various triggers that can be used. - -4. **ManagingAuthority** – Can be used when 2 versions of your package are co-existing on the same machine, one deployed to App-V 4.6 and the other deployed on App-V 5.0. To Allow App-V vNext to take over App-V 4.6 extension points for the named package enter the following in the UserConfig file (where PackageName is the Package GUID in App-V 4.6: - - <ManagingAuthority TakeoverExtensionPointsFrom46="true" PackageName="032630c0-b8e2-417c-acef-76fc5297fe81" /> - -### Dynamic Deployment Configuration file - -**Header** - The header of a Deployment Configuration file is as follows: - -<?xml version="1.0" encoding="utf-8"?><DeploymentConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration"> +```xml + +``` The **PackageId** is the same value as exists in the manifest file. -**Body** - The body of the deployment configuration file includes two sections: -- User Configuration section –allows the same content as the User Configuration file described in the previous section. When the package is published to a user, any appextensions configuration settings in this section will override corresponding settings in the Manifest within the package unless a user configuration file is also provided. If a UserConfig file is also provided, it will be used instead of the User settings in the deployment configuration file. If the package is published globally, then only the contents of the deployment configuration file will be used in combination with the manifest. +### Body -- Machine Configuration section–contains information that can be configured only for an entire machine, not for a specific user on the machine. For example, HKEY\_LOCAL\_MACHINE registry keys in the VFS. +The body of the dynamic user configuration file can include all the app extension points defined in the manifest file, as well as information to configure virtual applications. There are four subsections allowed in the body: -<DeploymentConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration"> +1. **[Applications](#applications)** +2. **[Subsystems](#subsystems)** +3. **[UserScripts](#userscripts)** +4. **[ManagingAuthority](#managingauthority)** -<UserConfiguration> +#### Applications -  .. +All app-extensions contained in the manifest file within a package have an Application ID assigned, which you find in the manifest file. The Application ID lets you enable or disable all extensions for a given application within a package. The Application ID must exist in the manifest file, or it gets ignored. -</UserConfiguration> +```XML + -<MachineConfiguration> + + + + + + + + + .. -</MachineConfiguration> + + +``` + +#### Subsystems + +AppExtensions and other subsystems arranged as subnodes. + +```XML + + + .. -</MachineConfiguration> + -</DeploymentConfiguration> +.. -**User Configuration** - use the previous **Dynamic User Configuration file** section for information on settings that are provided in the user configuration section of the Deployment Configuration file. + -Machine Configuration - the Machine configuration section of the Deployment Configuration File is used to configure information that can be set only for an entire machine, not for a specific user on the computer. For example, HKEY\_LOCAL\_MACHINE registry keys in the Virtual Registry. There are four subsections allowed in under this element +``` -1. **Subsystems** - AppExtensions and other subsystems are arranged as subnodes under <Subsystems>: +You can enable or disable each subsystem using the **Enabled** attribute. - <MachineConfiguration> +**Extensions** -   <Subsystems> +Some subsystems (extension subsystems) control extensions. Those subsystems are Shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients, and COM. -   .. +Extension subsystems can be enabled and disabled independently of the content. For example, if you enable Shortcuts, the client uses the Shortcuts contained within the manifest by default. Each extension subsystem can contain an \ node. If this child element is present, the client ignores the content in the manifest file for that subsystem and only use the content in the configuration file. -   </Subsystems> +_**Examples:**_ - .. +- If you define this in either the user or deployment config file, the content in the manifest gets ignored. - </MachineConfiguration> + ```XML - The following section displays the various subsystems and usage samples. + - **Extensions**: + - Some subsystems (Extension Subsystems) control Extensions which can only apply to all users. The subsystem is application capabilities. Because this can only apply to all users, the package must be published globally in order for this type of extension to be integrated into the local system. The same rules for controls and settings that apply to the Extensions in the User Configuration also apply to those in the MachineConfiguration section. + ... - **Application Capabilities**: Used by default programs in windows operating system Interface. Allows an application to register itself as capable of opening certain file extensions, as a contender for the start menu internet browser slot, as capable of opening certain windows MIME types.  This extension also makes the virtual application visible in the Set Default Programs UI.: + - <ApplicationCapabilities Enabled="true"> + -   <Extensions> + ``` +- If you define only the following, the content in the manifest gets integrated during publishing. + + ```XML -    <Extension Category="AppV.ApplicationCapabilities"> + -     <ApplicationCapabilities> + ``` -      <ApplicationId>\[{PackageRoot}\]\\LitView\\LitViewBrowser.exe</ApplicationId> +- If you define the following, all Shortcuts within the manifest still get ignored. In other words, no Shortcuts get integrated. -      <Reference> + ```XML -       <Name>LitView Browser</Name> + -       <Path>SOFTWARE\\LitView\\Browser\\Capabilities</Path> + -      </Reference> + -    <CapabilityGroup> + ``` -     <Capabilities> +_**Supported extension subsystems:**_ -      <Name>@\[{ProgramFilesX86}\]\\LitView\\LitViewBrowser.exe,-12345</Name> +**Shortcuts** extension subsystem controls what shortcuts get integrated into the local system. -      <Description>@\[{ProgramFilesX86}\]\\LitView\\LitViewBrowser.exe,-12346</Description> +```XML -      <Hidden>0</Hidden> + -      <EMailSoftwareClient>Lit View E-Mail Client</EMailSoftwareClient> + -      <FileAssociationList> + -       <FileAssociation Extension=".htm" ProgID="LitViewHTML" /> + -       <FileAssociation Extension=".html" ProgID="LitViewHTML" /> + -       <FileAssociation Extension=".shtml" ProgID="LitViewHTML" /> + [{Common Programs}]\Microsoft Contoso\Microsoft ContosoApp Filler 2010.lnk -      </FileAssociationList> + [{PackageRoot}]\Contoso\ContosoApp.EXE -      <MIMEAssociationList> + + [{Windows}]\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe -       <MIMEAssociation Type="audio/mp3" ProgID="LitViewHTML" /> + -       <MIMEAssociation Type="audio/mpeg" ProgID="LitViewHTML" /> + -      </MIMEAssociationList> + ContosoApp.Filler.3 -     <URLAssociationList> + Fill out dynamic forms to gather and reuse information throughout the organization using Microsoft ContosoApp. -       <URLAssociation Scheme="http" ProgID="LitViewHTML.URL.http" /> + 0 -      </URLAssociationList> + 1 + + [{PackageRoot}]\Contoso\ContosoApp.EXE -      </Capabilities> + -   </CapabilityGroup> + -    </ApplicationCapabilities> + -   </Extension> + + + [{AppData}]\Microsoft\Contoso\Recent\Templates.LNK - </Extensions> + [{AppData}]\Microsoft\Templates - </ApplicationCapabilities> + - **Other Settings**: + - In addition to Extensions, other subsystems can be edited: + - **Machine Wide Virtual Registry**: Used when you want to set a registry key in the virtual registry within HKEY\_Local\_Machine + - <Registry> + - <Include> + 0 -   <Key Path="\\REGISTRY\\Machine\\Software\\ABC"> + 1 -     <Value Type="REG\_SZ" Name="Bar" Data="Baz" /> + -    </Key> + -   <Key Path="\\REGISTRY\\Machine\\Software\\EmptyKey" /> + -  </Include> + - <Delete> + - </Registry> +``` - **Machine Wide Virtual Kernel Objects** +**File-Type Associates** extension subsystem associates file types with programs to open by default as well as set up the context menu. - <Objects> +>[!TIP] +>You can set up the subsystem with MIME types. - <NotIsolate> +```XML -    <Object Name="testObject" /> + -  </NotIsolate> + - </Objects> + -2. **ProductSourceURLOptOut**: Indicates whether the URL for the package can be modified globally through PackageSourceRoot (to support branch office scenarios). Default is false and the setting change takes effect on the next launch.   + - <MachineConfiguration> + -   ..  + .docm -   <ProductSourceURLOptOut Enabled="true" /> + contosowordpad.DocumentMacroEnabled.12 -   .. + document + + application/vnd.ms-contosowordpad.document.macroEnabled.12 - </MachineConfiguration> + -3. **MachineScripts** – Package can be configured to execute scripts at time of deployment, publishing or removal. Please reference a sample deployment configuration file that is generated by the sequencer to see a sample script. The Scripts section below provides more information on the various triggers that can be used + wincontosowordpad.exe -4. **TerminateChildProcess**:- An application executable can be specified, whose child processes will be terminated when the application exe process is terminated. + - <MachineConfiguration> + -   ..    + contosowordpad.8 -   <TerminateChildProcesses> + -     <Application Path="\[{PackageRoot}\]\\Contoso\\ContosoApp.EXE" /> + -     <Application Path="\[{PackageRoot}\]\\LitView\\LitViewBrowser.exe" /> + -     <Application Path="\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE" /> + -   </TerminateChildProcesses> + -   .. + - </MachineConfiguration> + true -### Scripts + + + + + + + + + + + + + + + contosowordpad.DocumentMacroEnabled.12 + + [{Windows}]\Installer\{90140000-0011-0000-0000-000000FF1CE}\contosowordpadicon.exe,15 + + Blah Blah Blah + + [{FOLDERID_ProgramFilesX86}]\Microsoft Contoso 14\res.dll,9182 + + [{FOLDERID_ProgramFilesX86}]\Microsoft Contoso 14\res.dll,1424 + + 0 + + + + Open + + + + {e56fa627-c35f-4a01-9e79-7d36aed8225a} + + Edit + + &Edit + + "[{PackageRoot}]\Contoso\WINcontosowordpad.EXE" /vu "%1" + + + + + + {e56fa627-c35f-4a01-9e79-7d36aed8225a} + + Open + + &Open + + "[{PackageRoot}]\Contoso\WINcontosowordpad.EXE" /n "%1" + + + + + + mscontosowordpad + + ShellSystem + + [SHELLNOOP] + + [SetForeground][ShellNewDatabase"%1"] + + + + + + + + + + + + + + + + + +``` + +**URL Protocols** extension subsystem controls the URL protocols integrated into the local registry of the client machine, for example, _mailto:_. + +```XML + + + + + + + + + + mailto + + + + [{ProgramFilesX86}]\MicrosoftContoso\Contoso\contosomail.EXE,-9403 + + 2 + + + + + + + + + + + + + + + + 2 + + + + + + open + + + + [{ProgramFilesX86}]\Microsoft Contoso\Contoso\contosomail.EXE + + open + + [{ProgramFilesX86}\Microsoft Contoso\Contoso\contosomail.EXE" -c OEP.Note /m "%1" + + + + + + 0 + + 0 + + 2 + + + + + + contosomail + + ShellSystem + + [SHELLNOOP] + + [SetForeground][ShellNewDatabase "%1"] + + + + + + + + + + + + + + + + + +``` + +**Software Clients** extension subsystem allows the app to register as an email client, news reader, media player and makes the app visible in the Set program access and Computer defaults UI. In most cases, you should only need to enable and disable it. There is also a control to enable and disable the email client specifically if you want the other clients still enabled except for that client. + +```XML + + + + + + + +``` + +**AppPaths** extension subsystem opens apps registered with an application path. For example, if contoso.exe has an apppath name of _myapp_, users can type _myapp_ from the run menu, opening contoso.exe. + +```XML + + + + + + + + + + [{ProgramFilesX86}]\Microsoft Contoso\Contoso\contosomail.EXE + + contosomail.exe + + [{ProgramFilesX86}]\Microsoft Contoso\Contoso\contosomail.EXE + + + + false + + + + + + + + + + + +``` + +**COM** extensions subsystem allows an application registered to local COM servers. The mode can be: + +- Integration +- Isolated +- Off + +```XML + + + +``` + +**Virtual Kernel Objects** + +```XML + + + +``` + +**Virtual Registry** sets a registry in the virtual registry within HKCU. + +```XML + + + + + + + + + + + + + + + + + + + +``` + +**Virtual File System** + +```XML + + + +``` + +**Virtual Fonts** + +```XML + + + +``` + +**Virtual Environment Variables** + +```XML + + + + + + + + + + + + + + + + + + + +``` + +**Virtual services** + +```XML + + + +``` + +#### UserScripts + +Use UserScripts to set up or alter the virtual environment. You can also execute scripts at the time of deployment or to clean up the environment after the application terminates. To see a sample script, refer to the user configuration file generated by the sequencer. +The Scripts section below provides more information on the various triggers that can be used. + +#### ManagingAuthority + +Use ManagingAuthority when two versions of your package co-exist on the same machine, one deployed to App-V 4.6 and another deployed on App-V 5.0. To allow App-V vNext to take over App-V 4.6 extension points for the named package enter the following in the UserConfig file (where PackageName is the Package GUID in App-V 4.6: + +```XML + + + +``` + +## Deployment configuration file (DeploymentConfig.xml) + +The DeploymentConfig file provides configuration settings for machine context and user context, providing the same capabilities listed in the UserConfig file. The setting get applied when deploying the package to a computer running the App-V 5.1 client. + +Use the DeploymentConfig file to specify or modify custom settings for a package: + +- All UserConfig settings +- Extensions that can only be applied globally for all users +- Virtual subsystems for global machine locations, for example, registry +- Product source URL +- Scripts (machine context only) +- Controls to terminate child processes + +### Header + +The header of a dynamic deployment configuration file looks like: + +```XML + +``` + +The **PackageId** is the same value as exists in the manifest file. + +### Body + +The body of the dynamic deployment configuration file includes two sections: + +- **UserConfiguration:** allows the same content as the user configuration file described in the previous section. When publishing the package to a user, any appextensions configuration settings in this section override corresponding settings in the manifest within the package, unless you provide a user configuration file. If also providing a UserConfig file, it gets used instead of the User settings in the deployment configuration file. If publishing the package globally, then only the contents of the deployment configuration file get used in combination with the manifest. For more details, see [User configuration file contents (UserConfig.xml)](#user-configuration-file-contents-userconfigxml). + +- **MachineConfiguration:** contains information that can be configured only for an entire machine, not for a specific user on the machine. For example, HKEY_LOCAL_MACHINE registry keys in the VFS. + +```XML + + + + + +... + + + + + +... + + + +... + + + + + +``` + +### UserConfiguration + +Refer to [User configuration file contents (UserConfig.xml)](#user-configuration-file-contents-userconfigxml) for information on the settings provided for this section. + +### MachineConfiguration + +Use the MachineConfiguration section to configure information for an entire machine; not for a specific user on the computer. For example, HKEY_LOCAL_MACHINE registry keys in the virtual registry. There are four subsections allowed in under this element: + +1. **[Subsystems](#subsystems-1)** +2. **[ProductSourceURLOptOut](#productsourceurloptout)** +3. **[MachineScripts](#machinescripts)** +4. **[TerminateChildProcess](#terminatechildprocess)** + +#### Subsystems + +AppExtensions and other subsystems arranged as subnodes. + +```XML + + + + + + … + + + +… + + + +``` + +You can enable or disable each subsystem using the **Enabled** attribute. + +**Extensions** + +Some subsystems (extension subsystems) control extensions. The subsystem is Application Capabilities that default programs use. For this type of extension, the package must be published globally for integration into the local system. The same rules for controls and settings that apply to the Extensions in the User Configuration also, apply to those in the MachineConfiguration section. + +**Application Capabilities**: Used by default programs that allow an application to register itself as: + +- Capable of opening specific file extensions +- A contender for the start menu internet browser slot +- Capable of opening specific windows MIME types + +This extension also makes the virtual application visible in the Set default programs UI. + +```XML + + + + + + + + + + + [{PackageRoot}]\LitView\LitViewBrowser.exe + + + + LitView Browser + + SOFTWARE\LitView\Browser\Capabilities + + + + + + + + + @[{ProgramFilesX86}]\LitView\LitViewBrowser.exe,-12345 + + + @[{ProgramFilesX86}]\LitView\LitViewBrowser.exe,-12346 + + 0 + + Lit View E-Mail Client + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +_**Supported extension subsystems:**_ + +**Machine Wide Virtual Registry** extension subsystem sets a registry key in the virtual registry within HKEY_Local_Machine. + +```XML + + + + + + + + + + + + + + + + + + + +``` + +**Machine Wide Virtual Kernel Objects** + +```XML + + + + + + + + + + + +``` + +#### ProductSourceURLOptOut + +Use ProductSourceURLOptOut to indicate that the URL for the package can be modified globally through _PackageSourceRoot_ (to support branch office scenarios). Changes take effect on the next launch. + +```XML + + + + ... + + + + ... + + + +``` + +#### MachineScripts + +The package can be configured to execute scripts at time of deployment, publishing or removal. To see a sample script, refer to the deployment configuration file generated by the sequencer. + +The Scripts section below provides more information on the various triggers that can be used. + +#### TerminateChildProcess + +An application executable can be specified, whose child processes get terminated when the application exe process terminates. + +```XML + + + + ... + + + + + + + + + + + + ... + + + +``` + + + +## Scripts The following table describes the various script events and the context under which they can be run. - -------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Script Execution TimeCan be specified in Deployment ConfigurationCan be specified in User ConfigurationCan run in the Virtual Environment of the packageCan be run in the context of a specific applicationRuns in system/user context: (Deployment Configuration, User Configuration)

AddPackage

X

(SYSTEM, N/A)

PublishPackage

X

X

(SYSTEM, User)

UnpublishPackage

X

X

(SYSTEM, User)

RemovePackage

X

(SYSTEM, N/A)

StartProcess

X

X

X

X

(User, User)

ExitProcess

X

X

X

(User, User)

StartVirtualEnvironment

X

X

X

(User, User)

TerminateVirtualEnvironment

X

X

(User, User)

- -  +| Script Execution Time | Can be specified in Deployment Configuration | Can be specified in User Configuration | Can run in the Virtual Environment of the package | Can be run in the context of a specific application | Runs in system/user context: (Deployment Configuration, User Configuration) | +|-----------------------------|----------------------------------------------|----------------------------------------|---------------------------------------------------|-----------------------------------------------------|-----------------------------------------------------------------------------| +| AddPackage | X | | | | (SYSTEM, N/A) | +| PublishPackage | X | X | | | (SYSTEM, User) | +| UnpublishPackage | X | X | | | (SYSTEM, User) | +| RemovePackage | X | | | | (SYSTEM, N/A) | +| StartProcess | X | X | X | X | (User, User) | +| ExitProcess | X | X | | X | (User, User) | +| StartVirtualEnvironment | X | X | X | | (User, User) | +| TerminateVirtualEnvironment | X | X | | | (User, User) | ### Using multiple scripts on a single event trigger -App-V 5.1 supports the use of multiple scripts on a single event trigger for App-V packages, including packages that you convert from App-V 4.6 to App-V 5.0 or later. To enable the use of multiple scripts, App-V 5.1 uses a script launcher application, named ScriptRunner.exe, which is installed as part of the App-V client installation. +App-V 5.1 supports the use of multiple scripts on a single event trigger for +App-V packages, including packages that you convert from App-V 4.6 to App-V 5.0 +or later. To enable the use of multiple scripts, App-V 5.1 uses a script +launcher application, named ScriptRunner.exe, which is installed as part of the +App-V client installation. -**How to use multiple scripts on a single event trigger:** +### How to use multiple scripts on a single event trigger -For each script that you want to run, pass that script as an argument to the ScriptRunner.exe application. The application then runs each script separately, along with the arguments that you specify for each script. Use only one script (ScriptRunner.exe) per trigger. +For each script that you want to run, pass that script as an argument to the +ScriptRunner.exe application. The application then runs each script separately, +along with the arguments that you specify for each script. Use only one script +(ScriptRunner.exe) per trigger. -**Note**   -We recommended that you run the multi-script line from a command prompt first to make sure that all arguments are built correctly before adding them to the deployment configuration file. +>[!NOTE] -  +>We recommended that you run the multi-script line from a command prompt +first to make sure that all arguments are built correctly before adding them to +the deployment configuration file. -**Example script and parameter descriptions** +### Example script and parameter descriptions -Using the following example file and table, modify the deployment or user configuration file to add the scripts that you want to run. +Using the following example file and table, modify the deployment or user +configuration file to add the scripts that you want to run. -``` syntax +```XML ScriptRunner.exe @@ -885,89 +913,64 @@ Using the following example file and table, modify the deployment or user config ``` - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Parameter in the example fileDescription

<AddPackage>

Name of the event trigger for which you are running a script, such as adding a package or publishing a package.

<Path>ScriptRunner.exe</Path>

The script launcher application that is installed as part of the App-V client installation.

-
-Note   -

Although ScriptRunner.exe is installed as part of the App-V client, the location of the App-V client must be in %path% or ScriptRunner will not run. ScriptRunner.exe is typically located in the C:\Program Files\Microsoft Application Virtualization\Client folder.

-
-
-  -
<Arguments>
--appvscript script1.exe arg1 arg2 –appvscriptrunnerparameters –wait –timeout=10
 
--appvscript script2.vbs arg1 arg2
+**Parameters in the example file include:**
 
--appvscript script3.bat arg1 arg2 –appvscriptrunnerparameters –wait –timeout=30 -rollbackonerror
-</Arguments>

-appvscript - Token that represents the actual script that you want to run.

-

script1.exe – Name of the script that you want to run.

-

arg1 arg2 – Arguments for the script that you want to run.

-

-appvscriptrunnerparameters – Token that represents the execution options for script1.exe

-

-wait – Token that informs ScriptRunner to wait for execution of script1.exe to complete before proceeding to the next script.

-

-timeout=x – Token that informs ScriptRunner to stop running the current script after x number of seconds. All other specified scripts will still run.

-

-rollbackonerror – Token that informs ScriptRunner to stop running all scripts that haven't yet run and to roll back an error to the App-V client.

<Wait timeout=”40” RollbackOnError=”true”/>

Waits for overall completion of ScriptRunner.exe.

-

Set the timeout value for the overall runner to be greater than or equal to the sum of the timeout values on the individual scripts.

-

If any individual script reported an error and rollbackonerror was set to true, then ScriptRunner would report the error to App-V client.

+#### \ -  +Name of the event trigger for which you are running a script, such as adding a package or publishing a package. -ScriptRunner will run any script whose file type is associated with an application installed on the computer. If the associated application is missing, or the script’s file type is not associated with any application on the computer, the script will not run. +#### \ScriptRunner.exe\ -### Create a Dynamic Configuration file using an App-V 5.1 Manifest file +The script launcher application that is installed as part of the App-V client installation. -You can create the Dynamic Configuration file using one of three methods: either manually, using the App-V 5.1 Management Console or sequencing a package, which will be generated with 2 sample files. +>[!NOTE] -For more information about how to create the file using the App-V 5.1 Management Console see, [How to Create a Custom Configuration File by Using the App-V 5.1 Management Console](how-to-create-a-custom-configuration-file-by-using-the-app-v-51-management-console.md). +>Although ScriptRunner.exe is installed as part of the App-V client, the location of the App-V client must be in %path% or ScriptRunner will not run. ScriptRunner.exe is typically located in the C:FilesApplication Virtualizationfolder. + +#### \ + +`-appvscript` - Token that represents the actual script that you want to run. + +`script1.exe` – Name of the script that you want to run. + +`arg1 arg2` – Arguments for the script that you want to run. + +`-appvscriptrunnerparameters` – Token that represents the execution options for script1.exe. + +`-wait` – Token that informs ScriptRunner to wait for execution of script1.exe to complete before proceeding to the next script. + +`-timeout=x` – Token that informs ScriptRunner to stop running the current script after x number of seconds. All other specified scripts still runs. + +`-rollbackonerror` – Token that informs ScriptRunner to stop running all scripts that haven't yet run and to roll back an error to the App-V client. + +#### \ + +Waits for overall completion of ScriptRunner.exe. + +Set the timeout value for the overall runner to be greater than or equal to the sum of the timeout values on the individual scripts. + +If any individual script reported an error and rollbackonerror was set to true, then ScriptRunner would report the error to App-V client. + +ScriptRunner runs any script whose file type is associated with an application installed on the computer. If the associated application is missing, or the script’s file type is not associated with any application on the computer, the script does not run. + +### Create a dynamic configuration file using an App-V 5.1 manifest file + +You can create the dynamic configuration file using one of three methods: either manually, using the App-V 5.1 Management Console or sequencing a package, which generates two sample files. For more information about how to create the file using the App-V 5.1 Management Console see, [How to create a custom configuration File by using the App-V 5.1 Management Console](how-to-create-a-custom-configuration-file-by-using-the-app-v-51-management-console.md). To create the file manually, the information above in previous sections can be combined into a single file. We recommend you use files generated by the sequencer. ## Got a suggestion for App-V? - -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +- Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). +- For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics +- [How to Apply the Deployment Configuration File by Using PowerShell](how-to-apply-the-deployment-configuration-file-by-using-powershell51.md) -[How to Apply the Deployment Configuration File by Using PowerShell](how-to-apply-the-deployment-configuration-file-by-using-powershell51.md) - -[How to Apply the User Configuration File by Using PowerShell](how-to-apply-the-user-configuration-file-by-using-powershell51.md) - -[Operations for App-V 5.1](operations-for-app-v-51.md) - -  - -  - - - +- [How to Apply the User Configuration File by Using PowerShell](how-to-apply-the-user-configuration-file-by-using-powershell51.md) +- [Operations for App-V 5.1](operations-for-app-v-51.md) +--- \ No newline at end of file diff --git a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md index 0fdf152e67..7ca9dcb801 100644 --- a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md +++ b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md @@ -8,14 +8,16 @@ ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library ms.prod: w10 -ms.date: 5/30/2018 +ms.date: 8/30/2018 +ms.author: pashort +author: shortpatti --- # Applying hotfixes on MBAM 2.5 SP1 This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 ### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 -[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=56126) +[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=57157) #### Steps to update the MBAM Server for existing MBAM environment 1. Remove MBAM server feature (do this by opening the MBAM Server Configuration Tool, then selecting Remove Features). diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md index aa159ddffe..67c65aeebb 100644 --- a/store-for-business/release-history-microsoft-store-business-education.md +++ b/store-for-business/release-history-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 07/31/2018 +ms.date: 08/29/2018 --- # Microsoft Store for Business and Education release history @@ -17,6 +17,9 @@ Microsoft Store for Business and Education regularly releases new and improved f Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) +## July 2018 +- Bug fixes and permformance improvements. + ## June 2018 - **Change order within private store collection** - Continuing our focus on improvements for private store, now you can customize the order of products in each private store collection. - **Performance improvements in private store** - We continue to work on performance improvements in the private store. Now, most products new to your inventory are available in your private store within 15 minutes of adding them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance) @@ -44,15 +47,12 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store - **Microsoft Product and Services Agreement customers can invite people to take roles** - MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role. ## December 2017 - - Bug fixes and permformance improvements. ## November 2017 - - **Export list of Minecraft: Education Edition users** - Admins and teachers can now export a list of users who have Minecraft: Education Edition licenses assigned to them. Click **Export users**, and Store for Education creates an Excel spreadsheet for you, and saves it as a .csv file. ## October 2017 - - Bug fixes and permformance improvements. ## September 2017 diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index 3f6676128a..efce0d7fd7 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 07/31/2018 +ms.date: 08/29/2018 --- # What's new in Microsoft Store for Business and Education @@ -17,9 +17,10 @@ Microsoft Store for Business and Education regularly releases new and improved f ## Latest updates for Store for Business and Education -**July 2018** - -We’ve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new feature +**August 2018** +| | | +|-----------------------|---------------------------------| +| ![Private store performance icon](images/perf-improvement-icon.png) |**App requests**

People in your organization can make requests for apps that they need. They can also request them on behalf of other people. Admins review requests and can decide on purchases.

[Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#allow-app-requests)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index efc80528fb..624f92fed0 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -2201,7 +2201,7 @@ Supported values: - If it’s one of many apps, Microsoft Edge runs as normal. **1**: -- • If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. _**For single-app public browsing:**_ If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time. +- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. _**For single-app public browsing:**_ If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time. - If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 1d41637f5b..e2bc67b21b 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -114,8 +114,8 @@ Here is an example: ``` - - + + ``` diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index df68eeee47..80185310fd 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/10/2018 +ms.date: 08/29/2018 --- # Policy CSP - Update @@ -715,6 +715,8 @@ The following list shows the supported values: For Quality Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. +The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. + Value type is integer. Default is 7 days. Supported values range: 2-30. @@ -781,6 +783,8 @@ ADMX Info: For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. +The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. + Value type is integer. Default is 7 days. Supported values range: 2-30. @@ -1503,6 +1507,11 @@ The following list shows the supported values: For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. +The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. + +> [!Note] +> If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule are not set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period. + Value type is integer. Default is 14. Supported value range: 2 - 30. @@ -1757,11 +1766,11 @@ ADMX Info: -For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. +For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. -Value type is integer. +Value type is integer. Default value is 7 days. -Supported value range: 0 - 30. +Supported value range: 0 - 30. If you disable or do not configure this policy, the default behaviors will be used. @@ -1822,7 +1831,7 @@ ADMX Info: For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. -Value type is integer. +Value type is integer. Default value is 7 days. Supported value range: 0 - 30. @@ -3324,6 +3333,8 @@ ADMX Info: Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. +When you set this policy along with Update/ActiveHoursStart, Update/ActiveHoursEnd, and ShareCartPC, it will defer all the update processes (scan, download, install, and reboot) to a time after Active Hours. After a buffer period after ActiveHoursEnd, the device will wake up several times to complete the processes. All processes are blocked before ActiveHoursStart. + ADMX Info: diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 9314464f11..2cb51a98c1 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/09/2018 +ms.date: 08/29/2018 --- # Policy DDF file @@ -20,6 +20,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Policy* You can download the DDF files from the links below: - [Download the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml) +- [Download the Policy DDF file for Windows 10, version 1803 release C](http://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml) - [Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml) - [Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml) - [Download the Policy DDF file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml) diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index 09a31768aa..aaf7da1a9a 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md @@ -58,15 +58,18 @@ To turn off Windows Spotlight locally, go to **Settings** > **Personalization Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mobile device management (MDM) settings to help you manage Windows Spotlight on enterprise computers. +>[!NOTE] +>These policies are in the **User Configuration \Policies\Administrative Templates\Windows Components\Cloud Content** path in the Group Policy Management Console, and in the **User Configuration \Administrative Templates\Windows Components\Cloud Content** path in the Local Group Policy Editor. + | Group Policy | MDM | Description | Applies to | | --- | --- | --- | --- | -| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** | **Experience/Allow ThirdParty Suggestions In Windows Spotlight** | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later | -| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** | **Experience/Allow Windows Spotlight** | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later | -| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 Enterprise and Education, version 1607 and later | -| **Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 | -| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 | -| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience which helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 | -**User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Spotlight on Settings** | **Experience/Allow Windows Spotlight on Settings** | Turn off the Windows Spotlight in the Settings app. | Windows 10 Enterprise and Education, version 1803 | +| **Do not suggest third-party content in Windows spotlight** | **Experience/Allow ThirdParty Suggestions In Windows Spotlight** | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later | +| **Turn off all Windows Spotlight features** | **Experience/Allow Windows Spotlight** | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later | +| **Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 Enterprise and Education, version 1607 and later | +| **Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 | +| **Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 | +| **Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience which helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 | +**Turn off the Windows Spotlight on Settings** | **Experience/Allow Windows Spotlight on Settings** | Turn off the Windows Spotlight in the Settings app. | Windows 10 Enterprise and Education, version 1803 | diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md index e76b08389c..9e529d5f34 100644 --- a/windows/deployment/update/change-history-for-update-windows-10.md +++ b/windows/deployment/update/change-history-for-update-windows-10.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin ms.author: daniha -ms.date: 10/17/2017 +ms.date: 09/05/2019 --- # Change history for Update Windows 10 @@ -38,6 +38,5 @@ All topics were updated to reflect the new [naming changes](waas-overview.md#nam ## RELEASE: Windows 10, version 1703 The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: -* [Windows Insider Program for Business](waas-windows-insider-for-business.md) -* [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md) -* [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md) \ No newline at end of file +* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started) +* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-register) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 74fdfc0efd..9b07031bb6 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -8,7 +8,7 @@ ms.sitesec: library author: Jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.date: 06/01/2018 +ms.date: 09/07/2018 --- # Overview of Windows as a service @@ -138,10 +138,9 @@ Specialized systems—such as PCs that control medical equipment, point-of-sale Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. >[!NOTE] ->Windows 10 LTSB will support the currently released silicon at the time of release of the LTSB. As future silicon generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products). +>Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products). -The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Since these apps aren’t included then not supported in Windows 10 Enterprise LTSB edition, including the case of the in-box application sideloading. -Therefore, it’s important to remember that Microsoft has positioned the LTSC model primarily for specialized devices. +The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even of you install by using sideloading. >[!NOTE] >If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the Semi-Annual Channel, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports the Semi-Annual Channel. diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 4ca5f1bd95..166c96a39c 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -142,7 +142,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - Professional + Pro D ✔ ✔ @@ -153,7 +153,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - Professional Student + Pro Student D ✔ ✔ @@ -164,7 +164,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - Professional WMC + Pro WMC D ✔ ✔ @@ -233,7 +233,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - Professional + Pro D ✔ ✔ diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md index cb4b220902..8cd71d80c3 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md @@ -18,22 +18,19 @@ ms.date: 06/01/2018 Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory; it also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs: -- Windows 10 version 1703 or higher must be used. The Professional, Professional for Education, Business, Enterprise, and Education editions are supported. - +- Windows 10 version 1703 or higher must be used. Supported editions are the following: + - Pro + - Pro Education + - Pro for Workstations + - Enterprise + - Education - One of the following, to provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality: - - Microsoft 365 Business subscriptions - - Microsoft 365 F1 subscriptions - - Microsoft 365 Enterprise E3 or E5 subscriptions, which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune) - - Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features - - Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service) Additionally, the following are also recommended but not required: - - Office 365 ProPlus, which can be deployed easily via Intune (or other MDM services) - - [Windows Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md index 91f27e52b9..23991e4fc0 100644 --- a/windows/security/identity-protection/TOC.md +++ b/windows/security/identity-protection/TOC.md @@ -70,115 +70,5 @@ ### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md) ### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md) -## [Windows Firewall with Advanced Security](windows-firewall/windows-firewall-with-advanced-security.md) -### [Isolating Microsoft Store Apps on Your Network](windows-firewall/isolating-apps-on-your-network.md) -### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md) -### [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md) -### [Windows Firewall with Advanced Security Design Guide](windows-firewall/windows-firewall-with-advanced-security-design-guide.md) -#### [Understanding the Windows Firewall with Advanced Security Design Process](windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md) -#### [Identifying Your Windows Firewall with Advanced Security Deployment Goals](windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) -##### [Protect Devices from Unwanted Network Traffic](windows-firewall/protect-devices-from-unwanted-network-traffic.md) -##### [Restrict Access to Only Trusted Devices](windows-firewall/restrict-access-to-only-trusted-devices.md) -##### [Require Encryption When Accessing Sensitive Network Resources](windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md) -##### [Restrict Access to Only Specified Users or Computers](windows-firewall/restrict-access-to-only-specified-users-or-devices.md) -#### [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) -##### [Basic Firewall Policy Design](windows-firewall/basic-firewall-policy-design.md) -##### [Domain Isolation Policy Design](windows-firewall/domain-isolation-policy-design.md) -##### [Server Isolation Policy Design](windows-firewall/server-isolation-policy-design.md) -##### [Certificate-based Isolation Policy Design](windows-firewall/certificate-based-isolation-policy-design.md) -#### [Evaluating Windows Firewall with Advanced Security Design Examples](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) -##### [Firewall Policy Design Example](windows-firewall/firewall-policy-design-example.md) -##### [Domain Isolation Policy Design Example](windows-firewall/domain-isolation-policy-design-example.md) -##### [Server Isolation Policy Design Example](windows-firewall/server-isolation-policy-design-example.md) -##### [Certificate-based Isolation Policy Design Example](windows-firewall/certificate-based-isolation-policy-design-example.md) -#### [Designing a Windows Firewall with Advanced Security Strategy](windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md) -##### [Gathering the Information You Need](windows-firewall/gathering-the-information-you-need.md) -###### [Gathering Information about Your Current Network Infrastructure](windows-firewall/gathering-information-about-your-current-network-infrastructure.md) -###### [Gathering Information about Your Active Directory Deployment](windows-firewall/gathering-information-about-your-active-directory-deployment.md) -###### [Gathering Information about Your Computers](windows-firewall/gathering-information-about-your-devices.md) -###### [Gathering Other Relevant Information](windows-firewall/gathering-other-relevant-information.md) -##### [Determining the Trusted State of Your Computers](windows-firewall/determining-the-trusted-state-of-your-devices.md) -#### [Planning Your Windows Firewall with Advanced Security Design](windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md) -##### [Planning Settings for a Basic Firewall Policy](windows-firewall/planning-settings-for-a-basic-firewall-policy.md) -##### [Planning Domain Isolation Zones](windows-firewall/planning-domain-isolation-zones.md) -###### [Exemption List](windows-firewall/exemption-list.md) -###### [Isolated Domain](windows-firewall/isolated-domain.md) -###### [Boundary Zone](windows-firewall/boundary-zone.md) -###### [Encryption Zone](windows-firewall/encryption-zone.md) -##### [Planning Server Isolation Zones](windows-firewall/planning-server-isolation-zones.md) -##### [Planning Certificate-based Authentication](windows-firewall/planning-certificate-based-authentication.md) -###### [Documenting the Zones](windows-firewall/documenting-the-zones.md) -###### [Planning Group Policy Deployment for Your Isolation Zones](windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md) -####### [Planning Isolation Groups for the Zones](windows-firewall/planning-isolation-groups-for-the-zones.md) -####### [Planning Network Access Groups](windows-firewall/planning-network-access-groups.md) -####### [Planning the GPOs](windows-firewall/planning-the-gpos.md) -######## [Firewall GPOs](windows-firewall/firewall-gpos.md) -######### [GPO_DOMISO_Firewall](windows-firewall/gpo-domiso-firewall.md) -######## [Isolated Domain GPOs](windows-firewall/isolated-domain-gpos.md) -######### [GPO_DOMISO_IsolatedDomain_Clients](windows-firewall/gpo-domiso-isolateddomain-clients.md) -######### [GPO_DOMISO_IsolatedDomain_Servers](windows-firewall/gpo-domiso-isolateddomain-servers.md) -######## [Boundary Zone GPOs](windows-firewall/boundary-zone-gpos.md) -######### [GPO_DOMISO_Boundary](windows-firewall/gpo-domiso-boundary.md) -######## [Encryption Zone GPOs](windows-firewall/encryption-zone-gpos.md) -######### [GPO_DOMISO_Encryption](windows-firewall/gpo-domiso-encryption.md) -######## [Server Isolation GPOs](windows-firewall/server-isolation-gpos.md) -####### [Planning GPO Deployment](windows-firewall/planning-gpo-deployment.md) -#### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) -### [Windows Firewall with Advanced Security Deployment Guide](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md) -#### [Planning to Deploy Windows Firewall with Advanced Security](windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md) -#### [Implementing Your Windows Firewall with Advanced Security Design Plan](windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md) -#### [Checklist: Creating Group Policy Objects](windows-firewall/checklist-creating-group-policy-objects.md) -#### [Checklist: Implementing a Basic Firewall Policy Design](windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md) -#### [Checklist: Configuring Basic Firewall Settings](windows-firewall/checklist-configuring-basic-firewall-settings.md) -#### [Checklist: Creating Inbound Firewall Rules](windows-firewall/checklist-creating-inbound-firewall-rules.md) -#### [Checklist: Creating Outbound Firewall Rules](windows-firewall/checklist-creating-outbound-firewall-rules.md) -#### [Checklist: Implementing a Domain Isolation Policy Design](windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md) -##### [Checklist: Configuring Rules for the Isolated Domain](windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md) -##### [Checklist: Configuring Rules for the Boundary Zone](windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md) -##### [Checklist: Configuring Rules for the Encryption Zone](windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md) -##### [Checklist: Configuring Rules for an Isolated Server Zone](windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md) -#### [Checklist: Implementing a Standalone Server Isolation Policy Design](windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md) -##### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md) -##### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md) -#### [Checklist: Implementing a Certificate-based Isolation Policy Design](windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md) -#### [Procedures Used in This Guide](windows-firewall/procedures-used-in-this-guide.md) -##### [Add Production Devices to the Membership Group for a Zone](windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md) -##### [Add Test Devices to the Membership Group for a Zone](windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md) -##### [Assign Security Group Filters to the GPO](windows-firewall/assign-security-group-filters-to-the-gpo.md) -##### [Change Rules from Request to Require Mode](windows-firewall/change-rules-from-request-to-require-mode.md) -##### [Configure Authentication Methods](windows-firewall/configure-authentication-methods.md) -##### [Configure Data Protection (Quick Mode) Settings](windows-firewall/configure-data-protection-quick-mode-settings.md) -##### [Configure Group Policy to Autoenroll and Deploy Certificates](windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md) -##### [Configure Key Exchange (Main Mode) Settings](windows-firewall/configure-key-exchange-main-mode-settings.md) -##### [Configure the Rules to Require Encryption](windows-firewall/configure-the-rules-to-require-encryption.md) -##### [Configure the Windows Firewall Log](windows-firewall/configure-the-windows-firewall-log.md) -##### [Configure the Workstation Authentication Certificate Template](windows-firewall/configure-the-workstation-authentication-certificate-template.md) -##### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) -##### [Confirm That Certificates Are Deployed Correctly](windows-firewall/confirm-that-certificates-are-deployed-correctly.md) -##### [Copy a GPO to Create a New GPO](windows-firewall/copy-a-gpo-to-create-a-new-gpo.md) -##### [Create a Group Account in Active Directory](windows-firewall/create-a-group-account-in-active-directory.md) -##### [Create a Group Policy Object](windows-firewall/create-a-group-policy-object.md) -##### [Create an Authentication Exemption List Rule](windows-firewall/create-an-authentication-exemption-list-rule.md) -##### [Create an Authentication Request Rule](windows-firewall/create-an-authentication-request-rule.md) -##### [Create an Inbound ICMP Rule](windows-firewall/create-an-inbound-icmp-rule.md) -##### [Create an Inbound Port Rule](windows-firewall/create-an-inbound-port-rule.md) -##### [Create an Inbound Program or Service Rule](windows-firewall/create-an-inbound-program-or-service-rule.md) -##### [Create an Outbound Port Rule](windows-firewall/create-an-outbound-port-rule.md) -##### [Create an Outbound Program or Service Rule](windows-firewall/create-an-outbound-program-or-service-rule.md) -##### [Create Inbound Rules to Support RPC](windows-firewall/create-inbound-rules-to-support-rpc.md) -##### [Create WMI Filters for the GPO](windows-firewall/create-wmi-filters-for-the-gpo.md) -##### [Enable Predefined Inbound Rules](windows-firewall/enable-predefined-inbound-rules.md) -##### [Enable Predefined Outbound Rules](windows-firewall/enable-predefined-outbound-rules.md) -##### [Exempt ICMP from Authentication](windows-firewall/exempt-icmp-from-authentication.md) -##### [Link the GPO to the Domain](windows-firewall/link-the-gpo-to-the-domain.md) -##### [Modify GPO Filters to Apply to a Different Zone or Version of Windows](windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) -##### [Open the Group Policy Management Console to IP Security Policies](windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md) -##### [Open the Group Policy Management Console to Windows Firewall](windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md) -##### [Open the Group Policy Management Console to Windows Firewall with Advanced Security](windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) -##### [Open Windows Firewall with Advanced Security](windows-firewall/open-windows-firewall-with-advanced-security.md) -##### [Restrict Server Access to Members of a Group Only](windows-firewall/restrict-server-access-to-members-of-a-group-only.md) -##### [Turn on Windows Firewall and Configure Default Behavior](windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md) -##### [Verify That Network Traffic Is Authenticated](windows-firewall/verify-that-network-traffic-is-authenticated.md) - ## [Windows Hello for Business](hello-for-business/hello-identity-verification.md) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index c717ec92bb..66069f5d73 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 05/18/2018 +ms.date: 09/04/2018 --- # Manage Windows Defender Credential Guard @@ -98,7 +98,7 @@ If you enable Windows Defender Credential Guard by using Group Policy, the steps You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` -DG_Readiness_Tool_v3.2.ps1 -Enable -AutoReboot +DG_Readiness_Tool_v3.5.ps1 -Enable -AutoReboot ``` ### Review Windows Defender Credential Guard performance @@ -118,7 +118,7 @@ You can view System Information to check that Windows Defender Credential Guard You can also check that Windows Defender Credential Guard is running by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` -DG_Readiness_Tool_v3.2.ps1 -Ready +DG_Readiness_Tool_v3.5.ps1 -Ready ``` > [!NOTE] @@ -186,7 +186,7 @@ For more info on virtualization-based security and Windows Defender Device Guard You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` -DG_Readiness_Tool_v3.2.ps1 -Disable -AutoReboot +DG_Readiness_Tool_v3.5.ps1 -Disable -AutoReboot ``` #### Disable Windows Defender Credential Guard for a virtual machine diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md index 7208a54485..1e0b600031 100644 --- a/windows/security/identity-protection/index.md +++ b/windows/security/identity-protection/index.md @@ -25,5 +25,4 @@ Learn more about identity annd access management technologies in Windows 10 and | [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | | [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. | | [Windows Hello for Business](hello-for-business/hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | -| [Windows Firewall with Advanced Security](windows-firewall/windows-firewall-with-advanced-security.md) | Provides information about Windows Firewall with Advanced Security, which is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. | | [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. | diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index c0e5e23158..0854da77c6 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md @@ -187,7 +187,7 @@ The registry keys are found in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Wind | Registry key | Group Policy setting | Registry setting | | - | - | - | | FilterAdministratorToken | [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | 0 (Default) = Disabled
1 = Enabled | -| EnableUIADesktopToggle | [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to prompt-for-elevation-without-using-the-secure-desktop) | 0 (Default) = Disabled
1 = Enabled | +| EnableUIADesktopToggle | [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | 0 (Default) = Disabled
1 = Enabled | | ConsentPromptBehaviorAdmin | [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | 0 = Elevate without prompting
1 = Prompt for credentials on the secure desktop
2 = Prompt for consent on the secure desktop
3 = Prompt for credentials
4 = Prompt for consent
5 (Default) = Prompt for consent for non-Windows binaries
| | ConsentPromptBehaviorUser | [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | 0 = Automatically deny elevation requests
1 = Prompt for credentials on the secure desktop
3 (Default) = Prompt for credentials | | EnableInstallerDetection | [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | 1 = Enabled (default for home)
0 = Disabled (default for enterprise) | diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md index dca351a7eb..9ad00797a5 100644 --- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md +++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md @@ -15,7 +15,7 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows 10 credential theft mitigation guide.docx). +This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx). This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages: - Identify high-value assets diff --git a/windows/security/index.yml b/windows/security/index.yml index 019ee50e72..ca0486b130 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -22,7 +22,7 @@ metadata: manager: brianlic - ms.date: 07/12/2018 + ms.date: 08/01/2018 ms.topic: article @@ -78,17 +78,3 @@ sections: title: Information protection -- title: Windows Defender Advanced Threat Protection - items: - - type: markdown - text: " - Prevent, detect, investigate, and respond to advanced threats. The following capabilities are available across multiple products that make up the Windows Defender ATP platform. -
 
- - - - - - - -
Attack surface reductionNext generation protectionEndpoint detection and responseAuto investigation and remediationSecurity posture
[Hardware based isolation](https://docs.microsoft.com/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows)

[Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)

[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)

[Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)

[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)

[Network firewall](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security)

[Attack surface reduction controls](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)		[Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)

[Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)

[Automated sandbox service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)		[Alerts queue](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection)

[Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)

[Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)

[API and SIEM integration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)

[Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)

[Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)

[Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)

[Advanced detonation and analysis service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis)		[Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)

[Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated)

[Manage automated investigations](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations)

[Analyze automated investigation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations)		[Asset inventory](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

[Operating system baseline compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

[Recommended improvement actions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

[Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

[Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)

[Reporting and trends](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection)
" \ No newline at end of file diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md index b9c98da745..3eed493afd 100644 --- a/windows/security/information-protection/TOC.md +++ b/windows/security/information-protection/TOC.md @@ -22,10 +22,7 @@ ### [BitLocker Group Policy settings](bitlocker\bitlocker-group-policy-settings.md) ### [BCD settings and BitLocker](bitlocker\bcd-settings-and-bitlocker.md) ### [BitLocker Recovery Guide](bitlocker\bitlocker-recovery-guide-plan.md) -### [Protect BitLocker from pre-boot attacks](bitlocker\protect-bitlocker-from-pre-boot-attacks.md) -#### [Types of attacks for volume encryption keys](bitlocker\types-of-attacks-for-volume-encryption-keys.md) -#### [BitLocker Countermeasures](bitlocker\bitlocker-countermeasures.md) -#### [Choose the Right BitLocker Countermeasure](bitlocker\choose-the-right-bitlocker-countermeasure.md) +### [BitLocker Countermeasures](bitlocker\bitlocker-countermeasures.md) ### [Protecting cluster shared volumes and storage area networks with BitLocker](bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md) ## [Encrypted Hard Drive](encrypted-hard-drive.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index ea8973ef41..91d9c277db 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md @@ -7,137 +7,185 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 10/27/2017 +ms.date: 09/06/2018 --- + # BitLocker Countermeasures **Applies to** - Windows 10 -Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. -BitLocker is part of a strategic approach to securing mobile data through encryption technology. Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer. Today, BitLocker helps mitigate unauthorized data access on lost or stolen computers before the operating system is started by: +Windows uses technologies including Trusted Platform Module (TPM), Secure Boot, and Measured Boot to help protect BitLocker encryption keys against attacks. +BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. +Data on a lost or stolen computer is vulnerable. +For example, there could be unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer. -- **Encrypting the hard drives on your computer.** For example, you can turn on BitLocker for your operating system drive, a fixed data drive, or a removable data drive (such as a USB flash drive). Turning on BitLocker for your operating system drive encrypts all system files on the operating system drive, including the swap files and hibernation files. -- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computer’s boot components appear unaltered and the encrypted disk is located in the original computer. +BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started by: -The sections that follow provide more detailed information about the different technologies that Windows uses to protect against attacks on the BitLocker encryption key in four different boot phases: before startup, during pre-boot, during startup, and finally after startup. +- **Encrypting volumes on your computer.** For example, you can turn on BitLocker for your operating system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for your operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed. +- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer’s BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability. +  +The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 10, Windows 8.1, and Windows 8. -### Protection before startup +For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803, see [Standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure). -Before Windows starts, you must rely on security features implemented as part of the device hardware, including TPM and Secure Boot. Fortunately, many modern computers feature TPM. +## Protection before startup -#### Trusted Platform Module +Before Windows starts, you must rely on security features implemented as part of the device hardware and firmware, including TPM and Secure Boot. Fortunately, many modern computers feature a TPM and Secure Boot. -Software alone isn’t sufficient to protect a system. After an attacker has compromised software, the software might be unable to detect the compromise. Therefore, a single successful software compromise results in an untrusted system that might never be detected. Hardware, however, is much more difficult to modify. +### Trusted Platform Module -A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer and communicates with the rest of the system through a hardware bus. Physically, TPMs are designed to be tamper-proof. If an attacker tries to physically retrieve data directly from the chip, they’ll probably destroy the chip in the process. -By binding the BitLocker encryption key with the TPM and properly configuring the device, it’s nearly impossible for an attacker to gain access to the BitLocker-encrypted data without obtaining an authorized user’s credentials. Therefore, computers with a TPM can provide a high level of protection against attacks that attempt to directly retrieve the BitLocker encryption key. -For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview). +A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. +On some platforms, TPM can alternatively be implemented as a part of secure firmware. +BitLocker binds encryption keys with the TPM to ensure that a computer has not been tampered with while the system was offline. +For more info about TPM, see [Trusted Platform Module](https://docs.microsoft.com/windows/device-security/tpm/trusted-platform-module-overview). -#### UEFI and Secure Boot +### UEFI and Secure Boot -No operating system can protect a device when the operating system is offline. For that reason, Microsoft worked closely with hardware vendors to require firmware-level protection against boot and rootkits that might compromise an encryption solution’s encryption keys. +Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system’s bootloader. -The UEFI is a programmable boot environment introduced as a replacement for BIOS, which has for the most part remained unchanged for the past 30 years. Like BIOS, PCs start UEFI before any other software; it initializes devices, and UEFI then starts the operating system’s bootloader. As part of its introduction into the pre–operating system environment, UEFI serves a number of purposes, but one of the key benefits is to protect newer devices against a sophisticated type of malware called a bootkit through the use of its Secure Boot feature. +The UEFI specification defines a firmware execution authentication process called [Secure Boot](https://docs.microsoft.com/windows/security/information-protection/secure-the-windows-10-boot-process). +Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. -Recent implementations of UEFI (starting with version 2.3.1) can verify the digital signatures of the device’s firmware before running it. Because only the PC’s hardware manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI can prevent firmware-based bootkits. Thus, UEFI is the first link in the chain of trust. +By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. +An unauthorized EFI firmware, EFI boot application, or bootloader cannot run and acquire the BitLocker key. -Secure Boot is the foundation of platform and firmware security and was created to enhance security in the pre-boot environment regardless of device architecture. Using signatures to validate the integrity of firmware images before they are allowed to execute, Secure Boot helps reduce the risk of bootloader attacks. The purpose of Secure Boot is to block untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. -With the legacy BIOS boot process, the pre–operating system environment is vulnerable to attacks by redirecting bootloader handoff to possible malicious loaders. These loaders could remain undetected to operating system and antimalware software. The diagram in Figure 1 contrasts the BIOS and UEFI startup processes. +### BitLocker and reset attacks -![the bios and uefi startup processes](images/bitlockerprebootprotection-bios-uefi-startup.jpg) +To defend against malicious reset attacks, BitLocker leverages the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory. -**Figure 1.** The BIOS and UEFI startup processes +>[!NOTE] +>This does not protect against physical attacks where an attacker opens the case and attacks the hardware. -With Secure Boot enabled, UEFI, in coordination with the TPM, can examine the bootloader and determine whether it’s trustworthy. To determine whether the bootloader is trustworthy, UEFI examines the bootloader’s digital signature. -Using the digital signature, UEFI verifies that the bootloader was signed using a trusted certificate. +## Security policies -If the bootloader passes these two tests, UEFI knows that the bootloader isn’t a bootkit and starts it. At this point, Trusted Boot takes over, and the Windows bootloader, using the same cryptographic technologies that UEFI used to verify the bootloader, then verifies that the Windows system files haven’t been changed. +The next sections cover pre-boot authentication and DMA policies that can provide additional protection for BitLocker. -Starting with Windows 8, certified devices must meet several requirements related to UEFI-based Secure Boot: +### Pre-boot authentication -- They must have Secure Boot enabled by default. -- They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed). -- They must allow the user to configure Secure Boot to trust other signed bootloaders. -- Except for Windows RT devices, they must allow the user to completely disable Secure Boot. +Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. +The Group Policy setting is [Require additional authentication at startup](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol1arequire-additional-authentication-at-startup) and the corresponding setting in the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication. -These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems: +BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. +If Windows can’t access the encryption keys, the device can’t read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key. -- **Use an operating system with a certified bootloader.** Microsoft can analyze and sign non-Microsoft bootloaders so that they can be trusted. The Linux community is using this process to enable Linux to take advantage of -Secure Boot on Windows-certified devices. - -- **Configure UEFI to trust your custom bootloader.** Your device can trust a signed, non-certified bootloader that you specify in the UEFI database, allowing you to run any operating system, including homemade operating systems. -- **Turn off Secure Boot.** You can turn off Secure Boot. This does not help protect you from bootkits, however. - -To prevent malware from abusing these options, the user has to manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. -Any device that doesn’t require Secure Boot or a similar bootloader-verification technology, regardless of the architecture or operating system, is vulnerable to bootkits, which can be used to compromise the encryption solution. -UEFI is secure by design, but it’s critical to protect the Secure Boot configuration by using password protection. In addition, although several well-publicized attacks against UEFI have occurred, they were exploiting faulty UEFI implementations. Those attacks are ineffective when UEFI is implemented properly. - -For more information about Secure Boot, refer to [Securing the Windows 8.1 Boot Process](https://technet.microsoft.com/windows/dn168167.aspx). - -### Protection during pre-boot: Pre-boot authentication - -Pre-boot authentication with BitLocker is a process that requires the use of either a Trusted Platform Module (TPM), user input, such as a PIN, or both, depending on hardware and operating system configuration, to authenticate prior to making the contents of the system drive accessible. In the case of BitLocker, BitLocker encrypts the entire drive, including all system files. BitLocker accesses and stores the encryption key in memory only after a pre-boot authentication is completed using one or more of the following options: Trusted Platform Module (TPM), user provides a specific PIN, USB startup key. - -If Windows can’t access the encryption key, the device can’t read or edit the files on the system drive. Even if an attacker takes the disk out of the PC or steals the entire PC, they won’t be able to read or edit the files without the encryption key. The only option for bypassing pre-boot authentication is entering the highly complex, 48-digit recovery key. - -The BitLocker pre-boot authentication capability is not specifically designed to prevent the operating system from starting: That’s merely a side effect of how BitLocker protects data confidentiality and system integrity. Pre-boot authentication is designed to prevent the encryption key from being loaded to system memory on devices that are vulnerable to certain types of cold boot attacks. Many modern devices prevent an attacker from easily removing the memory, and Microsoft expects those devices to become even more common in the future. +Pre-boot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor such as a PIN or startup key. +This helps mitigate DMA and memory remanence attacks. On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways: -- **TPM-only.** Using TPM-only validation does not require any interaction with the user to decrypt and provide access to the drive. If the TPM validation succeeds, the user logon experience is the same as a standard logon. If the TPM is missing or changed or if the TPM detects changes to critical operating system startup files, BitLocker enters its recovery mode, and the user must enter a recovery password to regain access to the data. -- **TPM with startup key.** In addition to the protection that the TPM provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key. -- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN. -- **TPM with startup key and PIN.** In addition to the core component protection that the TPM provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it cannot be used for access to the drive, because the correct PIN is also required. +- **TPM-only.** Using TPM-only validation does not require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign in experience is the same as a standard logon. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor. +- **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key. +- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN. TPMs also have [anti-hammering protection](https://docs.microsoft.com/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN. +- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it cannot be used for access to the drive, because the correct PIN is also required. -For many years, Microsoft has recommended using pre-boot authentication to protect against DMA and memory remanence attacks. Today, Microsoft only recommends using pre-boot authentication on PCs where the mitigations described in this document cannot be implemented. These mitigations may be inherent to the device or may come by way of configurations that IT can provision to devices and Windows itself. +In the following Group Policy example, TPM + PIN is required to unlock an operating system drive: -Although effective, pre-boot authentication is inconvenient to users. In addition, if a user forgets their PIN or loses their startup key, they’re denied access to their data until they can contact their organization’s support team to obtain a recovery key. Today, most new PCs running Windows 10, Windows 8.1, or Windows 8 provide sufficient protection against DMA attacks without requiring pre-boot authentication. For example, most modern PCs include USB port options (which are not vulnerable to DMA attacks) but do not include FireWire or Thunderbolt ports (which are vulnerable to DMA attacks). +![Pre-boot authentication setting in Group Policy](images/pre-boot-authentication-group-policy.png) -BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy. -Many new mobile devices have the system memory soldered to the motherboard, which helps prevent the cold boot–style attack, where the system memory is frozen, removed, and then placed into another device. Those devices, and most PCs, can still be vulnerable when booting to a malicious operating system, however. +Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. +Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured. -You can mitigate the risk of booting to a malicious operating system: +On the other hand, Pre-boot authentication prompts can be inconvenient to users. +In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization’s support team to obtain a recovery key. +Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation. -- **Windows 10 (without Secure Boot), Windows 8.1 (without Secure Boot), Windows 8 (without UEFI-based Secure Boot), or Windows 7 (with or without a TPM).** Disable booting from external media, and require a firmware password to prevent the attacker from changing that option. -- **Windows 10, Windows 8.1, or Windows 8 (certified or with Secure Boot).** Password protect the firmware, and do not disable Secure Boot. +To address these issues, you can deploy [BitLocker Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock). +Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. +It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server. -### Protection During Startup +### Protecting Thunderbolt and other DMA ports -During the startup process, Windows 10 uses Trusted Boot and Early Launch Antimalware (ELAM) to examine the integrity of every component. The sections that follow describe these technologies in more detail. +There are a few different options to protect DMA ports, such as Thunderbolt™3. +Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. +This kernel DMA protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS. -**Trusted Boot** +You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled: -Trusted Boot takes over where UEFI-based Secure Boot leaves off—during the operating system initialization phase. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM driver. If a file has been modified or is not properly signed with a Microsoft signature, Windows detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally. +![Kernel DMA protection](images/kernel-dma-protection.png) -Windows 10 uses Trusted Boot on any hardware platform: It requires neither UEFI nor a TPM. However, without Secure Boot, it’s possible for malware to compromise the startup process prior to Windows starting, at which point Trusted Boot protections could be bypassed or potentially disabled. +If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: -**Early Launch Antimalware** +1. Require a password for BIOS changes +2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings +3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607): -Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps don’t start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work. + - MDM: [DataProtection/AllowDirectMemoryAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy + - Group Policy: [Disable new DMA devices when this computer is locked](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#disable-new-dma-devices-when-this-computer-is-locked) (This setting is not configured by default.) -Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. ELAM checks the integrity of non-Microsoft drivers to determine whether the drivers are trustworthy. Because Windows needs to start as fast as possible, ELAM cannot be a complicated process of checking the driver files against known malware signatures. Instead, ELAM has the simple task of examining every boot driver and determining whether it is on the list of trusted drivers. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits. ELAM also allows the registered antimalware provider to scan drivers that are loaded after the boot process is complete. +For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the “Thunderbolt Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). +For SBP-2 and 1394 (a.k.a. Firewire), refer to the “SBP-2 Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). + +## Attack countermeasures -Windows Defender in Windows 10 supports ELAM, as do Microsoft System Center 2012 Endpoint Protection and non-Microsoft antimalware apps. +This section covers countermeasures for specific types attacks. -To do this, ELAM loads an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software. +### Bootkits and rootkits -With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy. -ELAM classifies drivers as follows: +A physically-present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. +The TPM should observe this installation via PCR measurements, and the BitLocker key will not be released. +This is the default configuration. -- **Good.** The driver has been signed and has not been tampered with. -- **Bad.** The driver has been identified as malware. It is recommended that you not allow known bad drivers to be initialized. -- **Bad but required for boot.** The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. -- **Unknown.** This driver has not been attested to by your malware-detection application or classified by the ELAM boot-start driver. +A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise. +Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. +Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure). -While the features listed above protect the Windows boot process from malware threats that could compromise BitLocker security, it is important to note that DMA ports may be enabled during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port related policies that have been configured. This period of time where the encryption key could be exposed to a DMA attack could be less than a minute on recent devices or longer depending on system performance. The use of pre-boot authentication with a PIN can be used to successfully mitigate against an attack. +### Brute force attacks against a PIN +Require TPM + PIN for anti-hammering protection. -### Protection After Startup: eliminate DMA availability +### DMA attacks -Windows Modern Standby–certified devices do not have DMA ports, eliminating the risk of DMA attacks. On other devices, you can disable FireWire, Thunderbolt, or other ports that support DMA. +See [Protecting Thunderbolt and other DMA ports](#protecting-thunderbolt-and-other-dma-ports) earlier in this topic. -## See also -- [Types of Attacks for Volume Encryption Keys](types-of-attacks-for-volume-encryption-keys.md) -- [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md) -- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md) -- [BitLocker overview](bitlocker-overview.md) +### Paging file, crash dump, and Hyberfil.sys attacks +These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives. +It also blocks automatic or manual attempts to move the paging file. + +### Memory remanence + +Enable Secure Boot and require a password to change BIOS settings. +For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user. + +## Attacker countermeasures + +The following sections cover mitigations for different types of attackers. + +### Attacker without much skill or with limited physical access + +Physical access may be limited by a form factor that does not expose buses and memory. +For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard. +This attacker of opportunity does not use destructive methods or sophisticated forensics hardware/software. + +Mitigation: +- Pre-boot authentication set to TPM only (the default) + +### Attacker with skill and lengthy physical access + +Targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated hardware or software. + +Mitigation: +- Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN to help the TPM anti-hammering mitigation). + + -And- + +- Disable Standby power management and shut down or hibernate the device before it leaves the control of an authorized user. This can be set using Group Policy: + + - Computer Configuration|Policies|Administrative Templates|Windows Components|File Explorer|Show hibernate in the power options menu + - Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (plugged in) + - Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (on battery) + +These settings are **Not configured** by default. + +For some systems, bypassing TPM-only may require opening the case, and may require soldering, but could possibly be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost much more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. The Group Policy setting for [enhanced PIN](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol2aallow-enhanced-pins-for-startup) is: + +Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption|Operating System Drives|Allow enhanced PINs for startup + +This setting is **Not configured** by default. + +For secure administrative workstations, Microsoft recommends TPM with PIN protector and disable Standby power management and shut down or hibernate the device. + +## See also + +- [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d) +- [BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings) +- [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure.md b/windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure.md deleted file mode 100644 index c1b351b15e..0000000000 --- a/windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure.md +++ /dev/null @@ -1,138 +0,0 @@ ---- -title: Choose the right BitLocker countermeasure (Windows 10) -description: This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks. -ms.assetid: b0b09508-7885-4030-8c61-d91458afdb14 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: brianlic-msft -ms.date: 10/27/2017 ---- - -# Choose the right BitLocker countermeasure - -**Applies to** -- Windows 10 - -This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks. -You can use BitLocker to protect your Windows 10 PCs. Whichever operating system you’re using, Microsoft and Windows-certified devices provide countermeasures to address attacks and improve your data security. In most cases, this protection can be implemented without the need for pre-boot authentication. - -Tables 1 and 2 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default settings. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-

Windows 8.1
without TPM

 -

Windows 8.1 Certified
(with TPM)

-

Bootkits and
Rootkits

Without TPM, boot integrity checking is not available

Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings

-

Brute Force
Sign-in

Secure by default, and can be improved with account lockout Group Policy

Secure by default, and can be improved with account lockout and device lockout Group Policy settings

-

DMA
Attacks

If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in

If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in

-

Hyberfil.sys
Attacks

Secure by default; hyberfil.sys secured on encrypted volume

Secure by default; hyberfil.sys secured on encrypted volume

-

Memory
Remanence
Attacks

Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication

Password protect the firmware and ensure Secure Boot is enabled. If an attack is viable, consider pre-boot authentication

- -**Table 1.**  How to choose the best countermeasures for Windows 8.1

- - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-

Windows 10
without TPM

 -

Windows 10 Certified
(with TPM)

-

Bootkits and
Rootkits

Without TPM, boot integrity checking is not available

Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings

-

Brute Force
Sign-in

Secure by default, and can be improved with account lockout Group Policy

Secure by default, and can be improved with account lockout and device lockout Group Policy settings

-

DMA
Attacks

If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in

Secure by default; certified devices do not expose vulnerable DMA busses.
Can be additionally secured by deploying policy to restrict DMA devices:

- -
-

Hyberfil.sys
Attacks

Secure by default; hyberfil.sys secured on encrypted volume

Secure by default; hyberfil.sys secured on encrypted volume

-

Memory
Remanence
Attacks

Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication

Password protect the firmware and ensure Secure Boot is enabled.
The most effective mitigation, which we advise for high-security devices, is to configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.

- -**Table 2.**  How to choose the best countermeasures for Windows 10 - -The latest Modern Standby devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be secure by default too. DMA port–based attacks, which represent the attack vector of choice, are not possible on Modern Standby devices because these port types are prohibited. The inclusion of DMA ports on even non-Modern Standby devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case, DMA ports can be disabled entirely, which is an increasingly popular option because the use of DMA ports is infrequent in the non-developer space. To prevent DMA port usage unless an authorized user is signed in, you can set the DataProtection/AllowDirectMemoryAccess policy by using Mobile Device Management (MDM) or the Group Policy setting **Disable new DMA devices when this computer is locked** (beginning with Windows 10, version 1703). This setting is **Not configured** by default. The path to the Group Policy setting is: - -**Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption** - -Memory remanence attacks can be mitigated with proper configuration; in cases where the system memory is fixed and non-removable, they are not possible using published techniques. Even in cases where system memory can be removed and loaded into another device, attackers will find the attack vector extremely unreliable, as has been shown in the DRDC Valcartier group’s analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)). - -Windows 7 PCs share the same security risks as newer devices but are far more vulnerable to DMA and memory remanence attacks, because Windows 7 devices are more likely to include DMA ports, lack support for UEFI-based Secure Boot, and rarely have fixed memory. To eliminate the need for pre-boot authentication on Windows 7 devices, disable the ability to boot to external media, password-protect the BIOS configuration, and disable the DMA ports. If you believe that your devices may be a target of a memory remanence attack, where the system memory may be removed and put into another computer to gain access to its contents, consider testing your devices to determine whether they are susceptible to this type of attack. - -In the end, many customers will find that pre-boot authentication improves security only for a shrinking subset of devices within their organization. Microsoft recommends a careful examination of the attack vectors and mitigations -outlined in this document along with an evaluation of your devices before choosing to implement pre-boot authentication, which may not enhance the security of your devices and instead will only compromise the user experience and add to support costs. - -## See also -- [Types of attacks for volume encryption keys](types-of-attacks-for-volume-encryption-keys.md) -- [BitLocker Countermeasures](bitlocker-countermeasures.md) -- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md) -- [BitLocker overview](bitlocker-overview.md) -  -  diff --git a/windows/security/information-protection/bitlocker/images/kernel-dma-protection.png b/windows/security/information-protection/bitlocker/images/kernel-dma-protection.png new file mode 100644 index 0000000000..297809afdc Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/kernel-dma-protection.png differ diff --git a/windows/security/information-protection/bitlocker/images/pre-boot-authentication-group-policy.png b/windows/security/information-protection/bitlocker/images/pre-boot-authentication-group-policy.png new file mode 100644 index 0000000000..94d0720c76 Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/pre-boot-authentication-group-policy.png differ diff --git a/windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md b/windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md deleted file mode 100644 index d67cd69a82..0000000000 --- a/windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md +++ /dev/null @@ -1,43 +0,0 @@ ---- -title: Protect BitLocker from pre-boot attacks (Windows 10) -description: This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. -ms.assetid: 24d19988-fc79-4c45-b392-b39cba4ec86b -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: brianlic-msft -ms.date: 04/19/2017 ---- -# Protect BitLocker from pre-boot attacks - - -**Applies to** -- Windows 10 - -This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. - -BitLocker uses encryption to protect the data on your drive, but BitLocker security is only effective when the encryption key is protected. Many users have relied on pre-boot authentication to protect the operating system’s integrity, disk encryption solution (for example, encryption keys), and the PC’s data from offline attacks. With pre-boot authentication, users must provide some form of credential before unlocking encrypted volumes and starting -Windows. Typically, they authenticate themselves using a PIN or a USB flash drive as a key. - -Full-volume encryption using BitLocker Drive Encryption is vital for protecting data and system integrity on devices running the Windows 10, Windows 8.1, Windows 8, or Windows 7 operating system. It is equally important to protect the BitLocker encryption key. On Windows 7 devices, sufficiently protecting that key often required pre-boot authentication, which many users find inconvenient and complicates device management. - -Pre-boot authentication provides excellent startup security, but it inconveniences users and increases IT management costs. Every time the PC is unattended, the device must be set to hibernate (in other words, shut down and powered off); when the computer restarts, users must authenticate before the encrypted volumes are unlocked. This requirement increases restart times and prevents users from accessing remote PCs until they can physically access the computer to authenticate, making pre-boot authentication unacceptable in the modern IT world, where users expect their devices to turn on instantly and IT requires PCs to be constantly connected to the network. - -If users lose their USB key or forget their PIN, they can’t access their PC without a recovery key. With a properly configured infrastructure, the organization’s support will be able to provide the recovery key, but doing so increases support costs, and users might lose hours of productive work time. - -Starting with Windows 8, Secure Boot and Windows Trusted Boot startup process ensures operating system integrity, allowing Windows to start automatically while minimizing the risk of malicious startup tools and rootkits. In addition, many modern devices are fundamentally physically resistant to sophisticated attacks against the computer’s memory, and now Windows authenticates the user before making devices that may represent a threat to the device and encryption keys available for use. - -## In this topic - -The sections that follow help you understand which PCs still need pre-boot authentication and which can meet your security requirements without the inconvenience of it. - -- [Types of attacks for volume encryption keys](types-of-attacks-for-volume-encryption-keys.md) -- [BitLocker countermeasures](bitlocker-countermeasures.md) -- [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md) - -## See also - -- [BitLocker overview](bitlocker-overview.md) -  -  diff --git a/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md b/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md deleted file mode 100644 index d96b30a8c5..0000000000 --- a/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md +++ /dev/null @@ -1,129 +0,0 @@ ---- -title: Types of attacks for volume encryption keys (Windows 10) -description: There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) secure boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts. -ms.assetid: 405060a9-2009-44fc-9f84-66edad32c6bc -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: brianlic-msft -ms.date: 10/27/2017 ---- - -# Types of attacks for volume encryption keys - -**Applies to** -- Windows 10 - -There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) Secure Boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts. - -The next few sections describe each type of attack that could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution. After an attacker has compromised a volume encryption key, the attacker can read data from your system drive or even install malware while Windows is offline. Each section begins with a graphical overview of the attack’s strengths and weaknesses as well as suggested mitigations. - -### Bootkit and rootkit attacks - -Rootkits are a sophisticated and dangerous type of malware that runs in kernel mode, using the same privileges as the operating system. Because rootkits have the same or possibly even more rights than the operating system, they can completely hide themselves from Windows and even an antimalware solution. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords, transfer private files, and capture cryptography keys. - -Different types of bootkits and rootkits load at different software levels: - -- **Kernel level.** Rootkits running at the kernel level have the highest privilege in the operating system. They may be able to inject malicious code or replace portions of the core operating system, including both the kernel and device drivers. -- **Application level.** These rootkits are aimed to replace application binaries with malicious code, such as a Trojan, and can even modify the behavior of existing applications. -- **Library level.** The purpose of library-level rootkits is to hook, patch, or replace system calls with malicious code that can hide the malware’s presence. -- **Hypervisor level.** Hypervisor rootkits target the boot sequence. Their primary purpose is to modify the boot sequence to load themselves as a hypervisor. -- **Firmware level.** These rootkits overwrite the PC’s BIOS firmware, giving the malware low-level access and potentially the ability to install or hide malware, even if it’s cleaned or removed from the hard disk. - -Regardless of the operating system or encryption method, rootkits have access to confidential data once installed. Application-level rootkits can read any files the user can access, bypassing volume-level encryption. Kernel-, library-, hypervisor-, and firmware-level rootkits have direct access to system files on encrypted volumes and can also retrieve an encryption key from memory. - -Windows offers substantial protection from bootkits and rootkits, but it is possible to bypass operating system security when an attacker has physical access to the device and can install the malware to the device while Windows is offline. For example, an attacker might boot a PC from a USB flash drive containing malware that starts before Windows. The malware can replace system files or the PC’s firmware or simply start Windows under its control. - -To sufficiently protect a PC from boot and rootkits, devices must use pre-boot authentication or Secure Boot, or the encryption solution must use the device’s Trusted Platform Module (TPM) as a means of monitoring the integrity of the end-to-end boot process. Pre-boot authentication is available for any device, regardless of the hardware, but because it is inconvenient to users, it should be used only to mitigate threats that are applicable to the device. On devices with Secure Boot enabled, you do not need to use pre-boot authentication to protect against boot and rootkit attacks. - -Although password protection of the UEFI configuration is important for protecting a device’s configuration and preventing an attacker from disabling Secure Boot, use of a TPM and its Platform Configuration Register (PCR) measurements (PCR7) to ensure that the system’s bootloader (whether a Windows or non-Microsoft encryption solution) is tamper free and the first code to start on the device is critical. An encryption solution that doesn’t use a device’s TPM to protect its components from tampering may be unable to protect itself from bootkit-level infections that could log a user’s password or acquire encryption keys. - -For this reason, when BitLocker is configured on devices that include a TPM, the TPM and its PCRs are always used to secure and confirm the integrity of the pre–operating system environment before making encrypted volumes accessible. - -Any change to the UEFI configuration invalidates the PCR7 and requires the user to enter the BitLocker recovery key. Because of this feature, it’s not critical to password-protect your UEFI configuration. But UEFI password protection is a best practice and is still required for systems not using a TPM (such as non-Microsoft alternatives). - -### Brute-force Sign-in Attacks - -Attackers can find any password if you allow them to guess enough times. The process of trying millions of different passwords until you find the right one is known as a *brute-force sign-in attack*. In theory, an attacker could obtain any password by using this method. - -Three opportunities for brute-force attacks exist: - -- **Against the pre-boot authenticator.** An attacker could attack the device directly by attempting to guess the user’s BitLocker PIN or an equivalent authenticator. The TPM mitigates this approach by invoking an anti-hammering lockout capability that requires the user to wait until the lockout period ends or enter the BitLocker recovery key. -- **Against the recovery key.** An attacker could attempt to guess the 48-digit BitLocker recovery key. Even without a lockout period, the key is long enough to make brute-force attacks impractical. Specifically, the BitLocker recovery key has 128 bits of entropy; thus, the average brute-force attack would succeed after 18,446,744,073,709,551,616 guesses. If an attacker could guess 1 million passwords per second, the average brute-force attack would require more than 580,000 years to be successful. -- **Against the operating system sign-in authenticator.** An attacker can attempt to guess a valid user name and password. Windows implements a delay between password guesses, slowing down brute-force attacks. In addition, all recent versions of Windows allow administrators to require complex passwords and password lockouts. Similarly, administrators can use Microsoft Exchange ActiveSync policy or Group Policy to configure Windows 8.1 and Windows 8 to automatically restart and require the user to enter the BitLocker 48-digit recovery key after a specified number of invalid password attempts. When these settings are enabled and users follow best practices for complex passwords, brute-force attacks against the operating system sign-in are impractical. - -In general, brute-force sign-in attacks are not practical against Windows when administrators enforce complex passwords and account lockouts. - -### Direct Memory Access Attacks - -Direct memory access (DMA) allows certain types of hardware devices to communicate directly with a device’s system memory. For example, if you use Thunderbolt to connect another device to your computer, the second device automatically has Read and Write access to the target computer’s memory. - -Unfortunately, DMA ports don’t use authentication and access control to protect the contents of the computer’s memory. Whereas Windows can often prevent system components and apps from reading and writing to protected parts of memory, a device can use DMA to read any location in memory, including the location of any encryption keys. - -DMA attacks are relatively easy to execute and require little technical skills. Anyone can download a tool from the Internet, such as those made by [Passware](http://www.lostpassword.com/), [ElcomSoft](http://elcomsoft.com/), and -others, and then use a DMA attack to read confidential data from a PC’s memory. Because encryption solutions store their encryption keys in memory, they can be accessed by a DMA attack. - -Not all port types are vulnerable to DMA attacks. USB in particular does not allow DMA, but devices that have any of the following port types are vulnerable: - -- FireWire -- Thunderbolt -- ExpressCard -- PCMCIA -- PCI -- PCI-X -- PCI Express - -To perform a DMA attack, attackers typically connect a second PC that is running a memory-scanning tool (for example, Passware, ElcomSoft) to the FireWire or Thunderbolt port of the target computer. When connected, the software -scans the system memory of the target and locates the encryption key. Once acquired, the key can be used to decrypt the drive and read or modify its contents. - -A much more efficient form of this attack exists in theory: An attacker crafts a custom FireWire or Thunderbolt device that has the DMA attack logic programmed on it. Now, the attacker simply needs to physically connect the device. If the attacker does not have physical access, they could disguise it as a free USB flash drive and distribute it to employees of a target organization. When connected, the attacking device could use a DMA attack to scan the PC’s memory for the encryption key. It could then transmit the key (or any data in the PC’s memory) using the PC’s Internet connection or its own wireless connection. This type of attack would require an extremely high level of sophistication, because it requires that the attacker create a custom device (devices of these types are not readily available in the marketplace at this time). - -Today, one of the most common uses for DMA ports on Windows devices is for developer debugging, a task that some developers need to perform and one that few consumers will ever perform. Because USB; DisplayPort; and other, more secure port types satisfy consumers, most new mobile PCs do not include DMA ports. Microsoft’s view is that because of the inherent security risks of DMA ports, they do not belong on mobile devices, and Microsoft has prohibited their inclusion on any Modern Standby-certified devices. Modern Standby devices offer mobile phone–like power management and instant-on capabilities; at the time of writing, they are primarily found in Windows tablets. - -DMA-based expansion slots are another avenue of attack, but these slots generally appear only on desktop PCs that are designed for expansion. Organizations can use physical security to prevent outside attacks against their desktop PCs. In addition, a DMA attack on the expansion slot would require a custom device; as a result, an attacker would most likely insert an interface with a traditional DMA port (for example, FireWire) into the slot to attack the PC. - -To mitigate a port-based DMA attack an administrator can configure policy settings to disable FireWire and other device types that have DMA. Also, many PCs allow those devices to be disabled by using firmware settings. Although the need for pre-boot authentication can be eliminated at the device level or through Windows configuration, the BitLocker pre-boot authentication feature is still available when needed. When used, it successfully mitigates all types of DMA port and expansion slot attacks on any type of device. - -### Hiberfil.sys Attacks - -The hiberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hiberfil.sys file. - -Like the DMA port attack discussed in the previous section, tools are available that can scan the hiberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hiberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it. - -In practice, the only reason an attack on hiberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hiberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack. - -### Memory Remanence Attacks - -A memory remanence attack is a side-channel attack that reads the encryption key from memory after restarting a PC. Although a PC’s memory is often considered to be cleared when the PC is restarted, memory chips don’t immediately lose their memory when you disconnect power. Therefore, an attacker who has physical access to the PC’s memory might be able to read data directly from the memory—including the encryption key. - -When performing this type of cold boot attack, the attacker accesses the PC’s physical memory and recovers the encryption key within a few seconds or minutes of disconnecting power. This type of attack was demonstrated by researchers at [Princeton University](http://www.youtube.com/watch?v=JDaicPIgn9U). With the encryption key, the attacker would be able to decrypt the drive and access its files. - -To acquire the keys, attackers follow this process: - -1. Freeze the PC’s memory. For example, an attacker can freeze the memory to −50°C by spraying it with aerosol air duster spray. -2. Restart the PC. -3. Instead of restarting Windows, boot to another operating system. Typically, this is done by connecting a bootable flash drive or loading a bootable DVD. -4. The bootable media loads the memory remanence attack tools, which the attacker uses to scan the system memory and locate the encryption keys. -5. The attacker uses the encryption keys to access the drive’s data. - -If the attacker is unable to boot the device to another operating system (for example, if bootable flash drives have been disabled or Secure Boot is enabled), the attacker can attempt to physically remove the frozen memory from the device and attach it to a different, possibly identical device. Fortunately, this process has proven extremely unreliable, as evidenced by the Defence Research and Development Canada (DRDC) Valcartier group’s analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)). On an increasing portion of modern devices, this type of attack is not even possible, because memory is soldered directly to the motherboard. - -Although Princeton’s research proved that this type of attack was possible on devices that have removable memory, device hardware has changed since the research was published in 2008: - -- Secure Boot prevents the malicious tools that the Princeton attack depends on from running on the target device. -- Windows systems with BIOS or UEFI can be locked down with a password, and booting to a USB drive can be prevented. -- If booting to USB is required on the device, it can be limited to starting trusted operating systems by using Secure Boot. -- The discharge rates of memory are highly variable among devices, and many devices have memory that is completely immune to memory remanence attacks. -- Increased density of memory diminishes their remanence properties and reduces the likelihood that the attack can be successfully executed, even when memory is physically removed and placed in an identical system where the system’s configuration may enable booting to the malicious tools. - -Because of these factors, this type of attack is rarely possible on modern devices. Even in cases where the risk factors exist on legacy devices, attackers will find the attack unreliable. For detailed info about the practical uses for forensic memory acquisition and the factors that make a computer vulnerable or resistant to memory remanence attacks, read [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078). - -The BitLocker pre-boot authentication feature can successfully mitigate memory remanence attacks on most devices, but you can also mitigate such attacks by protecting the system UEFI or BIOS and prevent the PC from booting from external media (such as a USB flash drive or DVD). The latter option is often a better choice, because it provides sufficient protection without inconveniencing users with pre-boot authentication. - -## See also - -- [BitLocker countermeasures](bitlocker-countermeasures.md) -- [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md) -- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md) -- [BitLocker overview](bitlocker-overview.md) diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index 80cbbf5505..23eb4f8be3 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -68,7 +68,7 @@ The TPM can be used to protect certificates and RSA keys. The TPM key storage pr ## TPM Cmdlets -You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/jj603116.aspx). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule/). ## Physical presence interface @@ -144,6 +144,6 @@ The Windows TPM-based smart card, which is a virtual smart card, can be configur ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [TPM Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/jj603116.aspx) +- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule/) - [TPM WMI providers](https://msdn.microsoft.com/library/aa376476.aspx) -- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) \ No newline at end of file +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index efc971485b..7e687dd04c 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -1,42 +1,24 @@ # [Threat protection](index.md) - - - - - ## [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md) -### [Windows Defender Security Center](windows-defender-atp/windows-defender-security-center-atp.md) -####Get started -##### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md) -##### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md) -##### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) -##### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md) -##### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md) -##### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md) -#### [Onboard machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) -##### [Onboard previous versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md) -##### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md) -###### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md) -###### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -###### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -####### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune) -###### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md) -###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -##### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md) -##### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) -##### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md) -##### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md) -##### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md) -##### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) -#### [Understand the portal ](windows-defender-atp\use-windows-defender-advanced-threat-protection.md) -##### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md) -##### [View the Security operations dashboard](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md) -##### [View the Secure Score dashboard and improve your secure score](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md) -##### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) -####Investigate and remediate threats -#####Alerts queue +### [Overview](windows-defender-atp/overview.md) +#### [Attack surface reduction](windows-defender-atp/overview-attack-surface-reduction.md) +##### [Hardware-based isolation](windows-defender-atp/overview-hardware-based-isolation.md) +###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md) +###### [System isolation](windows-defender-atp/how-hardware-based-containers-help-protect-windows.md) +##### [Application control](windows-defender-application-control/windows-defender-application-control.md) +##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md) +##### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md) +##### [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md) +##### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) +##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) +#### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) +#### [Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md) +##### [Security operations dashboard](windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md) + + +##### Alerts queue ###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) ###### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md) ###### [Investigate alerts](windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) @@ -45,11 +27,8 @@ ###### [Investigate an IP address](windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md) ###### [Investigate a domain](windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md) ###### [Investigate a user account](windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md) - - - - -#####Machines list + +##### Machines list ###### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md) ###### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags) ###### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) @@ -69,7 +48,7 @@ ####### [Isolate machines from the network](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) ####### [Release machine from isolation](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation) ####### [Check activity details in Action center](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) - + ###### [Take response actions on a file](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md) ####### [Stop and quarantine files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) ####### [Remove file from quarantine](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) @@ -77,18 +56,234 @@ ####### [Remove file from blocked list](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list) ####### [Check activity details in Action center](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) ####### [Deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) -######## [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) -######## [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) -######## [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) +####### [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) +####### [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) +####### [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) + -###### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md) -####### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md) -####### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) +#### [Automated investigation and remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md) +##### [Learn about the automated investigation and remediation dashboard](windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md) -#### [Use Automated investigation to investigate and remediate threats](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md) -#### [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md) -####API and SIEM support +#### [Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md) +##### [Threat analytics](windows-defender-atp/threat-analytics.md) +###### [Threat analytics for Spectre and Meltdown](windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) +#### [Advanced hunting](windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md) +##### [Query data using Advanced hunting](windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md) +###### [Advanced hunting reference](windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md) +###### [Advanced hunting query language best practices](windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) +##### [Custom detections](windows-defender-atp/overview-custom-detections.md) +###### [Create custom detections rules](windows-defender-atp/custom-detection-rules.md) + + +#### [Management and APIs](windows-defender-atp/management-apis.md) +##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +##### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md) +######Actor +####### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md) +####### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md) +######Alerts +####### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md) +####### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md) +####### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md) +####### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md) +####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md) +####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) +####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) +#######Domain +######## [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md) +######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md) +######## [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md) +######## [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) + +######File +####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md) +####### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md) +####### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md) +####### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md) +####### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md) +####### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md) + +######IP +####### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md) +####### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md) +####### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md) +######Machines +####### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md) +####### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) +####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) +####### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md) +####### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) +####### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md) +####### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md) +####### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md) +####### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md) +####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) +####### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md) +####### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md) +####### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md) +####### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md) +####### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md) +####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md) +####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md) +####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md) + +######User +####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md) +####### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md) +####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md) + + +##### [Managed service provider provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md) + +#### [Microsoft threat protection](windows-defender-atp/threat-protection-integration.md) +##### [Protect users, data, and devices with conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md) +##### [Microsoft Cloud App Security integration overview](windows-defender-atp/microsoft-cloud-app-security-integration.md) + + + +#### [Portal overview](windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md) + + + +### [Get started](windows-defender-atp/get-started.md) +#### [Minimum requirements](windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md) +#### [Validate licensing and complete setup](windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md) +#### [Preview features](windows-defender-atp/preview-windows-defender-advanced-threat-protection.md) +#### [Data storage and privacy](windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md) +#### [Assign user access to the portal](windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md) + +#### [Evaluate Windows Defender ATP](windows-defender-atp/evaluate-atp.md) +#####Evaluate attack surface reduction +###### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md) +###### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md) +###### [Exploit protection](windows-defender-exploit-guard/evaluate-exploit-protection.md) +###### [Network Protection](windows-defender-exploit-guard/evaluate-network-protection.md) +###### [Controlled folder access](windows-defender-exploit-guard/evaluate-controlled-folder-access.md) +###### [Attack surface reduction](windows-defender-exploit-guard/evaluate-attack-surface-reduction.md) +###### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) +##### [Evaluate next generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md) + +#### [Access the Windows Defender Security Center Community Center](windows-defender-atp/community-windows-defender-advanced-threat-protection.md) + +### [Configure and manage capabilities](windows-defender-atp/onboard.md) +#### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md) +##### [Hardware-based isolation](windows-defender-application-guard/install-wd-app-guard.md) +###### [Confguration settings](windows-defender-application-guard/configure-wd-app-guard.md) +##### [Application control](windows-defender-application-control/windows-defender-application-control.md) +##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md) +###### [Customize exploit protection](windows-defender-exploit-guard/customize-exploit-protection.md) +###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) +##### [Network protection](windows-defender-exploit-guard/enable-network-protection.md) +##### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md) +###### [Customize controlled folder access](windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md) +##### [Attack surface reduction controls](windows-defender-exploit-guard/enable-attack-surface-reduction.md) +###### [Customize attack surface reduction](windows-defender-exploit-guard/customize-attack-surface-reduction.md) +##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md) + + + +#### [Configure next generation protection](windows-defender-antivirus/configure-windows-defender-antivirus-features.md) +##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) +###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md) +###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md) +###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md) +###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md) +##### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md) +###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) +###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) +##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md) +##### [Antivirus compatibility](windows-defender-antivirus/windows-defender-antivirus-compatibility.md) +###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md) + +##### [Deploy, manage updates, and report on antivirus](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md) +###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md) +####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md) +###### [Report on antivirus protection](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md) +####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md) +###### [Manage updates and apply baselines](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md) +####### [Manage protection and definition updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md) +####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md) +####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md) +####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md) +####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md) + +##### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md) +###### [Configure and validate exclusions in antivirus scans](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md) +####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) +####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md) +####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md) +###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md) +###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md) +###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md) +###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md) +###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md) +###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md) +##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md) +##### [Manage antivirus in your business](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md) +###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md) +###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md) +###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md) +###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md) +###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) + +##### [Manage scans and remediation](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md) +###### [Configure and validate exclusions in antivirus scans](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md) +####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) +####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md) +####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md) +###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md) +###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md) +###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md) +###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md) +###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md) +###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md) +###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md) +##### [Manage next generation protection in your business](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md) +###### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md) +###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md) +###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md) +###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md) +###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) + + +#### [Configure Secure score dashboard security controls](windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md) + + +#### Management and API support +##### [Onboard machines](windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md) +###### [Onboard previous versions of Windows](windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md) +###### [Onboard Windows 10 machines](windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md) +####### [Onboard machines using Group Policy](windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md) +####### [Onboard machines using System Center Configuration Manager](windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +####### [Onboard machines using Mobile Device Management tools](windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +######## [Onboard machines using Microsoft Intune](windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune) +####### [Onboard machines using a local script](windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md) +####### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) +###### [Onboard servers](windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md) +###### [Onboard non-Windows machines](windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) +###### [Run a detection test on a newly onboarded machine](windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md) +###### [Run simulated attacks on machines](windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md) +###### [Configure proxy and Internet connectivity settings](windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md) +###### [Troubleshoot onboarding issues](windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +####### [Troubleshoot subscription and portal access issues](windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) + +##### API for custom alerts +###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md) +###### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md) +####### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md) +####### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md) +####### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md) +####### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md) +####### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md) +####### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) + + ##### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) ###### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md) ###### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md) @@ -97,264 +292,120 @@ ###### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) ###### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md) -##### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md) -###### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md) -###### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md) -###### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md) -###### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md) -###### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md) -###### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) -##### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md) -###### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md) -#######Actor -######## [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md) -######## [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md) -#######Alerts -######## [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md) -######## [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md) -######## [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md) -######## [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md) -######## [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md) -######## [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) -######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) -########Domain -######### [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md) -######### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md) -######### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md) -######### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) -#######File -######## [Block file](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md) -######## [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md) -######## [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md) -######## [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md) -######## [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md) -######## [Get FileActions collection](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md) -######## [Unblock file](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md) +##### Reporting +###### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md) -#######IP -######## [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md) -######## [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md) -######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md) -######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md) -#######Machines -######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md) -######## [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) -######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) -######## [Get FileMachineAction object](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md) -######## [Get FileMachineActions collection](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) -######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md) -######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md) -######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md) -######## [Get MachineAction object](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md) -######## [Get MachineActions collection](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md) -######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) -######## [Get package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md) -######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md) -######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md) -######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md) -######## [Request sample](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md) -######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md) -######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md) -######## [Stop and quarantine file](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md) +##### Role-based access control +###### [Manage portal access using RBAC](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md) +####### [Create and manage roles](windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md) +####### [Create and manage machine groups](windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md) +######## [Create and manage machine tags](windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md) + + +##### [Configure managed security service provider (MSSP) support](windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md) + + +#### Configure Microsoft threat protection integration +##### [Configure conditional access](windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md) +##### [Configure Microsoft Cloud App Security integration](windows-defender-atp/microsoft-cloud-app-security-config.md) -#######User -######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md) -######## [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md) -######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md) -######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md) - -####Reporting -##### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md) - -####Check service health and sensor state -##### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md) -##### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) -##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) -##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) -##### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md) - - -####[Configure Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md) -#####General -###### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md) -###### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md) -###### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) -###### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md) -###### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md) - - -#####Permissions -###### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md) -###### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md) - -#####APIs -###### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md) -###### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md) +#### [Configure Windows Defender Security Center settings](windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md) +##### General +###### [Update data retention settings](windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md) +###### [Configure alert notifications](windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md) +###### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md) +###### [Enable Secure score security controls](windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md) +###### [Configure advanced features](windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md) + +##### Permissions +###### [Use basic permissions to access the portal](windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md) +###### [Manage portal access using RBAC](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md) +####### [Create and manage roles](windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md) +####### [Create and manage machine groups](windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md) +######## [Create and manage machine tags](windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md) + +##### APIs +###### [Enable Threat intel](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md) +###### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md) + #####Rules -###### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md) -###### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) -###### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) -###### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) - +###### [Manage suppression rules](windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md) +###### [Manage automation allowed/blocked](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +###### [Manage automation file uploads](windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) +###### [Manage automation folder exclusions](windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) + #####Machine management -###### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) -###### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md) +###### [Onboarding machines](windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md) +###### [Offboarding machines](windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md) + +##### [Configure Windows Defender Security Center time zone settings](windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md) + -#### [Configure Windows Defender Security Center time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md) +### [Troubleshoot Windows Defender ATP](windows-defender-atp/troubleshoot-wdatp.md) +####Troubleshoot sensor state +##### [Check sensor state](windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md) +##### [Fix unhealthy sensors](windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) +##### [Inactive machines](windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) +##### [Misconfigured machines](windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) +##### [Review sensor events and errors on machines with Event Viewer](windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md) -#### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md) -#### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md) -##### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md) -#### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md) +#### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md) +##### [Check service health](windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md) -### [Windows Defender Antivirus](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md) -#### [Windows Defender AV in the Windows Defender Security app](windows-defender-antivirus\windows-defender-security-center-antivirus.md) -#### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md) - -#### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md) -##### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md) - - -#### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md) - - -#### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md) -##### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md) -###### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md) -##### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md) -###### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md) -##### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md) -###### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md) -###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md) -###### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md) -###### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md) -###### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md) - - -#### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md) -##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md) -###### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md) -###### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md) -###### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md) -###### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md) -###### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md) -##### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md) -###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) -###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md) -##### [Configure end-user interaction with Windows Defender AV](windows-defender-antivirus\configure-end-user-interaction-windows-defender-antivirus.md) -###### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md) -###### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md) -###### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md) - - -#### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md) -##### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md) -###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md) -###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md) -###### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md) -##### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md) -##### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md) -##### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md) -##### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md) -##### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md) -##### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md) -#### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md) - - -##### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md) - - - -##### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md) -###### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md) -###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md) -###### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md) -###### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md) -###### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md) - - - - - - - - - - - - - - - - -### [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md) -#### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md) -##### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md) -##### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md) -#### [Exploit protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md) -##### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md) -##### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md) -##### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md) -##### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md) -###### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) -##### [Memory integrity](windows-defender-exploit-guard\memory-integrity.md) -###### [Requirements for virtualization-based protection of code integrity](windows-defender-exploit-guard\requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) -###### [Enable virtualization-based protection of code integrity](windows-defender-exploit-guard\enable-virtualization-based-protection-of-code-integrity.md) -#### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md) -##### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md) -##### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md) -##### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md) -##### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md) -#### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md) -##### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md) -##### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md) -##### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md) -#### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md) -##### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md) -##### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md) -##### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md) - - - - -### [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md) - - - - - - -### [Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md) -#### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md) -#### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md) -#### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md) -#### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md) -#### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md) +####Troubleshoot attack surface reduction +##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md) +##### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md) + +#### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md) ## [Security intelligence](intelligence/index.md) +### [Understand malware & other threats](intelligence/understanding-malware.md) +#### [Prevent malware infection](intelligence/prevent-malware-infection.md) +#### [Malware names](intelligence/malware-naming.md) +#### [Coin miners](intelligence/coinminer-malware.md) +#### [Exploits and exploit kits](intelligence/exploits-malware.md) +#### [Macro malware](intelligence/macro-malware.md) +#### [Phishing](intelligence/phishing.md) +#### [Ransomware](intelligence/ransomware-malware.md) +#### [Rootkits](intelligence/rootkits-malware.md) +#### [Supply chain attacks](intelligence/supply-chain-malware.md) +#### [Tech support scams](intelligence/support-scams.md) +#### [Trojans](intelligence/trojans-malware.md) +#### [Unwanted software](intelligence/unwanted-software.md) +#### [Worms](intelligence/worms-malware.md) +### [How Microsoft identifies malware and PUA](intelligence/criteria.md) +### [Submit files for analysis](intelligence/submission-guide.md) +### [Safety Scanner download](intelligence/safety-scanner-download.md) +### [Industry collaboration programs](intelligence/cybersecurity-industry-partners.md) +#### [Virus information alliance](intelligence/virus-information-alliance-criteria.md) +#### [Microsoft virus initiative](intelligence/virus-initiative-criteria.md) +#### [Coordinated malware eradication](intelligence/coordinated-malware-eradication.md) +### [Information for developers](intelligence/developer-info.md) +#### [Software developer FAQ](intelligence/developer-faq.md) +#### [Software developer resources](intelligence/developer-resources.md) + +## More Windows 10 security -## Other security features ### [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md) #### [Customize the Windows Security app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md) #### [Hide Windows Security app notifications](windows-defender-security-center/wdsc-hide-notifications.md) -#### [Manage Windows Security app in Windows 10 in S mode](windows-defender-security-center\wdsc-windows-10-in-s-mode.md) +#### [Manage Windows Security app in Windows 10 in S mode](windows-defender-security-center/wdsc-windows-10-in-s-mode.md) #### [Virus and threat protection](windows-defender-security-center/wdsc-virus-threat-protection.md) -#### [Account protection](windows-defender-security-center\wdsc-account-protection.md) -#### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md) -#### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md) -#### [Device security](windows-defender-security-center\wdsc-device-security.md) -#### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md) -#### [Family options](windows-defender-security-center\wdsc-family-options.md) +#### [Account protection](windows-defender-security-center/wdsc-account-protection.md) +#### [Firewall and network protection](windows-defender-security-center/wdsc-firewall-network-protection.md) +#### [App and browser control](windows-defender-security-center/wdsc-app-browser-control.md) +#### [Device security](windows-defender-security-center/wdsc-device-security.md) +#### [Device performance and health](windows-defender-security-center/wdsc-device-performance-health.md) +#### [Family options](windows-defender-security-center/wdsc-family-options.md) -### [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) -#### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md) -#### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md) +### [SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) +#### [SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md) +#### [Set up and use SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md) ### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) @@ -438,7 +489,7 @@ ####### [Event 4733 S: A member was removed from a security-enabled local group.](auditing/event-4733.md) ####### [Event 4734 S: A security-enabled local group was deleted.](auditing/event-4734.md) ####### [Event 4735 S: A security-enabled local group was changed.](auditing/event-4735.md) -####### [Event 4764 S: A group’s type was changed.](auditing/event-4764.md) +####### [Event 4764 S: A group�s type was changed.](auditing/event-4764.md) ####### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing/event-4799.md) ###### [Audit User Account Management](auditing/audit-user-account-management.md) ####### [Event 4720 S: A user account was created.](auditing/event-4720.md) diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index b45cf1d6fb..5fdb1739c0 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md index ba042cd294..00ef9a3f98 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md index d1512606c8..8601d26ede 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing.md +++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md index 9c98ed3fe1..7e40077bc3 100644 --- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md +++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index d772192059..e84f020843 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 07/25/2018 --- diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md index 831cb9ee9c..1e4cf0bc0a 100644 --- a/windows/security/threat-protection/auditing/audit-account-lockout.md +++ b/windows/security/threat-protection/auditing/audit-account-lockout.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 07/16/2018 --- diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md index cd1ac383af..dc4a17983a 100644 --- a/windows/security/threat-protection/auditing/audit-application-generated.md +++ b/windows/security/threat-protection/auditing/audit-application-generated.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md index 3a2fc3505b..54a24aeabd 100644 --- a/windows/security/threat-protection/auditing/audit-application-group-management.md +++ b/windows/security/threat-protection/auditing/audit-application-group-management.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md index b0735ee0ca..1adb598a89 100644 --- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md index 6046ee0176..e09948e6a9 100644 --- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md index 5641c9c572..ec84ce1cdf 100644 --- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md index 024a2259ca..f06923aec9 100644 --- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md +++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md index 9b92554529..db60342744 100644 --- a/windows/security/threat-protection/auditing/audit-certification-services.md +++ b/windows/security/threat-protection/auditing/audit-certification-services.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md index 62a01d3e22..5b3570b704 100644 --- a/windows/security/threat-protection/auditing/audit-computer-account-management.md +++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md index 95709c4776..9f9d0cb8f4 100644 --- a/windows/security/threat-protection/auditing/audit-credential-validation.md +++ b/windows/security/threat-protection/auditing/audit-credential-validation.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md index ffc71c1158..0f25203d5d 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md index 72734d1a85..90ea83f0c5 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md +++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md index e30c56fdb8..76de4e61d1 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md index c454d36c11..d7120d4c5c 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md index db82ae0c8d..3271a1b5fb 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md index 82e9d57a4e..1d9c77ad06 100644 --- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md +++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md index 9b19a0afa1..4b03a1f4a7 100644 --- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md +++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md index caf010e6a3..4501f8e8f7 100644 --- a/windows/security/threat-protection/auditing/audit-file-share.md +++ b/windows/security/threat-protection/auditing/audit-file-share.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md index c7b96db83b..3195fd4e72 100644 --- a/windows/security/threat-protection/auditing/audit-file-system.md +++ b/windows/security/threat-protection/auditing/audit-file-system.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md index ea50e9d98c..9160d63777 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md index 56eb441cdd..15e570608f 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md index f56147cb4c..cd4c887700 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md index d35bf2344b..2c77196a27 100644 --- a/windows/security/threat-protection/auditing/audit-group-membership.md +++ b/windows/security/threat-protection/auditing/audit-group-membership.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md index a6c151bdfa..b0c1442c91 100644 --- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md +++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md index 698d063e78..1907464fec 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md index 40cec9f6a3..41835f6b58 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md index ce0f818a58..af0f1a911e 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md index 38545197ce..3931177329 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md index 89da3df49c..c27b4bdf2d 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md index bab3c845c3..f8827a3cf1 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md index 9fa2b580ab..d61d5386f0 100644 --- a/windows/security/threat-protection/auditing/audit-kernel-object.md +++ b/windows/security/threat-protection/auditing/audit-kernel-object.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md index 9c9b76a014..347351c797 100644 --- a/windows/security/threat-protection/auditing/audit-logoff.md +++ b/windows/security/threat-protection/auditing/audit-logoff.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 07/16/2018 --- diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md index a5e0c95234..e57df86b17 100644 --- a/windows/security/threat-protection/auditing/audit-logon.md +++ b/windows/security/threat-protection/auditing/audit-logon.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md index 3fb772b9df..8d79ebdaaa 100644 --- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md index 11287bd65d..4cd445c0e1 100644 --- a/windows/security/threat-protection/auditing/audit-network-policy-server.md +++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md index 1d4cac3e10..29a2bf062c 100644 --- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md index 522cbbbda0..212599c38d 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md index a4e42c2134..0dada7cc0f 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md index 20c7e57792..d1c84998ab 100644 --- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md +++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md index 7a65861136..a100b7f4f4 100644 --- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md +++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 05/29/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md index caedc86292..3e9078765c 100644 --- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md +++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index 7bbf1b96ea..a494cdd7b4 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md index 66a9f4fa1a..a9e385b322 100644 --- a/windows/security/threat-protection/auditing/audit-other-system-events.md +++ b/windows/security/threat-protection/auditing/audit-other-system-events.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md index 3e7f6054e9..08dd852a74 100644 --- a/windows/security/threat-protection/auditing/audit-pnp-activity.md +++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md index 91ce6e4269..65d9725fb1 100644 --- a/windows/security/threat-protection/auditing/audit-process-creation.md +++ b/windows/security/threat-protection/auditing/audit-process-creation.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md index 26bdfd3335..ff6e0c7eb7 100644 --- a/windows/security/threat-protection/auditing/audit-process-termination.md +++ b/windows/security/threat-protection/auditing/audit-process-termination.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index 89c6e2069e..463a01e1f6 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md index 40a3de6168..d4abe3507f 100644 --- a/windows/security/threat-protection/auditing/audit-removable-storage.md +++ b/windows/security/threat-protection/auditing/audit-removable-storage.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md index 68fe08ab59..a091eac795 100644 --- a/windows/security/threat-protection/auditing/audit-rpc-events.md +++ b/windows/security/threat-protection/auditing/audit-rpc-events.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md index 68cbdf8de2..dc8b55abd1 100644 --- a/windows/security/threat-protection/auditing/audit-sam.md +++ b/windows/security/threat-protection/auditing/audit-sam.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md index 20caac1504..2e14934b51 100644 --- a/windows/security/threat-protection/auditing/audit-security-group-management.md +++ b/windows/security/threat-protection/auditing/audit-security-group-management.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md index 82b7442603..29afe92c74 100644 --- a/windows/security/threat-protection/auditing/audit-security-state-change.md +++ b/windows/security/threat-protection/auditing/audit-security-state-change.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md index dd197405eb..695ee99db2 100644 --- a/windows/security/threat-protection/auditing/audit-security-system-extension.md +++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md index fee5387d6e..d0572e5d91 100644 --- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md index 4e565482ce..318d0c7c8d 100644 --- a/windows/security/threat-protection/auditing/audit-special-logon.md +++ b/windows/security/threat-protection/auditing/audit-special-logon.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md index d1ab5a9287..27548edf0f 100644 --- a/windows/security/threat-protection/auditing/audit-system-integrity.md +++ b/windows/security/threat-protection/auditing/audit-system-integrity.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md index db25e022e7..8c7ee885fc 100644 --- a/windows/security/threat-protection/auditing/audit-user-account-management.md +++ b/windows/security/threat-protection/auditing/audit-user-account-management.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md index d7a6965f65..dbc39068f4 100644 --- a/windows/security/threat-protection/auditing/audit-user-device-claims.md +++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md index fb3376bbfa..94c4b462f1 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index 927836fa61..e1ad77ba01 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md index c8c80ce9d6..c0a52a4dc4 100644 --- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md index 64857a7afb..9f3210eae2 100644 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md index 38bb2e466d..8492b5fb62 100644 --- a/windows/security/threat-protection/auditing/basic-audit-object-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md index 19b0d6e645..9ff920eda5 100644 --- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md index 8aa5da56c9..74c74bd180 100644 --- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md +++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md index af9ea206a6..1282c18871 100644 --- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md +++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md index 06fa199863..2cc15b14cb 100644 --- a/windows/security/threat-protection/auditing/basic-audit-system-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md index 9ad2959a47..31ba69f0e1 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md index 933f85b9dc..6f7578b433 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md index 7fbe7ab069..6b329771a8 100644 --- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md +++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md index ac6f19eefe..13ae345c28 100644 --- a/windows/security/threat-protection/auditing/event-1100.md +++ b/windows/security/threat-protection/auditing/event-1100.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md index 6a067516da..61d48236a0 100644 --- a/windows/security/threat-protection/auditing/event-1102.md +++ b/windows/security/threat-protection/auditing/event-1102.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md index 0a8546990f..d6928796bc 100644 --- a/windows/security/threat-protection/auditing/event-1104.md +++ b/windows/security/threat-protection/auditing/event-1104.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md index a8476fff7b..3fb741e93d 100644 --- a/windows/security/threat-protection/auditing/event-1105.md +++ b/windows/security/threat-protection/auditing/event-1105.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md index 017af286c0..53a761ddd3 100644 --- a/windows/security/threat-protection/auditing/event-1108.md +++ b/windows/security/threat-protection/auditing/event-1108.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md index 1e57fd65bd..40e4b625b8 100644 --- a/windows/security/threat-protection/auditing/event-4608.md +++ b/windows/security/threat-protection/auditing/event-4608.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md index 58520e1319..97ce41dd27 100644 --- a/windows/security/threat-protection/auditing/event-4610.md +++ b/windows/security/threat-protection/auditing/event-4610.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md index 38c317122b..97cefc2edc 100644 --- a/windows/security/threat-protection/auditing/event-4611.md +++ b/windows/security/threat-protection/auditing/event-4611.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md index 10c759d27c..1d0a8fc3ac 100644 --- a/windows/security/threat-protection/auditing/event-4612.md +++ b/windows/security/threat-protection/auditing/event-4612.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md index fca623f333..83b5ae6f58 100644 --- a/windows/security/threat-protection/auditing/event-4614.md +++ b/windows/security/threat-protection/auditing/event-4614.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md index 3b59808bcf..37c253f26f 100644 --- a/windows/security/threat-protection/auditing/event-4615.md +++ b/windows/security/threat-protection/auditing/event-4615.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index 58f6621355..61bcb648f9 100644 --- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md index 7ad5986151..624692202b 100644 --- a/windows/security/threat-protection/auditing/event-4618.md +++ b/windows/security/threat-protection/auditing/event-4618.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md index dfa9094672..b1e1638791 100644 --- a/windows/security/threat-protection/auditing/event-4621.md +++ b/windows/security/threat-protection/auditing/event-4621.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md index 489d82cb44..b8b8d972af 100644 --- a/windows/security/threat-protection/auditing/event-4622.md +++ b/windows/security/threat-protection/auditing/event-4622.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index bb4d0dfde8..8ee6f8a44b 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index a156058e1d..f06d559a05 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md index d127aa0e92..804c229ae3 100644 --- a/windows/security/threat-protection/auditing/event-4626.md +++ b/windows/security/threat-protection/auditing/event-4626.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index 7b5753c8a2..86c34c7909 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md index 4181c69829..9f05521e12 100644 --- a/windows/security/threat-protection/auditing/event-4634.md +++ b/windows/security/threat-protection/auditing/event-4634.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 11/20/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md index f302b30dcb..f3f4af3202 100644 --- a/windows/security/threat-protection/auditing/event-4647.md +++ b/windows/security/threat-protection/auditing/event-4647.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md index c2d202fde2..1614e05097 100644 --- a/windows/security/threat-protection/auditing/event-4648.md +++ b/windows/security/threat-protection/auditing/event-4648.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md index f9e9bf8138..3b378b7682 100644 --- a/windows/security/threat-protection/auditing/event-4649.md +++ b/windows/security/threat-protection/auditing/event-4649.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md index 7410f05971..b009f0d8eb 100644 --- a/windows/security/threat-protection/auditing/event-4656.md +++ b/windows/security/threat-protection/auditing/event-4656.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md index 52063e6430..06375a60e0 100644 --- a/windows/security/threat-protection/auditing/event-4657.md +++ b/windows/security/threat-protection/auditing/event-4657.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md index 49fd39d667..5ceeb9a280 100644 --- a/windows/security/threat-protection/auditing/event-4658.md +++ b/windows/security/threat-protection/auditing/event-4658.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md index 19abcd9404..1d464049d7 100644 --- a/windows/security/threat-protection/auditing/event-4660.md +++ b/windows/security/threat-protection/auditing/event-4660.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md index 2a841eb423..fab58ae85f 100644 --- a/windows/security/threat-protection/auditing/event-4661.md +++ b/windows/security/threat-protection/auditing/event-4661.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md index 76d00d60be..945efabaa8 100644 --- a/windows/security/threat-protection/auditing/event-4662.md +++ b/windows/security/threat-protection/auditing/event-4662.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md index bb6612c203..0896af005f 100644 --- a/windows/security/threat-protection/auditing/event-4663.md +++ b/windows/security/threat-protection/auditing/event-4663.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md index 69474b2b12..23ee991c1a 100644 --- a/windows/security/threat-protection/auditing/event-4664.md +++ b/windows/security/threat-protection/auditing/event-4664.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index 4c4b0f7b46..496c9157ff 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md index bb9b80ab81..e8f42c6afa 100644 --- a/windows/security/threat-protection/auditing/event-4671.md +++ b/windows/security/threat-protection/auditing/event-4671.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index 5cc1a63520..04962bc557 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md index f9573a09ae..8749baa01b 100644 --- a/windows/security/threat-protection/auditing/event-4673.md +++ b/windows/security/threat-protection/auditing/event-4673.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md index bca2e5f52e..58934e4de7 100644 --- a/windows/security/threat-protection/auditing/event-4674.md +++ b/windows/security/threat-protection/auditing/event-4674.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md index 421b82fe4c..f5946c9298 100644 --- a/windows/security/threat-protection/auditing/event-4675.md +++ b/windows/security/threat-protection/auditing/event-4675.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 0b7635c328..eef6cadbee 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md index d7f928b85c..dceac91e41 100644 --- a/windows/security/threat-protection/auditing/event-4689.md +++ b/windows/security/threat-protection/auditing/event-4689.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md index 708ad3f4b2..88b3db7b2f 100644 --- a/windows/security/threat-protection/auditing/event-4690.md +++ b/windows/security/threat-protection/auditing/event-4690.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md index 5a62c9c916..2ccb4ed0a9 100644 --- a/windows/security/threat-protection/auditing/event-4691.md +++ b/windows/security/threat-protection/auditing/event-4691.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md index 81042229eb..e1eaefb348 100644 --- a/windows/security/threat-protection/auditing/event-4692.md +++ b/windows/security/threat-protection/auditing/event-4692.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md index 139eeb2b7b..e9f776d0ca 100644 --- a/windows/security/threat-protection/auditing/event-4693.md +++ b/windows/security/threat-protection/auditing/event-4693.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md index 0818b64f14..b8b2d4fde7 100644 --- a/windows/security/threat-protection/auditing/event-4694.md +++ b/windows/security/threat-protection/auditing/event-4694.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md index 79b6f0de79..5bc050e752 100644 --- a/windows/security/threat-protection/auditing/event-4695.md +++ b/windows/security/threat-protection/auditing/event-4695.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md index 9f33773c45..94e30520f0 100644 --- a/windows/security/threat-protection/auditing/event-4696.md +++ b/windows/security/threat-protection/auditing/event-4696.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md index bf57e86499..608cf4412e 100644 --- a/windows/security/threat-protection/auditing/event-4697.md +++ b/windows/security/threat-protection/auditing/event-4697.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md index b5a3c2eb05..0ea9a8bfcb 100644 --- a/windows/security/threat-protection/auditing/event-4698.md +++ b/windows/security/threat-protection/auditing/event-4698.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md index 43d2d4038a..f4deaf1e26 100644 --- a/windows/security/threat-protection/auditing/event-4699.md +++ b/windows/security/threat-protection/auditing/event-4699.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md index a428e5d220..b6550f63e8 100644 --- a/windows/security/threat-protection/auditing/event-4700.md +++ b/windows/security/threat-protection/auditing/event-4700.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md index 8e7d004bfd..66c0fdbe24 100644 --- a/windows/security/threat-protection/auditing/event-4701.md +++ b/windows/security/threat-protection/auditing/event-4701.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md index f4965a440b..9b344d520b 100644 --- a/windows/security/threat-protection/auditing/event-4702.md +++ b/windows/security/threat-protection/auditing/event-4702.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md index 34dac9b054..3a33b7fb1a 100644 --- a/windows/security/threat-protection/auditing/event-4703.md +++ b/windows/security/threat-protection/auditing/event-4703.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md index e9d8f04685..2f3c13af0b 100644 --- a/windows/security/threat-protection/auditing/event-4704.md +++ b/windows/security/threat-protection/auditing/event-4704.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md index 83bd4b2090..9411db16ba 100644 --- a/windows/security/threat-protection/auditing/event-4705.md +++ b/windows/security/threat-protection/auditing/event-4705.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md index 00f7c4abc7..b0d1108d01 100644 --- a/windows/security/threat-protection/auditing/event-4706.md +++ b/windows/security/threat-protection/auditing/event-4706.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md index ef7889ed6a..85c6887b71 100644 --- a/windows/security/threat-protection/auditing/event-4707.md +++ b/windows/security/threat-protection/auditing/event-4707.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md index b73f98ed27..f8c17d0d23 100644 --- a/windows/security/threat-protection/auditing/event-4713.md +++ b/windows/security/threat-protection/auditing/event-4713.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md index 939496efb7..45e1db3e65 100644 --- a/windows/security/threat-protection/auditing/event-4714.md +++ b/windows/security/threat-protection/auditing/event-4714.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md index 3c44c43d38..31b4ed376d 100644 --- a/windows/security/threat-protection/auditing/event-4715.md +++ b/windows/security/threat-protection/auditing/event-4715.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md index 627e3b0995..6389cea265 100644 --- a/windows/security/threat-protection/auditing/event-4716.md +++ b/windows/security/threat-protection/auditing/event-4716.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md index 586027ec44..4921434446 100644 --- a/windows/security/threat-protection/auditing/event-4717.md +++ b/windows/security/threat-protection/auditing/event-4717.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md index 2717038a73..db47f55f93 100644 --- a/windows/security/threat-protection/auditing/event-4718.md +++ b/windows/security/threat-protection/auditing/event-4718.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md index 1da37f1754..d67898fd2e 100644 --- a/windows/security/threat-protection/auditing/event-4719.md +++ b/windows/security/threat-protection/auditing/event-4719.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md index 8fe04dc1e8..c182112703 100644 --- a/windows/security/threat-protection/auditing/event-4720.md +++ b/windows/security/threat-protection/auditing/event-4720.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md index 8cdab0a747..261f9cb975 100644 --- a/windows/security/threat-protection/auditing/event-4722.md +++ b/windows/security/threat-protection/auditing/event-4722.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4723.md b/windows/security/threat-protection/auditing/event-4723.md index 2d4fc27242..d0bea5eb68 100644 --- a/windows/security/threat-protection/auditing/event-4723.md +++ b/windows/security/threat-protection/auditing/event-4723.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4724.md b/windows/security/threat-protection/auditing/event-4724.md index ccecd029bd..b3913f0cbe 100644 --- a/windows/security/threat-protection/auditing/event-4724.md +++ b/windows/security/threat-protection/auditing/event-4724.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md index d98ecec63c..72a9797d2d 100644 --- a/windows/security/threat-protection/auditing/event-4725.md +++ b/windows/security/threat-protection/auditing/event-4725.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md index 00b157f1a0..b3dfd1467b 100644 --- a/windows/security/threat-protection/auditing/event-4726.md +++ b/windows/security/threat-protection/auditing/event-4726.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4731.md b/windows/security/threat-protection/auditing/event-4731.md index acf70d448c..9f840372e7 100644 --- a/windows/security/threat-protection/auditing/event-4731.md +++ b/windows/security/threat-protection/auditing/event-4731.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md index d7000fb020..b032541291 100644 --- a/windows/security/threat-protection/auditing/event-4732.md +++ b/windows/security/threat-protection/auditing/event-4732.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md index a5b171538f..5803a7a96d 100644 --- a/windows/security/threat-protection/auditing/event-4733.md +++ b/windows/security/threat-protection/auditing/event-4733.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md index cdacfc1a47..336f98cd2d 100644 --- a/windows/security/threat-protection/auditing/event-4734.md +++ b/windows/security/threat-protection/auditing/event-4734.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md index 104f37e498..ea6a0f906b 100644 --- a/windows/security/threat-protection/auditing/event-4735.md +++ b/windows/security/threat-protection/auditing/event-4735.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index 0086eae7fe..6a0c6f7fec 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md index d1a83fc01d..b4ce931ca3 100644 --- a/windows/security/threat-protection/auditing/event-4739.md +++ b/windows/security/threat-protection/auditing/event-4739.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md index 74ca5aa2d4..766edfb035 100644 --- a/windows/security/threat-protection/auditing/event-4740.md +++ b/windows/security/threat-protection/auditing/event-4740.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md index ae5cc3aad8..9fcabb2b06 100644 --- a/windows/security/threat-protection/auditing/event-4741.md +++ b/windows/security/threat-protection/auditing/event-4741.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index 3dbff53ca0..81c06e259a 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md index cf8fe2de93..a6a08ce668 100644 --- a/windows/security/threat-protection/auditing/event-4743.md +++ b/windows/security/threat-protection/auditing/event-4743.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4749.md b/windows/security/threat-protection/auditing/event-4749.md index 6fa7e4ad47..adf348858e 100644 --- a/windows/security/threat-protection/auditing/event-4749.md +++ b/windows/security/threat-protection/auditing/event-4749.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md index 1433514327..c6f9458b13 100644 --- a/windows/security/threat-protection/auditing/event-4750.md +++ b/windows/security/threat-protection/auditing/event-4750.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md index bccd6fcfd1..a54bc67494 100644 --- a/windows/security/threat-protection/auditing/event-4751.md +++ b/windows/security/threat-protection/auditing/event-4751.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md index e8aba8e488..67b6917c57 100644 --- a/windows/security/threat-protection/auditing/event-4752.md +++ b/windows/security/threat-protection/auditing/event-4752.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md index 8723b71531..6f7ea445cc 100644 --- a/windows/security/threat-protection/auditing/event-4753.md +++ b/windows/security/threat-protection/auditing/event-4753.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md index 2d2eccc064..914faaec85 100644 --- a/windows/security/threat-protection/auditing/event-4764.md +++ b/windows/security/threat-protection/auditing/event-4764.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md index 5c9dbc3e45..9930e1add7 100644 --- a/windows/security/threat-protection/auditing/event-4765.md +++ b/windows/security/threat-protection/auditing/event-4765.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4766.md b/windows/security/threat-protection/auditing/event-4766.md index 8d5dcd247b..03e5f98777 100644 --- a/windows/security/threat-protection/auditing/event-4766.md +++ b/windows/security/threat-protection/auditing/event-4766.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md index bbce5d97f8..e9c94bc2b7 100644 --- a/windows/security/threat-protection/auditing/event-4767.md +++ b/windows/security/threat-protection/auditing/event-4767.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md index 142326fd82..dfad68c114 100644 --- a/windows/security/threat-protection/auditing/event-4768.md +++ b/windows/security/threat-protection/auditing/event-4768.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index 9c8f497da1..ddc3fc91bd 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md index cfc91281f1..d1fbaec511 100644 --- a/windows/security/threat-protection/auditing/event-4770.md +++ b/windows/security/threat-protection/auditing/event-4770.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index ebe86ace57..34add04027 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4772.md b/windows/security/threat-protection/auditing/event-4772.md index 612b71e2da..3bb2aa354c 100644 --- a/windows/security/threat-protection/auditing/event-4772.md +++ b/windows/security/threat-protection/auditing/event-4772.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4773.md b/windows/security/threat-protection/auditing/event-4773.md index 1f809ff2f0..8a65a7df8a 100644 --- a/windows/security/threat-protection/auditing/event-4773.md +++ b/windows/security/threat-protection/auditing/event-4773.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md index e8304521fa..65edca2761 100644 --- a/windows/security/threat-protection/auditing/event-4774.md +++ b/windows/security/threat-protection/auditing/event-4774.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4775.md b/windows/security/threat-protection/auditing/event-4775.md index b8e498ff1a..473697a68f 100644 --- a/windows/security/threat-protection/auditing/event-4775.md +++ b/windows/security/threat-protection/auditing/event-4775.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md index 17c5196837..ef04b9a13e 100644 --- a/windows/security/threat-protection/auditing/event-4776.md +++ b/windows/security/threat-protection/auditing/event-4776.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4777.md b/windows/security/threat-protection/auditing/event-4777.md index 17d6d60001..ec54750c71 100644 --- a/windows/security/threat-protection/auditing/event-4777.md +++ b/windows/security/threat-protection/auditing/event-4777.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md index 6b9b0ebb67..caa301af26 100644 --- a/windows/security/threat-protection/auditing/event-4778.md +++ b/windows/security/threat-protection/auditing/event-4778.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md index 27a1850d12..48da89946f 100644 --- a/windows/security/threat-protection/auditing/event-4779.md +++ b/windows/security/threat-protection/auditing/event-4779.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md index ffaeeb0a6f..26d14f55d5 100644 --- a/windows/security/threat-protection/auditing/event-4780.md +++ b/windows/security/threat-protection/auditing/event-4780.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md index 653ccce05c..be9c51ab52 100644 --- a/windows/security/threat-protection/auditing/event-4781.md +++ b/windows/security/threat-protection/auditing/event-4781.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md index 72fb865981..195c2cf4df 100644 --- a/windows/security/threat-protection/auditing/event-4782.md +++ b/windows/security/threat-protection/auditing/event-4782.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md index bcd5b48e69..b0ac045f2f 100644 --- a/windows/security/threat-protection/auditing/event-4793.md +++ b/windows/security/threat-protection/auditing/event-4793.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4794.md b/windows/security/threat-protection/auditing/event-4794.md index 20004e2404..cd85dc1d77 100644 --- a/windows/security/threat-protection/auditing/event-4794.md +++ b/windows/security/threat-protection/auditing/event-4794.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4798.md b/windows/security/threat-protection/auditing/event-4798.md index dfb877c452..c432cb8c08 100644 --- a/windows/security/threat-protection/auditing/event-4798.md +++ b/windows/security/threat-protection/auditing/event-4798.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4799.md b/windows/security/threat-protection/auditing/event-4799.md index 5a93e06782..1f126c2840 100644 --- a/windows/security/threat-protection/auditing/event-4799.md +++ b/windows/security/threat-protection/auditing/event-4799.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md index 36e68e0d64..1d4ef520e5 100644 --- a/windows/security/threat-protection/auditing/event-4800.md +++ b/windows/security/threat-protection/auditing/event-4800.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md index 58137aaf46..7681ec1773 100644 --- a/windows/security/threat-protection/auditing/event-4801.md +++ b/windows/security/threat-protection/auditing/event-4801.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md index 7947029272..f984fd6753 100644 --- a/windows/security/threat-protection/auditing/event-4802.md +++ b/windows/security/threat-protection/auditing/event-4802.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md index f2d01eac46..f857dd4f57 100644 --- a/windows/security/threat-protection/auditing/event-4803.md +++ b/windows/security/threat-protection/auditing/event-4803.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4816.md b/windows/security/threat-protection/auditing/event-4816.md index aff1f0b7b8..1166587fae 100644 --- a/windows/security/threat-protection/auditing/event-4816.md +++ b/windows/security/threat-protection/auditing/event-4816.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md index 90db648c38..ce42488f86 100644 --- a/windows/security/threat-protection/auditing/event-4817.md +++ b/windows/security/threat-protection/auditing/event-4817.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md index 681c20e5ce..147dee2f2b 100644 --- a/windows/security/threat-protection/auditing/event-4818.md +++ b/windows/security/threat-protection/auditing/event-4818.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md index 945ae256a1..6b7f2516b5 100644 --- a/windows/security/threat-protection/auditing/event-4819.md +++ b/windows/security/threat-protection/auditing/event-4819.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md index 02fc2b2dbe..d3a1cf34e3 100644 --- a/windows/security/threat-protection/auditing/event-4826.md +++ b/windows/security/threat-protection/auditing/event-4826.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md index 43d6cf33bb..a4729e4103 100644 --- a/windows/security/threat-protection/auditing/event-4864.md +++ b/windows/security/threat-protection/auditing/event-4864.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4865.md b/windows/security/threat-protection/auditing/event-4865.md index 6594212812..843d1542b6 100644 --- a/windows/security/threat-protection/auditing/event-4865.md +++ b/windows/security/threat-protection/auditing/event-4865.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4866.md b/windows/security/threat-protection/auditing/event-4866.md index 5cf74949cb..bf32d2daa5 100644 --- a/windows/security/threat-protection/auditing/event-4866.md +++ b/windows/security/threat-protection/auditing/event-4866.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4867.md b/windows/security/threat-protection/auditing/event-4867.md index 10367c56b8..cc0c449a75 100644 --- a/windows/security/threat-protection/auditing/event-4867.md +++ b/windows/security/threat-protection/auditing/event-4867.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4902.md b/windows/security/threat-protection/auditing/event-4902.md index c94bd3c5bb..9a59309492 100644 --- a/windows/security/threat-protection/auditing/event-4902.md +++ b/windows/security/threat-protection/auditing/event-4902.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4904.md b/windows/security/threat-protection/auditing/event-4904.md index 4b1b1d10b6..c529ad4a45 100644 --- a/windows/security/threat-protection/auditing/event-4904.md +++ b/windows/security/threat-protection/auditing/event-4904.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4905.md b/windows/security/threat-protection/auditing/event-4905.md index 91c33a149b..5cdb7f8d3c 100644 --- a/windows/security/threat-protection/auditing/event-4905.md +++ b/windows/security/threat-protection/auditing/event-4905.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4906.md b/windows/security/threat-protection/auditing/event-4906.md index 09c93dd96b..7ad2014e0c 100644 --- a/windows/security/threat-protection/auditing/event-4906.md +++ b/windows/security/threat-protection/auditing/event-4906.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md index 6770563571..bd687db23f 100644 --- a/windows/security/threat-protection/auditing/event-4907.md +++ b/windows/security/threat-protection/auditing/event-4907.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md index 1228c676e7..91100cee21 100644 --- a/windows/security/threat-protection/auditing/event-4908.md +++ b/windows/security/threat-protection/auditing/event-4908.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4909.md b/windows/security/threat-protection/auditing/event-4909.md index 256b121950..02c3e26b35 100644 --- a/windows/security/threat-protection/auditing/event-4909.md +++ b/windows/security/threat-protection/auditing/event-4909.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4910.md b/windows/security/threat-protection/auditing/event-4910.md index 42981b3496..fcf06907b2 100644 --- a/windows/security/threat-protection/auditing/event-4910.md +++ b/windows/security/threat-protection/auditing/event-4910.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md index a906f906e4..a613fe1a37 100644 --- a/windows/security/threat-protection/auditing/event-4911.md +++ b/windows/security/threat-protection/auditing/event-4911.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md index a905f4b664..87d587596b 100644 --- a/windows/security/threat-protection/auditing/event-4912.md +++ b/windows/security/threat-protection/auditing/event-4912.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md index 53a5d024c1..8c3d47db80 100644 --- a/windows/security/threat-protection/auditing/event-4913.md +++ b/windows/security/threat-protection/auditing/event-4913.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md index 4c84b51785..615d55926f 100644 --- a/windows/security/threat-protection/auditing/event-4928.md +++ b/windows/security/threat-protection/auditing/event-4928.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md index 540f77ac0f..f1e2e9044a 100644 --- a/windows/security/threat-protection/auditing/event-4929.md +++ b/windows/security/threat-protection/auditing/event-4929.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md index f04e61bab7..7063936812 100644 --- a/windows/security/threat-protection/auditing/event-4930.md +++ b/windows/security/threat-protection/auditing/event-4930.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md index 1ab43a9df6..ef59fb97f9 100644 --- a/windows/security/threat-protection/auditing/event-4931.md +++ b/windows/security/threat-protection/auditing/event-4931.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md index 888d65a13f..40f8fe939a 100644 --- a/windows/security/threat-protection/auditing/event-4932.md +++ b/windows/security/threat-protection/auditing/event-4932.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md index a444061003..f1097f928f 100644 --- a/windows/security/threat-protection/auditing/event-4933.md +++ b/windows/security/threat-protection/auditing/event-4933.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4934.md b/windows/security/threat-protection/auditing/event-4934.md index 7576f09c73..7df893eab6 100644 --- a/windows/security/threat-protection/auditing/event-4934.md +++ b/windows/security/threat-protection/auditing/event-4934.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md index c04cd3c3f6..d29e4f36f5 100644 --- a/windows/security/threat-protection/auditing/event-4935.md +++ b/windows/security/threat-protection/auditing/event-4935.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md index 1a6fe8601e..92b3e6caf5 100644 --- a/windows/security/threat-protection/auditing/event-4936.md +++ b/windows/security/threat-protection/auditing/event-4936.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4937.md b/windows/security/threat-protection/auditing/event-4937.md index 05fcc3a155..2b02731d51 100644 --- a/windows/security/threat-protection/auditing/event-4937.md +++ b/windows/security/threat-protection/auditing/event-4937.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4944.md b/windows/security/threat-protection/auditing/event-4944.md index b1e940a227..b4169b5915 100644 --- a/windows/security/threat-protection/auditing/event-4944.md +++ b/windows/security/threat-protection/auditing/event-4944.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md index e75fd5b89d..c759afa1e6 100644 --- a/windows/security/threat-protection/auditing/event-4945.md +++ b/windows/security/threat-protection/auditing/event-4945.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md index 2ee2573635..9c67d305e2 100644 --- a/windows/security/threat-protection/auditing/event-4946.md +++ b/windows/security/threat-protection/auditing/event-4946.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md index f6e3914c39..bb9a592ca3 100644 --- a/windows/security/threat-protection/auditing/event-4947.md +++ b/windows/security/threat-protection/auditing/event-4947.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md index 75dff8ca6c..2a8a1a7a9a 100644 --- a/windows/security/threat-protection/auditing/event-4948.md +++ b/windows/security/threat-protection/auditing/event-4948.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4949.md b/windows/security/threat-protection/auditing/event-4949.md index 465f4e4f8e..0454afa9ca 100644 --- a/windows/security/threat-protection/auditing/event-4949.md +++ b/windows/security/threat-protection/auditing/event-4949.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md index 34f2003512..fd666fc369 100644 --- a/windows/security/threat-protection/auditing/event-4950.md +++ b/windows/security/threat-protection/auditing/event-4950.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md index 661062f902..a83b9f12c9 100644 --- a/windows/security/threat-protection/auditing/event-4951.md +++ b/windows/security/threat-protection/auditing/event-4951.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md index b1c36d493f..dfa3de4c4f 100644 --- a/windows/security/threat-protection/auditing/event-4952.md +++ b/windows/security/threat-protection/auditing/event-4952.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md index 2c36a9d208..d74e0ac560 100644 --- a/windows/security/threat-protection/auditing/event-4953.md +++ b/windows/security/threat-protection/auditing/event-4953.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4954.md b/windows/security/threat-protection/auditing/event-4954.md index 73484f44b8..91e3c4833d 100644 --- a/windows/security/threat-protection/auditing/event-4954.md +++ b/windows/security/threat-protection/auditing/event-4954.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4956.md b/windows/security/threat-protection/auditing/event-4956.md index b244794b33..2c57e4c683 100644 --- a/windows/security/threat-protection/auditing/event-4956.md +++ b/windows/security/threat-protection/auditing/event-4956.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md index 5b7eb9a592..135f54ed60 100644 --- a/windows/security/threat-protection/auditing/event-4957.md +++ b/windows/security/threat-protection/auditing/event-4957.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md index fa45d31733..e04a7c576b 100644 --- a/windows/security/threat-protection/auditing/event-4958.md +++ b/windows/security/threat-protection/auditing/event-4958.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md index 8e1b38f252..64d80d5bd4 100644 --- a/windows/security/threat-protection/auditing/event-4964.md +++ b/windows/security/threat-protection/auditing/event-4964.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md index da38bc5ac3..b5ae0e52fc 100644 --- a/windows/security/threat-protection/auditing/event-4985.md +++ b/windows/security/threat-protection/auditing/event-4985.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5024.md b/windows/security/threat-protection/auditing/event-5024.md index e669caf386..41b9e70214 100644 --- a/windows/security/threat-protection/auditing/event-5024.md +++ b/windows/security/threat-protection/auditing/event-5024.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5025.md b/windows/security/threat-protection/auditing/event-5025.md index 8771cc7974..1fc4d75d56 100644 --- a/windows/security/threat-protection/auditing/event-5025.md +++ b/windows/security/threat-protection/auditing/event-5025.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md index 491f846ff8..369785a28c 100644 --- a/windows/security/threat-protection/auditing/event-5027.md +++ b/windows/security/threat-protection/auditing/event-5027.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5028.md b/windows/security/threat-protection/auditing/event-5028.md index 6042fef617..426fabfd91 100644 --- a/windows/security/threat-protection/auditing/event-5028.md +++ b/windows/security/threat-protection/auditing/event-5028.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5029.md b/windows/security/threat-protection/auditing/event-5029.md index daf0e0248e..b406c84f14 100644 --- a/windows/security/threat-protection/auditing/event-5029.md +++ b/windows/security/threat-protection/auditing/event-5029.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md index bc11ab187c..48a65fb8f8 100644 --- a/windows/security/threat-protection/auditing/event-5030.md +++ b/windows/security/threat-protection/auditing/event-5030.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md index f19a1c644a..583721a9fe 100644 --- a/windows/security/threat-protection/auditing/event-5031.md +++ b/windows/security/threat-protection/auditing/event-5031.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5032.md b/windows/security/threat-protection/auditing/event-5032.md index 6be54f3206..d15d9f16fa 100644 --- a/windows/security/threat-protection/auditing/event-5032.md +++ b/windows/security/threat-protection/auditing/event-5032.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5033.md b/windows/security/threat-protection/auditing/event-5033.md index 6742336fcb..75109ef8f3 100644 --- a/windows/security/threat-protection/auditing/event-5033.md +++ b/windows/security/threat-protection/auditing/event-5033.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5034.md b/windows/security/threat-protection/auditing/event-5034.md index 896fe4e94c..0ccd247148 100644 --- a/windows/security/threat-protection/auditing/event-5034.md +++ b/windows/security/threat-protection/auditing/event-5034.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5035.md b/windows/security/threat-protection/auditing/event-5035.md index e65b0680cd..175e4aadec 100644 --- a/windows/security/threat-protection/auditing/event-5035.md +++ b/windows/security/threat-protection/auditing/event-5035.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5037.md b/windows/security/threat-protection/auditing/event-5037.md index f05fd3be1c..bf4911fb3e 100644 --- a/windows/security/threat-protection/auditing/event-5037.md +++ b/windows/security/threat-protection/auditing/event-5037.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md index ff00407e6e..3e6b0fb302 100644 --- a/windows/security/threat-protection/auditing/event-5038.md +++ b/windows/security/threat-protection/auditing/event-5038.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md index 49bab43d99..7b1ba2e281 100644 --- a/windows/security/threat-protection/auditing/event-5039.md +++ b/windows/security/threat-protection/auditing/event-5039.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md index cf147f0584..73f82089f2 100644 --- a/windows/security/threat-protection/auditing/event-5051.md +++ b/windows/security/threat-protection/auditing/event-5051.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md index 108eaf241b..be7ee92421 100644 --- a/windows/security/threat-protection/auditing/event-5056.md +++ b/windows/security/threat-protection/auditing/event-5056.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md index 4b26c92088..55f1edb854 100644 --- a/windows/security/threat-protection/auditing/event-5057.md +++ b/windows/security/threat-protection/auditing/event-5057.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md index 50fdab44bf..c0b2c17fe8 100644 --- a/windows/security/threat-protection/auditing/event-5058.md +++ b/windows/security/threat-protection/auditing/event-5058.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md index c723a6e639..cc890b0727 100644 --- a/windows/security/threat-protection/auditing/event-5059.md +++ b/windows/security/threat-protection/auditing/event-5059.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md index 984126866d..be31414e13 100644 --- a/windows/security/threat-protection/auditing/event-5060.md +++ b/windows/security/threat-protection/auditing/event-5060.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md index bf37954b97..cbd18c4c2a 100644 --- a/windows/security/threat-protection/auditing/event-5061.md +++ b/windows/security/threat-protection/auditing/event-5061.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5062.md b/windows/security/threat-protection/auditing/event-5062.md index 47e1402ebb..67b9d5b4e3 100644 --- a/windows/security/threat-protection/auditing/event-5062.md +++ b/windows/security/threat-protection/auditing/event-5062.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md index 54bc56bdc4..b5a82e84e3 100644 --- a/windows/security/threat-protection/auditing/event-5063.md +++ b/windows/security/threat-protection/auditing/event-5063.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md index c4d034a000..5ee606581a 100644 --- a/windows/security/threat-protection/auditing/event-5064.md +++ b/windows/security/threat-protection/auditing/event-5064.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md index 8d81a7604f..ee4fae206d 100644 --- a/windows/security/threat-protection/auditing/event-5065.md +++ b/windows/security/threat-protection/auditing/event-5065.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md index 25b595c19f..c37391a6df 100644 --- a/windows/security/threat-protection/auditing/event-5066.md +++ b/windows/security/threat-protection/auditing/event-5066.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md index d2fc40cdf7..4928e743c7 100644 --- a/windows/security/threat-protection/auditing/event-5067.md +++ b/windows/security/threat-protection/auditing/event-5067.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md index dd27edc08d..45904a6ef7 100644 --- a/windows/security/threat-protection/auditing/event-5068.md +++ b/windows/security/threat-protection/auditing/event-5068.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md index eece0a1b44..6f40c2d61f 100644 --- a/windows/security/threat-protection/auditing/event-5069.md +++ b/windows/security/threat-protection/auditing/event-5069.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md index 14bf2b591e..dde6756a49 100644 --- a/windows/security/threat-protection/auditing/event-5070.md +++ b/windows/security/threat-protection/auditing/event-5070.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md index be3cebc546..ac81516d45 100644 --- a/windows/security/threat-protection/auditing/event-5136.md +++ b/windows/security/threat-protection/auditing/event-5136.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md index 2811ea8260..68e3c16bf6 100644 --- a/windows/security/threat-protection/auditing/event-5137.md +++ b/windows/security/threat-protection/auditing/event-5137.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md index 0b7bc8bdda..8f8025411c 100644 --- a/windows/security/threat-protection/auditing/event-5138.md +++ b/windows/security/threat-protection/auditing/event-5138.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md index ca1dcb8760..b949968635 100644 --- a/windows/security/threat-protection/auditing/event-5139.md +++ b/windows/security/threat-protection/auditing/event-5139.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md index e026048c46..aa0ea5013d 100644 --- a/windows/security/threat-protection/auditing/event-5140.md +++ b/windows/security/threat-protection/auditing/event-5140.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md index 3bba690ce9..d1a8d52a18 100644 --- a/windows/security/threat-protection/auditing/event-5141.md +++ b/windows/security/threat-protection/auditing/event-5141.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md index dade8d91b1..e031fd9dbd 100644 --- a/windows/security/threat-protection/auditing/event-5142.md +++ b/windows/security/threat-protection/auditing/event-5142.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md index 766455cb88..999f6f9f93 100644 --- a/windows/security/threat-protection/auditing/event-5143.md +++ b/windows/security/threat-protection/auditing/event-5143.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md index 1ea7b1be36..905774bf44 100644 --- a/windows/security/threat-protection/auditing/event-5144.md +++ b/windows/security/threat-protection/auditing/event-5144.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md index 756dad0627..ec8421bf74 100644 --- a/windows/security/threat-protection/auditing/event-5145.md +++ b/windows/security/threat-protection/auditing/event-5145.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md index 77116b9355..c4461e26a3 100644 --- a/windows/security/threat-protection/auditing/event-5148.md +++ b/windows/security/threat-protection/auditing/event-5148.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 05/29/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md index 8e64d233fb..08039b5ca0 100644 --- a/windows/security/threat-protection/auditing/event-5149.md +++ b/windows/security/threat-protection/auditing/event-5149.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 05/29/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md index 918be364cf..3afbcf26df 100644 --- a/windows/security/threat-protection/auditing/event-5150.md +++ b/windows/security/threat-protection/auditing/event-5150.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md index d524a4bfcf..4864a283c9 100644 --- a/windows/security/threat-protection/auditing/event-5151.md +++ b/windows/security/threat-protection/auditing/event-5151.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md index 794e03728c..154a62f07a 100644 --- a/windows/security/threat-protection/auditing/event-5152.md +++ b/windows/security/threat-protection/auditing/event-5152.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md index 6a80984c62..ffd21c1282 100644 --- a/windows/security/threat-protection/auditing/event-5153.md +++ b/windows/security/threat-protection/auditing/event-5153.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md index 7bf096f3d4..9dd278c6a8 100644 --- a/windows/security/threat-protection/auditing/event-5154.md +++ b/windows/security/threat-protection/auditing/event-5154.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index b4bf0b06ec..8662e186f2 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md index a9eade92a4..bfeaa865c2 100644 --- a/windows/security/threat-protection/auditing/event-5156.md +++ b/windows/security/threat-protection/auditing/event-5156.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md index 252e41c447..6b91edfeb0 100644 --- a/windows/security/threat-protection/auditing/event-5157.md +++ b/windows/security/threat-protection/auditing/event-5157.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md index b1faa28a26..d3d62462e1 100644 --- a/windows/security/threat-protection/auditing/event-5158.md +++ b/windows/security/threat-protection/auditing/event-5158.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md index 3d4b26fdc0..3fdf553811 100644 --- a/windows/security/threat-protection/auditing/event-5159.md +++ b/windows/security/threat-protection/auditing/event-5159.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md index 8905c824d3..46f401b3a0 100644 --- a/windows/security/threat-protection/auditing/event-5168.md +++ b/windows/security/threat-protection/auditing/event-5168.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md index 9759e6d0c2..40919244b6 100644 --- a/windows/security/threat-protection/auditing/event-5376.md +++ b/windows/security/threat-protection/auditing/event-5376.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md index 5d2a1709d1..c55060acff 100644 --- a/windows/security/threat-protection/auditing/event-5377.md +++ b/windows/security/threat-protection/auditing/event-5377.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md index 3bd452b0c4..47e308e4b7 100644 --- a/windows/security/threat-protection/auditing/event-5378.md +++ b/windows/security/threat-protection/auditing/event-5378.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md index 73a1f15abe..d946f5bf63 100644 --- a/windows/security/threat-protection/auditing/event-5447.md +++ b/windows/security/threat-protection/auditing/event-5447.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md index 29bdb8e39c..b84d151c2d 100644 --- a/windows/security/threat-protection/auditing/event-5632.md +++ b/windows/security/threat-protection/auditing/event-5632.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md index 21fabc1686..7984ff5428 100644 --- a/windows/security/threat-protection/auditing/event-5633.md +++ b/windows/security/threat-protection/auditing/event-5633.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md index 65544e2603..0588eb54be 100644 --- a/windows/security/threat-protection/auditing/event-5712.md +++ b/windows/security/threat-protection/auditing/event-5712.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md index 0a962eb85a..28a9434761 100644 --- a/windows/security/threat-protection/auditing/event-5888.md +++ b/windows/security/threat-protection/auditing/event-5888.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md index c17e01b947..180114aff2 100644 --- a/windows/security/threat-protection/auditing/event-5889.md +++ b/windows/security/threat-protection/auditing/event-5889.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md index fa696c09b1..c9dcc8b7e8 100644 --- a/windows/security/threat-protection/auditing/event-5890.md +++ b/windows/security/threat-protection/auditing/event-5890.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md index 1b7b6cbe26..6001c97965 100644 --- a/windows/security/threat-protection/auditing/event-6144.md +++ b/windows/security/threat-protection/auditing/event-6144.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md index 5dd2b3ca8b..0c7df89384 100644 --- a/windows/security/threat-protection/auditing/event-6145.md +++ b/windows/security/threat-protection/auditing/event-6145.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md index aedaab33bb..91740aeefb 100644 --- a/windows/security/threat-protection/auditing/event-6281.md +++ b/windows/security/threat-protection/auditing/event-6281.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md index cfb77f2b3a..8846fca660 100644 --- a/windows/security/threat-protection/auditing/event-6400.md +++ b/windows/security/threat-protection/auditing/event-6400.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md index 3d2cdad2e8..eb91491cd0 100644 --- a/windows/security/threat-protection/auditing/event-6401.md +++ b/windows/security/threat-protection/auditing/event-6401.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md index 25ab43c57a..4a1a25539a 100644 --- a/windows/security/threat-protection/auditing/event-6402.md +++ b/windows/security/threat-protection/auditing/event-6402.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md index dc6488418a..28eef92c52 100644 --- a/windows/security/threat-protection/auditing/event-6403.md +++ b/windows/security/threat-protection/auditing/event-6403.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md index 8b687e9d61..2a7e910540 100644 --- a/windows/security/threat-protection/auditing/event-6404.md +++ b/windows/security/threat-protection/auditing/event-6404.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md index 7fc02c9412..7fc3ad0806 100644 --- a/windows/security/threat-protection/auditing/event-6405.md +++ b/windows/security/threat-protection/auditing/event-6405.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md index 1dcb6e90d7..8d55408ad9 100644 --- a/windows/security/threat-protection/auditing/event-6406.md +++ b/windows/security/threat-protection/auditing/event-6406.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md index 1317d12b70..ba34e7a26e 100644 --- a/windows/security/threat-protection/auditing/event-6407.md +++ b/windows/security/threat-protection/auditing/event-6407.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md index 682546cef4..1f54ca83b1 100644 --- a/windows/security/threat-protection/auditing/event-6408.md +++ b/windows/security/threat-protection/auditing/event-6408.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md index 133b879966..b5e0e99e03 100644 --- a/windows/security/threat-protection/auditing/event-6409.md +++ b/windows/security/threat-protection/auditing/event-6409.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md index 7cd9614b30..f1c92358f7 100644 --- a/windows/security/threat-protection/auditing/event-6410.md +++ b/windows/security/threat-protection/auditing/event-6410.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md index 3fcc8e37dd..812286011b 100644 --- a/windows/security/threat-protection/auditing/event-6416.md +++ b/windows/security/threat-protection/auditing/event-6416.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md index d185fb6e2c..b2f31d721b 100644 --- a/windows/security/threat-protection/auditing/event-6419.md +++ b/windows/security/threat-protection/auditing/event-6419.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md index 3c7d9aafa9..da80a07bdc 100644 --- a/windows/security/threat-protection/auditing/event-6420.md +++ b/windows/security/threat-protection/auditing/event-6420.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md index e82d2c1cce..0b09ff7dee 100644 --- a/windows/security/threat-protection/auditing/event-6421.md +++ b/windows/security/threat-protection/auditing/event-6421.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md index bbd690551c..42d91b1f65 100644 --- a/windows/security/threat-protection/auditing/event-6422.md +++ b/windows/security/threat-protection/auditing/event-6422.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md index 6e9a3a1f54..e3eb81e79d 100644 --- a/windows/security/threat-protection/auditing/event-6423.md +++ b/windows/security/threat-protection/auditing/event-6423.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md index 3afa0bee64..a4ef6c15e8 100644 --- a/windows/security/threat-protection/auditing/event-6424.md +++ b/windows/security/threat-protection/auditing/event-6424.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md index d83ec4b427..7964ac323a 100644 --- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md index be5a2ae9c8..439c9c1b3f 100644 --- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md index aeb23a691f..7aeb903d71 100644 --- a/windows/security/threat-protection/auditing/monitor-claim-types.md +++ b/windows/security/threat-protection/auditing/monitor-claim-types.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md index bec3b82cbc..c99548b8fd 100644 --- a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md index 36e3b8b71d..a6c28921e2 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md index 62aafeaa91..51df126e27 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md index 65cfde2dab..94d8efbfe0 100644 --- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index a2ce772425..27794f5009 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md index 26240f4f07..3f49698848 100644 --- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md +++ b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md @@ -6,8 +6,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft - ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/other-events.md b/windows/security/threat-protection/auditing/other-events.md index d67be8eaff..903d0ff8b6 100644 --- a/windows/security/threat-protection/auditing/other-events.md +++ b/windows/security/threat-protection/auditing/other-events.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md index 14b3b66408..8dee2ff70e 100644 --- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md index 175aee073f..ae9bb6e67a 100644 --- a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md index 2ee5032e3b..8c5ba869ef 100644 --- a/windows/security/threat-protection/auditing/security-auditing-overview.md +++ b/windows/security/threat-protection/auditing/security-auditing-overview.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md index 680a563621..f71f318cd8 100644 --- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md +++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md index d491761c2a..5669c302b9 100644 --- a/windows/security/threat-protection/auditing/view-the-security-event-log.md +++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md index 0c5a957bec..8b97c1b72b 100644 --- a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md +++ b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/change-history-for-threat-protection.md b/windows/security/threat-protection/change-history-for-threat-protection.md index 79880c8d9b..dfa28ec177 100644 --- a/windows/security/threat-protection/change-history-for-threat-protection.md +++ b/windows/security/threat-protection/change-history-for-threat-protection.md @@ -1,81 +1,21 @@ --- -title: Change history for threat protection (Windows 10) -description: This topic lists new and updated topics in the Windows 10 threat protection documentation for Windows 10 and Windows 10 Mobile. +title: Change history for Windows Defender Advanced Threat Protection (Windows Defender ATP) +description: This topic lists new and updated topics in the WWindows Defender ATP content set. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 10/31/2017 +ms.date: 08/11/2018 +ms.localizationpriority: medium --- # Change history for threat protection -This topic lists new and updated topics in the [Threat protection](index.md) documentation. +This topic lists new and updated topics in the [Windows Defender ATP](windows-defender-atp/windows-defender-advanced-threat-protection.md) documentation. -## February 2018 +## August 2018 New or changed topic | Description ---------------------|------------ -[Security Compliance Toolkit](security-compliance-toolkit-10.md) | Added Office 2016 Security Baseline. -[Audit security group management](auditing/audit-security-group-management.md)| Added recommendation to audit Failure events. +[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md) | Reorganized Windows 10 security topics to reflect the Windows Defender ATP platform. -## January 2018 -|New or changed topic |Description | -|---------------------|------------| -|[Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)|New topic. WDAC replaces cofigurable code integrity policies. | - -## November 2017 -|New or changed topic |Description | -|---------------------|------------| -| [How to enable virtualization-based protection of code integrity](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)| New. Explains how to enable HVCI. | - - -## October 2017 -|New or changed topic |Description | -|---------------------|------------| -|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md)|Added auto-recovery section. -|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md)|New topic for MAM using the Azure portal.| -| [TPM fundamentals](/windows/security/hardware-protection/tpm/tpm-fundamentals.md)
[BitLocker Group Policy settings](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md) | Explained the change to allow reducing the maximum PIN length from 6 characters to 4. | -| [Windows security baselines](windows-security-baselines.md) | New. Security baselines added for Windows 10, versions 1703 and 1709. | -| [Security Compliance Toolkit](security-compliance-toolkit-10.md) | New. Includes a link to tools for managing security baselines. | -| [Get support for security baselines](get-support-for-security-baselines.md) | New. Explains supported versions for security baselines and other support questions. | - -## August 2017 -|New or changed topic |Description | -|---------------------|------------| -| [BitLocker: Management recommendations for enterprises](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. | -| [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md) | Revised description | - - -## July 2017 -|New or changed topic |Description | -|---------------------|------------| -| [How Windows 10 uses the Trusted Platform Module](/windows/security/hardware-protection/tpm/how-windows-uses-the-tpm.md) | New TPM security topic. | - - -## June 2017 -|New or changed topic |Description | -|---------------------|------------| -|[Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](\windows\security\information-protection\windows-information-protection\create-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| -|[Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](\windows\security\information-protection\windows-information-protection\deploy-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| -|[Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](\windows\security\information-protection\windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| -|[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](\windows\security\information-protection\windows-information-protection\enlightened-microsoft-apps-and-wip.md)|Updated to include newly enlightened and supported apps.| -|[Secure the Windows 10 boot process](/windows/security/hardware-protection/secure-the-windows-10-boot-process.md)| Updated from existing applicable and relevant Windows 8.1 content | - -## May 2017 -|New or changed topic |Description | -|---------------------|------------| -| [BitLocker Group Policy settings](/windows/security//information-protection/bitlocker/bitlocker-group-policy-settings.md) | Changed startup PIN minimun length from 4 to 6. | -| [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md) | New security policy setting. | - - -## March 2017 -|New or changed topic |Description | -|---------------------|------------| -|[How to collect Windows Information Protection (WIP) audit event logs](/windows/security//information-protection/windows-information-protection/collect-wip-audit-event-logs.md) |New | -|[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](/windows/security//information-protection/windows-information-protection/mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. | -|[Limitations while using Windows Information Protection (WIP)](/windows/security//information-protection/windows-information-protection/limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703.| -|[Windows Defender SmartScreen overview](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)|New | -|[Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)|New | -|[Use Windows Defender Security Center to set Windows Defender SmartScreen for individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)|New | -|[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. Explains how mitigations in the Enhanced Mitigation Experience Toolkit (EMET) relate to those in Windows 10. | diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md index 805eeff313..b56a7a46b9 100644 --- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md @@ -1,42 +1,42 @@ --- -title: Device Guard is the combination of Windows Defender Application Control and Virtualization-based security (Windows 10) +title: Device Guard is the combination of Windows Defender Application Control and virtualization-based protection of code integrity (Windows 10) description: Device Guard consists of both hardware and software system integrity hardening capabilites that can be deployed separately or in combination. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium author: mdsakibMSFT -ms.date: 08/23/2018 +ms.date: 09/07/2018 --- -# Device Guard: Windows Defender Application Control Configurable Code Integrity and Virtualization-based security +# Device Guard: Windows Defender Application Control and virtualization-based protection of code integrity **Applies to** - Windows 10 - Windows Server 2016 -Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity (CI), while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI). +Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI). -Configurable CI and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices. Starting with the Windows 10 Anniversary Update (1607), this combined "configuration state" of Configurable CI and HVCI has been referred to as Windows Defender Device Guard. +Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices. This combined "configuration state" of configurable code integrity and HVCI has been referred to as Windows Defender Device Guard. -Using Configurable CI to restrict devices to only autherized apps has these advantages over other solutions: +Using configurable code integrity to restrict devices to only authorized apps has these advantages over other solutions: -1. Configurable CI policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run. -2. Configurable CI allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows. -3. Customers can protect the configurable CI policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privledge, or malicious software that managed to gain administrative privilege, to alter the application control policy. -4. The entire configurable CI enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable CI or any other application control solution. +1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run. +2. Configurable code integrity allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows. +3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privledge, or malicious software that managed to gain administrative privilege, to alter the application control policy. +4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution. ## (Re-)Introducing Windows Defender Application Control -When we originally designed the configuration state that we have referred to as Windows Defender Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between the two main OS features of the Device Guard configuration, configurable CI and HVCI, we intentionally focused our discussion around the Device Guard lockdown state you achieve when deploying them together. +When we originally designed the configuration state that we have referred to as Windows Defender Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between the two main OS features of the Device Guard configuration, configurable code integrity and HVCI, we intentionally focused our discussion around the Device Guard lockdown state you achieve when deploying them together. However, the use of the term Device Guard to describe this configuration state has unintentionally left an impression for many IT professionals that the two features were inexorably linked and could not be deployed separately. Additionally, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. -As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable CI either. -But configurable CI carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability. +As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either. +But configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability. -Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable CI as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control). +Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control). We hope this change will help us better communicate options for adopting application control within an organization. Does this mean Windows Defender Device Guard configuration state is going away? Not at all. The term Device Guard will continue to be used as a way to describe the fully locked down state achieved through the use of Windows Defender Application Control (WDAC), HVCI, and hardware and firmware security features. It also allows us to work with our OEM partners to identify specifications for devices that are “Device Guard capable” so that our joint customers can easily purchase devices that meet all of the hardware and firmware requirements of the original "Device Guard" locked down scenario for Windows 10 based devices. diff --git a/windows/security/threat-protection/images/AH_icon.png b/windows/security/threat-protection/images/AH_icon.png new file mode 100644 index 0000000000..ff9c97c86e Binary files /dev/null and b/windows/security/threat-protection/images/AH_icon.png differ diff --git a/windows/security/threat-protection/images/AR_icon.png b/windows/security/threat-protection/images/AR_icon.png new file mode 100644 index 0000000000..887498f7bc Binary files /dev/null and b/windows/security/threat-protection/images/AR_icon.png differ diff --git a/windows/security/threat-protection/images/ASR_icon.png b/windows/security/threat-protection/images/ASR_icon.png new file mode 100644 index 0000000000..28b5b3156f Binary files /dev/null and b/windows/security/threat-protection/images/ASR_icon.png differ diff --git a/windows/security/threat-protection/images/EDR_icon.png b/windows/security/threat-protection/images/EDR_icon.png new file mode 100644 index 0000000000..7e6df62bdf Binary files /dev/null and b/windows/security/threat-protection/images/EDR_icon.png differ diff --git a/windows/security/threat-protection/images/NGP_icon.png b/windows/security/threat-protection/images/NGP_icon.png new file mode 100644 index 0000000000..df1b70e041 Binary files /dev/null and b/windows/security/threat-protection/images/NGP_icon.png differ diff --git a/windows/security/threat-protection/images/SS_icon.png b/windows/security/threat-protection/images/SS_icon.png new file mode 100644 index 0000000000..95908405ce Binary files /dev/null and b/windows/security/threat-protection/images/SS_icon.png differ diff --git a/windows/security/threat-protection/images/wdatp-pillars2.png b/windows/security/threat-protection/images/wdatp-pillars2.png index 60725244e5..8a67d190b7 100644 Binary files a/windows/security/threat-protection/images/wdatp-pillars2.png and b/windows/security/threat-protection/images/wdatp-pillars2.png differ diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index b589ac9a69..ba15937384 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,35 +1,131 @@ --- title: Threat Protection (Windows 10) -description: Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile. +description: Learn how Windows Defender ATP helps protect against threats. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: brianlic-msft -ms.date: 02/05/2018 +ms.localizationpriority: high +author: dansimp +ms.date: 09/03/2018 --- # Threat Protection Windows Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture. -![Windows Defender ATP components](images/wdatp-pillars2.png) + + + + + + + + + + + + + + + +

Attack surface reduction

Next generation protection

Endpoint detection and response

Automated investigation and remediation

Secure score

Advanced hunting
+
Management and APIs
Microsoft threat protection
+
-The following capabilities are available across multiple products that make up the Windows Defender ATP platform. + + **Attack surface reduction**
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. +- [Hardware based isolation](windows-defender-atp/overview-hardware-based-isolation.md) +- [Application control](windows-defender-application-control/windows-defender-application-control.md) +- [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md) +- [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md) +- [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md) +- [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) +- [Attack surface reduction controls](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) + + + **Next generation protection**
To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. +- [Windows Defender Antivirus](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) +- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md) + + + + **Endpoint protection and response**
+ Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. -**Auto investigation and remediation**
+- [Alerts](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) +- [Historical endpoint data](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) +- [Response orchestration](windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md) +- [Forensic collection](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) +- [Threat intelligence](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +- [Advanced detonation and analysis service](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) + + + +**Automated investigation and remediation**
In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. -**Security posture**
-Windows Defender ATP provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network. +- [Automated investigation and remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md) +- [Threat remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md#how-threats-are-remediated) +- [Manage automated investigations](windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md) +- [Analyze automated investigation](windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md#analyze-automated-investigations) + + + +**Secure score**
+ +Windows Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. +- [Asset inventory](windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md) +- [Recommended improvement actions](windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md) +- [Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md) +- [Threat analytics](windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) + + + +**Advanced hunting**
+Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in your organization. + +- [Custom detection](windows-defender-atp/overview-custom-detections.md) +- [Realtime and historical hunting](windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md) + + + +**Management and APIs**
+Integrate Windows Defender Advanced Threat Protection into your existing workflows. +- [Onboarding](windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md) +- [API and SIEM integration](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) +- [Exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md) +- [Role-based access control (RBAC)](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md) +- [Reporting and trends](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md) + + + +**Microsoft threat protection**
+Bring the power of Microsoft threat protection to your organization. +- [Conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md) +- [O365 ATP](windows-defender-atp/threat-protection-integration.md) +- [Azure ATP](windows-defender-atp/threat-protection-integration.md) +- [Azure Security Center](windows-defender-atp/threat-protection-integration.md) +- [Skype for Business](windows-defender-atp/threat-protection-integration.md) +- [Microsoft Cloud App Security](windows-defender-atp/microsoft-cloud-app-security-integration.md) + + + + + + + + + diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md index 908368bb4b..ab053f956f 100644 --- a/windows/security/threat-protection/intelligence/criteria.md +++ b/windows/security/threat-protection/intelligence/criteria.md @@ -155,7 +155,7 @@ Our PUA protection aims to safeguard user productivity and ensure enjoyable Wind Microsoft uses specific categories and the category definitions to classify software as a PUA. -* **Browser advertising software:** Software that displays advertisements or promotions, or prompts the user to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages. +* **Advertising software:** Software that displays advertisements or promotions, or prompts the user to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages. * **Torrent software:** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies. diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md index 662286f60b..e984e5abab 100644 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md @@ -1,6 +1,6 @@ --- title: Top scoring in industry antivirus tests -description: Industry antivirus tests landing page +description: Windows Defender Antivirus consistently achieves high scores in independent tests. View the latest scores and analysis. keywords: security, malware, av-comparatives, av-test, av, antivirus ms.prod: w10 ms.mktglfcycl: secure @@ -8,16 +8,16 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/17/2018 +ms.date: 09/05/2018 --- # Top scoring in industry antivirus tests -[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) **consistently achieves high scores** from independent tests, displaying how it is a top choice in the antivirus market. +[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) **consistently achieves high scores** in independent tests, displaying how it is a top choice in the antivirus market. We want to be transparent and have gathered top industry reports that demonstrate our enterprise antivirus capabilities. Note that these tests only provide results for antivirus and do not test for additional security protections. -In the real world, millions of devices are protected from cyberattacks every day, sometimes [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). In many cases, customers might not even know they were protected. That's because Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) detects and stops malware at first sight by using predictive technologies, [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies. +In the real world, millions of devices are protected from cyberattacks every day, sometimes [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). Windows Defender AV is part of the [next generation](https://www.youtube.com/watch?v=Xy3MOxkX_o4) Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) security stack which addresses the latest and most sophisticated threats today. In many cases, customers might not even know they were protected. That's because Windows Defender AV detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies. > [!TIP] > Learn why [Windows Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise?ocid=cx-docs-avreports). @@ -27,24 +27,20 @@ In the real world, millions of devices are protected from cyberattacks every day ## AV-TEST: Perfect protection score of 6.0/6.0 in the latest test -**[Analysis of the latest AV-TEST results](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports)** -The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the protection category which has two scores: real world testing and the AV-TEST reference set (known as "prevalent malware"). +The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware"). -**Real-World testing** as defined by AV-TEST attempts to test protection against zero-day malware attacks, inclusive of web and email threats. +### May-June 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) **Latest** -**Prevalent malware** as defined by AV-TEST attempts to test detection of widespread and prevalent malware discovered in the last four weeks. + Windows Defender AV achieved an overall Protection score of 6.0/6.0, detecting 100% of 5,790 malware samples. With the latest results, Windows Defender AV has achieved 100% on 10 of the 12 most recent antivirus tests (combined "Real-World" and "Prevalent malware"). -The below scores are the results of AV-TEST's evaluations on **Windows Defender Antivirus**. +### March-April 2018 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) -|Month (2018)|Real-World test score| Prevalent malware test score | AV-TEST report| Microsoft analysis| -|---|---|---|---|---| -|January| 100.00%| 99.92%| [Report (Jan-Feb)](https://www.av-test.org/en/antivirus/home-windows/windows-7/february-2018/kaspersky-lab-internet-security-18.0-180557/)| [Analysis (Jan-Feb)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports)| -|February| 100.00% | 100.00%|[Report (Jan-Feb)](https://www.av-test.org/en/antivirus/home-windows/windows-7/february-2018/kaspersky-lab-internet-security-18.0-180557/)| [Analysis (Jan-Feb)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports)| -March |98.00%| 100.00%|[Report (Mar-Apr)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/)|[Analysis (Mar-Apr)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports)| -April|100.00%| 100.00%|[Report (Mar-Apr)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/)|[Analysis (Mar-Apr)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports)| -May|100.00%| 100.00%| [Report (May-Jun)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) |[Analysis (May-Jun)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) **Latest**| -June|100.00%| 100.00%| [Report (May-Jun)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/)|[Analysis (May-Jun)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) **Latest**| + Windows Defender AV achieved an overall Protection score of 5.5/6.0, missing 2 out of 5,680 malware samples (0.035% miss rate). + +### January-February 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2018/microsoft-windows-defender-antivirus-4.12-180674/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports) + +Windows Defender AV achieved an overall Protection score of 6.0/6.0, with 5,105 malware samples tested. ||| |---|---| @@ -57,33 +53,26 @@ June|100.00%| 100.00%| [Report (May-Jun)](https://www.av-test.org/en/antivirus/b AV-Comparatives is an independent organization offering systematic testing for security software such as PC/Mac-based antivirus products and mobile security solutions. -The **Real-World Protection Test (Enterprise)** as defined by AV-Comparatives attempts to evaluate the “real-world” protection capabilities with default settings. The goal is to find out whether the security software protects the computer by either hindering the malware from changing any systems or remediating all changes if any were made. +### Real-World Protection Test July (Consumer): [Protection Rate 100%](https://www.av-comparatives.org/tests/real-world-protection-test-july-2018-factsheet/) **Latest** -The **Malware Protection Test Enterprise** as defined by AV-Comparatives attempts to assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. It is only tested every six months. +The results are based on testing against 186 malicious URLs that have working exploits or point directly to malware. -The below scores are the results of AV-Comparatives tests on **Windows Defender Antivirus**. The scores represent the percentage of blocked malware. +### Real-World Protection Test March - June (Enterprise): [Protection Rate 98.7%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-march-june-2018-testresult/) -|Month (2018)| Real-World test score| Malware test score (every 6 months)| -|---|---|---| -|February| 100.00%| N/A| -|March| 94.40%| 99.90%| -|April| 96.40%| N/A| -|May| 100.00%| N/A| -|June| 99.50%| N/A| -|July| 100.00%| N/A| +This test, as defined by AV-Comparatives, attempts to assess the effectiveness of each security program to protect a computer against active malware threats while online. -* [Real-World Protection Test (Enterprise) February - June 2018](https://www.av-comparatives.org/tests/real-world-protection-test-february-june-2018/) +### Malware Protection Test March 2018 (Enterprise): [Protection Rate 99.9%](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-march-2018-testresult/) -* [Malware Protection Test Enterprise March 2018](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-march-2018-testresult/) +This test, as defined by AV-Comparatives, attempts to assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. -* [Real-World Protection Test (Enterprise) July 2018](https://www.av-comparatives.org/tests/real-world-protection-test-july-2018-factsheet/) **Latest** +[Historical AV-Comparatives Microsoft tests](https://www.av-comparatives.org/vendors/microsoft/) ## To what extent are tests representative of protection in the real world? -It is important to remember that Microsoft sees a wider and broader set of threats beyond just what’s tested in the AV evaluations highlighted above. The capabilities within [Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports) also provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into AV tests. Using these tests, customer can view one aspect of their security suite but can't assess the complete protection of all the security features. +It is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the antivirus evaluations highlighted above. Windows Defender AV encounters ~200 million samples every month, and the typical antivirus test consists of between 100-5,000 samples. The vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats. -There are other technologies in nearly every endpoint security suite not represented in AV tests that address some of the latest and most sophisticated threats. For example, the capabilities such as attack surface reduction and endpoint detection & response help prevent malware from getting onto devices in the first place. +The capabilities within [Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports) also provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests. These technologies address some of the latest and most sophisticated threats. Isolating AV from the rest of Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that Windows Defender ATP components [catch samples that Windows Defender AV missed](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) in these industry tests, which is more representative of how effectively our security suite protects customers in the real world. -Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/windowsforbusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports). +Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/windowsforbusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports). ![ATP](./images/wdatp-pillars2.png) diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md index e786911e28..18ed7cdaff 100644 --- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md +++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.pagetype: security ms.sitesec: library ms.date: 04/19/2017 +ms.localizationpriority: medium --- diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 6c5e5a372b..6095365e62 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -10,6 +10,7 @@ ms.pagetype: security, devices author: arnaudjumelet ms.date: 10/13/2017 +ms.localizationpriority: medium --- # Control the health of Windows 10-based devices diff --git a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md index 57d0ce525d..c8c5edd48a 100644 --- a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md +++ b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md index adc562d497..00f750f49c 100644 --- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md index 7da0245da9..c86030f41b 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md index 16a6c63d06..b85e285e97 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index 73c16a319d..1023c1e03f 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/account-policies.md b/windows/security/threat-protection/security-policy-settings/account-policies.md index 28bda81eec..6108d6b607 100644 --- a/windows/security/threat-protection/security-policy-settings/account-policies.md +++ b/windows/security/threat-protection/security-policy-settings/account-policies.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md index 9328293eb5..69c08ad276 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/01/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md index 8a75825556..8a72fe5f92 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/10/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md index 6025b06bc7..7f99611e70 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md index a46b765862..be82562767 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md index a37109ddc4..ddb53a6141 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md index e4c76cf159..a40ed288a9 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md index 9703104c06..13a891b6a7 100644 --- a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md +++ b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md index a784ec1b27..723fd057b5 100644 --- a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md +++ b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md index 19363b3e59..b84c11a4b2 100644 --- a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md +++ b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md index 0343105c0d..ef91abb02b 100644 --- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md index bb487621e3..6b377b9dfa 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md index f03676f04f..f2aff6558e 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md index edf83067c0..63c0113000 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md index 88fb383f82..32b6e39da1 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md index 1bf9663ec0..321a577f5e 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md +++ b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/audit-policy.md b/windows/security/threat-protection/security-policy-settings/audit-policy.md index 9dedcad594..e0330e6edf 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-policy.md +++ b/windows/security/threat-protection/security-policy-settings/audit-policy.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index fd3dfb48ce..5b63d093b8 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md index e35bdba108..5c444a35f5 100644 --- a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md +++ b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md index 27869c656f..142040f18f 100644 --- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md +++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md index 6d8bbb9216..4536e9d634 100644 --- a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md +++ b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md index 3ea2370308..c9d0ba95b7 100644 --- a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md +++ b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md index 6970d1da6a..f1bfda3737 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md index d8fb3590da..f19009955d 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md index b8a4c7c248..f89ff1f37f 100644 --- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md index e934ed4cd0..4cff161fe5 100644 --- a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md index 25890fd436..73ae7b6fc0 100644 --- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md +++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index f59c6c8bcd..f8daf37229 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index 1fb8892b80..e88c9397bb 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -6,8 +6,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft - ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/debug-programs.md b/windows/security/threat-protection/security-policy-settings/debug-programs.md index 2859c4bbe7..5bd7b3951b 100644 --- a/windows/security/threat-protection/security-policy-settings/debug-programs.md +++ b/windows/security/threat-protection/security-policy-settings/debug-programs.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md index 7f442354a9..659f95a2b8 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md index de37314441..8d227032ee 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md index ed2f25dd74..156963e0e5 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md index 66f3796a26..8db35c7d85 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md index b04d06b392..092ab076ff 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md index 9ec5cd6013..88275821af 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md index 0fb15e5558..4994799f27 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md index 2f97023f61..e41c0c5067 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md index 23b2d882a6..b15160364d 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md index c3738380c8..2a3bb79a6f 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md index 7d02b9d124..66bdcc3368 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md index 2528f5af05..f138f45684 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md index 6dd76544ba..f6e9ee94a1 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md index 8a661f02cc..4f45c4dc2d 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md index c1502c4e4a..70d087e8d7 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md index e9fb1c3dc5..4ca8bd53b8 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md index c6a7699292..e54ec081e3 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index c9cb9862fb..78d2942171 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 05/31/2018 --- diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md index 16f9f08ed7..a07c07bfbc 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md index 42a984338a..8f0fbcb870 100644 --- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md +++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md index de7e1af7ba..085a3a3c54 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md index e01fcbf962..5b79cc17d6 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md index 29afe2f595..07d249dcd0 100644 --- a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md +++ b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md index 6f88087bae..b74521a317 100644 --- a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md index 17b8bfcec6..7653e023d7 100644 --- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md @@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md index 31ab10b629..e07c18c86d 100644 --- a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md index 34706bd79f..7ce527ad66 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md +++ b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md index 871e2e7d7f..1ae321bd87 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md +++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 07/13/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md index 5e261b7a79..897e2f2549 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md index 30ac4426eb..e3afc8ee01 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md @@ -5,6 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md index a0e2d4207d..e39fec421b 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md index cf495671ea..dd30bc56ba 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md index b2dfa5f7dc..babebadd11 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md index f3cadccfc5..eec6a03a0a 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md index 3134a03c07..fb7ddb1250 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md index 1e37715589..e98f13cc83 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md index 6b8b3f2fad..d8dab27bda 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index b32948c986..da69589771 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md index 19bfe5c981..b7dd20ed15 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md index eafc069b2f..42081cd402 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md index 3540a9f09f..636bd2ec6f 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md index 3d1366b626..ac070c7702 100644 --- a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md +++ b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md index fdc92d8744..75fb5939bd 100644 --- a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md index b95d2d4210..4e94af24de 100644 --- a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md +++ b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md index 6669963069..1636ce5414 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md index 602b204581..57568063b4 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md index 8a2d799d66..b49be1c41c 100644 --- a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md +++ b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md index 087dc4ed6c..84ae8e5274 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md index 09d483458c..f1397bc889 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md index 218c85c6c7..412af6ec04 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md index 7057705ad8..0cd52584a2 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md index b8541be161..cf13ab2714 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index 779be1af43..14202023a8 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha ms.date: 06/28/2018 --- diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md index 55e4e0410e..7427a0898e 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index bed0312e47..72ceae633e 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md index 082fce0199..ac82806b49 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md index 740aad436d..cd24f66c87 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 06/21/2018 --- diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md index 2efe7661e7..f966580dff 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md index febb391d27..e5b6a658ce 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md index 5aa52eaa25..6028668431 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md index 91b22ce8ae..9a65820d67 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md index 9bc859d8ef..da8d2ab5cf 100644 --- a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md +++ b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md index 1ea9cb284b..f4abcd62e5 100644 --- a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md +++ b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md index b684158c99..f18bfcb85a 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md index b56cb79eab..ed0c582609 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md index 8a24119ceb..dba5ef3e9d 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md @@ -6,8 +6,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft - ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index 7c017c5b0c..6ca86aeb84 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md index 0b5d5d3df4..d767ea7088 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md index 4db7cdc5d5..d99e3aded9 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md index cfec2fafb7..eafe932536 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md index 0297e485f5..0207f7e66b 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md index 9a858f2da5..fce80319bb 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md index b672362f53..6b9f166e9f 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md @@ -6,6 +6,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +ms.localizationpriority: medium author: justinha ms.date: 07/27/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md index b5e5008271..aa5c1ab5dd 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md index 3674843d0e..a6a303f5bf 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md index e2e72db46d..e5215a392c 100644 --- a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md +++ b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md index 51b259cf4e..27d191495c 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md index da0ccc7bb9..21de9aeec4 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 77d4038a3d..be635dcfef 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md index cfc28a2dfc..3874bf7655 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md index a33fcc6cfe..42f411a872 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md index 572d2ac031..3b064f6908 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md index f4ae3d7ec6..1b73389dbb 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- @@ -55,10 +56,14 @@ authentication level that servers accept. The following table identifies the pol - Best practices are dependent on your specific security and authentication requirements. -### Location +### Policy Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options +### Registry Location + +HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel + ### Default values The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md index f22f62b0b2..428b113fe1 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md index fd7b375759..94cd2f2a3b 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 07/27/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md index a1a72b97d9..2b4aa59ac0 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md index 943d99b774..b3724d05f6 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md index 2a7f3ce456..e3a706d5e9 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md index de492a6900..9007808fc8 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index 08335febc9..588e68efbb 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md index 841ed44541..1fdac0f27c 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md index cbef99d80f..6751800e93 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index 59346ccb54..c5a14b24b3 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index bb0ef8c128..bfdf5f299a 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/08/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md index c4974cf71c..49e90f010b 100644 --- a/windows/security/threat-protection/security-policy-settings/password-policy.md +++ b/windows/security/threat-protection/security-policy-settings/password-policy.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md index c382fb66e7..2eee65e68b 100644 --- a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/profile-single-process.md b/windows/security/threat-protection/security-policy-settings/profile-single-process.md index 5fbb3b3076..90776ad589 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-single-process.md +++ b/windows/security/threat-protection/security-policy-settings/profile-single-process.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md index fa2a4609bc..9b538889f1 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md +++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md index 1f8dabdc28..ad5a2f6f14 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md index 55fea42ddb..a513560166 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md index c25cf8e2ba..43278adbbf 100644 --- a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md +++ b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md index f002ef3118..afebd10193 100644 --- a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md +++ b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md index 13163b2d93..e735885b8d 100644 --- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md +++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md index 856437c766..3b09600257 100644 --- a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md +++ b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md index 09c52294bb..ef50b18745 100644 --- a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md index b4d90dc74c..8a6cd11350 100644 --- a/windows/security/threat-protection/security-policy-settings/security-options.md +++ b/windows/security/threat-protection/security-policy-settings/security-options.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha ms.date: 06/28/2018 --- diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md index 36c19f08f0..051808cb85 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md index 4f24fe003a..6711b70593 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md index 3c7cbedb11..ef46b8301e 100644 --- a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md +++ b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md index ef32c15b9a..b74494656b 100644 --- a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md index 8458d32a52..12b6755312 100644 --- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/01/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md index c8cb5783ba..988d211159 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 06/19/2018 --- diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md index 707cdf82c8..16cffebd8d 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md @@ -6,8 +6,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft - ms.date: 06/19/2018 --- # SMBv1 Microsoft network client: Digitally sign communications (if server agrees) diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md index cff5d35423..8e2cdd2740 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 06/19/201 --- diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md index 637fa2d2a5..654a737d1a 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 06/19/2018 --- diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md index 6b0bae4976..d7c75a3d4f 100644 --- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md +++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md index 740d9d0593..16c68a6929 100644 --- a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md +++ b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md index 7e9d1f3acd..0398bbbc89 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index 18de1ae022..bba7a2624e 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/29/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md index 6f5095b542..7e0ca59069 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md index e1466cb95c..c5de4856e1 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md index c82b0dffa3..c81039c024 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md index 7bc764769a..63c46fc928 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md index 50ee559766..ffa2941137 100644 --- a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md +++ b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index 827068144d..fa31fb16e4 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/08/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md index ce00295661..64449e0bec 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index 41a9379d1f..27cfc0dcfb 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md @@ -6,6 +6,7 @@ ms.prod: ws10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/08/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md index 866d8ae86d..b8620f41a5 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md index ab6b837747..de3df48df1 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md index 6d75c0225d..54ad96d58f 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md index a56e37647a..80a4e5f969 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md index 1a79e80070..0e931e969d 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md index 2b87555ed9..40cce0498e 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md index 7fba0a0991..d6ba8a9479 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md index 249e7ff426..931d388344 100644 --- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md +++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 5bc2e80133..61a5bb0ce0 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: security author: tedhardyMSFT ms.date: 02/16/2018 +ms.localizationpriority: medium --- # Use Windows Event Forwarding to help with intrusion detection diff --git a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md index d0e001795a..2e776ea30d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md +++ b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md @@ -1,6 +1,6 @@ --- -title: Collect diagnostic data for Update Compliance and Windows Defender AV -description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Windows Defender AV Assessment add in +title: Collect diagnostic data for Update Compliance and Windows Defender Windows Defender Antivirus +description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Windows Defender Antivirus Assessment add in keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, windows defender av search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -11,23 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/12/2017 +ms.date: 09/03/2018 --- # Collect Update Compliance diagnostic data for Windows Defender AV Assessment **Applies to:** -- Windows 10 - -**Audience** - -- IT administrators +- Windows Defender Advanced Threat Protection (Windows Defender ATP) This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in. -Before attempting this process, ensure you have read the [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md) topic, met all require pre-requisites, and taken any other suggested troubleshooting steps. - +Before attempting this process, ensure you have read [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md), met all require pre-requisites, and taken any other suggested troubleshooting steps. 1. On at least two endpoints that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by following this process: @@ -57,21 +52,17 @@ Before attempting this process, ensure you have read the [Troubleshoot Windows D 3. Send an email using the Update Compliance support email template, and fill out the template with the following information: - ``` - I am encountering the following issue when using Windows Defender AV in Update Compliance: + I am encountering the following issue when using Windows Defender Antivirus in Update Compliance: I have provided at least 2 support .cab files at the following location: - My OMS workspace ID is: + My OMS workspace ID is: - Please contact me at: + Please contact me at: ``` - - - ## Related topics -- [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md) +- [Troubleshoot Windows Defender Windows Defender Antivirus reporting](troubleshoot-reporting.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index 16ef07c3fd..5544020384 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Use the command line to manage Windows Defender AV -description: Windows Defender AV has a dedicated command-line utility that can run scans and configure protection. +title: Use the command line to manage Windows Defender Antivirus +description: Run Windows Defender Antivirus scans and configure next gen protection with a dedicated command-line utility. keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -11,31 +11,24 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/26/2017 +ms.date: 09/03/2018 --- - -# Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus +# Configure and manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +You can perform various Windows Defender Antivirus functions with the dedicated command-line tool mpcmdrun.exe. -- Enterprise security administrators +This utility can be useful when you want to automate Windows Defender Antivirus use. - -You can use a dedicated command-line tool to perform various functions in Windows Defender Antivirus. - -This utility can be useful when you want to automate the use of Windows Defender Antivirus. - -The utility is available in _%ProgramFiles%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt. +You can find the utility in _%ProgramFiles%\Windows Defender\MpCmdRun.exe_. You must run it from a command prompt. > [!NOTE] > You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. - The utility has the following commands: ```DOS @@ -55,12 +48,7 @@ Command | Description \-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md) \-SignatureUpdate [-UNC [-Path ]] | Checks for new definition updates - - - ## Related topics - [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - - diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md index 09fefe72e5..c11220d5fc 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Manage Windows Defender AV in your business +title: Manage Windows Defender in your business description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the comman line to manage Windows Defender AV keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection search.product: eADQiWindows 10XVcnh @@ -11,36 +11,32 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 03/01/2018 +ms.date: 09/03/2018 --- -# Manage Windows Defender AV in your business +# Manage Windows Defender Antivirus in your business **Applies to:** -- Windows 10 - -**Audience** - -- Enterprise security administrators +- Windows Defender Advanced Threat Protection (Windows Defender ATP) You can manage and configure Windows Defender Antivirus with the following tools: +- Microsoft Intune +- System Center Configuration Manager - Group Policy -- System Center Configuration Manager and Microsoft Intune - PowerShell cmdlets - Windows Management Instruction (WMI) - The mpcmdrun.exe utility -The topics in this section provide further information, links, and resources for using these tools in conjunction with Windows Defender AV. +The topics in this section provide further information, links, and resources for using these tools to manage and configure Windows Defender Antivirus. ## In this section -Topic | Description +Topic | Description ---|--- -[Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-windows-defender-antivirus.md)|List of all Group Policy settings located in the Windows 10, version 1703 ADMX templates -[Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-windows-defender-antivirus.md)|Information on using System Center Configuration Manager and Microsoft Intune to deploy, manage, report, and configure Windows Defender AV -[Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-windows-defender-antivirus.md)|Instructions on using PowerShell cmdlets in the Defender Module and links to documentation for all cmdlets and allowed parameters -[Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-windows-defender-antivirus.md)| Instructions on using WMI to manage Windows Defender AV and links to documentation for the Windows Defender WMIv2 APIs (including all classes, methods, and properties) -[Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Windows Defender AV - +[Manage Windows Defender Antivirus with Microsoft Intune and System Center Configuration Manager](use-intune-config-manager-windows-defender-antivirus.md)|Information about using Intune and System Center Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus +[Manage Windows Defender Antivirus with Group Policy settings](use-group-policy-windows-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates +[Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Windows Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters +[Manage Windows Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-windows-defender-antivirus.md)| Instructions for using WMI to manage Windows Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) +[Manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-windows-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Windows Defender Antivirus diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md index 77cc805406..673fc41138 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md @@ -11,42 +11,37 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 09/03/2018 --- -# Configure scanning options in Windows Defender AV +# Configure Windows Defender Antivirus scanning options +**Applies to:** -**Applies to** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +**Use Microsoft Intune to configure scanning options** -- Enterprise security administrators +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. -**Manageability available with** + -- Group Policy -- PowerShell -- Windows Management Instrumentation (WMI) -- System Center Configuration Manager -- Microsoft Intune +**Use Configuration Manager to configure scanning options:** +See [How to create and deploy antimalware policies: Scan settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch). + +**Use Group Policy to configure scanning options** To configure the Group Policy settings described in the following table: -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. +3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. -6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. - -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - -For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx). +4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class ---|---|---|--- @@ -61,24 +56,22 @@ Specify the level of subfolders within an archive folder to scan | Scan > Specif Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor` Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available -**Use Configuration Manager to configure scanning options:** +**Use PowerShell to configure scanning options** -See [How to create and deploy antimalware policies: Scan settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch). +See [Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +**Use WMI to configure scanning options** -**Use Microsoft Intune to configure scanning options** +For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx). -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. - - - - ### Email scanning limitations + We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended setting for scanning emails. -You can use this Group Policy to also enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated: +You can also use this Group Policy to enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated: + - DBX - MBX - MIME @@ -86,17 +79,19 @@ You can use this Group Policy to also enable scanning of older email files used PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat: -- Email subject -- Attachment name + +- Email subject +- Attachment name >[!WARNING] >There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles: -- [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1) -- [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2) +> +> - [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1) +> - [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2) ## Related topics -- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md) -- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md) +- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index d5bdf282dc..728e03873e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -11,27 +11,16 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/02/2018 +ms.date: 09/03/2018 --- -# Enable the Block at First Sight feature +# Enable block at first sight -**Applies to** +**Applies to:** -- Windows 10, version 1703 and later +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Intune -- Group Policy -- Windows Defender Security Center app - - -Block at first sight is a feature of Windows Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds. +Block at first sight is a feature of next gen protection that provides a way to detect and block new malware within seconds. It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can use group policy settings to confirm the feature is enabled. @@ -40,128 +29,117 @@ You can [specify how long the file should be prevented from running](configure-c You can also [customize the message displayed on users' desktops](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. > [!IMPORTANT] -> There is no specific individual setting in System Center Configuration Manager to enable or disable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature. - +> There is no specific individual setting in System Center Configuration Manager to enable or disable block at first sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature. >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. - +>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. ## How it works -When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. +When Windows Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean. -In Windows 10, version 1803, the Block at First Sight feature can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. +In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. -The Block at First Sight feature only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. +Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. -If the cloud backend is unable to make a determination, the file will be locked by Windows Defender AV while a copy is uploaded to the cloud. The cloud will perform additional analysis to reach a determination before it allows the file to run or blocks it in all future encounters, depending on whether the file is determined to be malicious or safe. +If the cloud backend is unable to make a determination, Windows Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe. -In many cases this process can reduce the response time for new malware from hours to seconds. +In many cases, this process can reduce the response time for new malware from hours to seconds. +## Confirm and validate that block at first sight is enabled -## Confirm and validate Block at First Sight is enabled +Block at first sight requires a number of Group Policy settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Windows Defender Antivirus deployments. -Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. Usually, these settings are already enabled in most default Windows Defender AV deployments in enterprise networks. - -### Confirm Block at First Sight is enabled with Intune +### Confirm block at first sight is enabled with Intune 1. In Intune, navigate to **Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**. - > [!NOTE] - > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. +> [!NOTE] +> The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. 2. Verify these settings are configured as follows: - - **Cloud-delivered protection**: **Enable** - - **File Blocking Level**: **High** - - **Time extension for file scanning by the cloud**: **50** - - **Prompt users before sample submission**: **Send all data without prompting** + - **Cloud-delivered protection**: **Enable** + - **File Blocking Level**: **High** + - **Time extension for file scanning by the cloud**: **50** + - **Prompt users before sample submission**: **Send all data without prompting** -For more information about configuring Windows Defender AV device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). +For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). -For a list of Windows Defender AV device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus). +For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus). +### Confirm block at first sight is enabled with Group Policy -### Confirm Block at First Sight is enabled with Group Policy +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** and configure the following Group Policies: -5. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** and configure the following Group Policies: - - 1. Double-click the **Join Microsoft MAPS** setting and ensure the option is set to **Enabled**. Click **OK**. - - 1. Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following: - - 1. Send safe samples (1) - - 1. Send all samples (3) + 1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. + + 2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following: + + - Send safe samples (1) + - Send all samples (3) > [!WARNING] - > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function. + > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means block at first sight will not function. - 1. Click **OK**. + 3. Click **OK**. -1. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender Antivirus > Real-time Protection**: - - 1. Double-click the **Scan all downloaded files and attachments** setting and ensure the option is set to **Enabled**. Click **OK**. - - 1. Double-click the **Turn off real-time protection** setting and ensure the option is set to **Disabled**. Click **OK**. +4. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender Antivirus > Real-time Protection**: + + 1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**. Click **OK**. + + 2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**. Click **OK**. If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered. +### Confirm block at first sight is enabled with the Windows Defender Security Center app -### Confirm Block at First Sight is enabled with the Windows Defender Security Center app +You can confirm that block at first sight is enabled in Windows Settings. -You can confirm that Block at First Sight is enabled in Windows Settings. - -The feature is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. +Block at first sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. **Confirm Block at First Sight is enabled on individual clients** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Virus & threat protection settings**: ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png) - -3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. + +3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. > [!NOTE] > If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. +### Validate block at first sight is working -### Validate Block at First Sight is working +You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate). -You can validate that the feature is working by following the steps outlined in the [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate) topic. - - -## Disable Block at First Sight +## Disable block at first sight > [!WARNING] -> Disabling the Block at First Sight feature will lower the protection state of the endpoint and your network. +> Disabling block at first sight will lower the protection state of the endpoint and your network. -You may choose to disable the Block at First Sight feature if you want to retain the pre-requisite settings without using Block at First Sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. +You may choose to disable block at first sight if you want to retain the pre-requisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. -**Disable Block at First Sight with Group Policy** +**Disable block at first sight with Group Policy** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree through **Windows components > Windows Defender Antivirus > MAPS**. +3. Expand the tree through **Windows components > Windows Defender Antivirus > MAPS**. -1. Double-click the **Configure the 'Block at First Sight' feature** setting and set the option to **Disabled**. +4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**. > [!NOTE] - > Disabling the Block at First Sight feature will not disable or alter the pre-requisite group policies. - + > Disabling block at first sight will not disable or alter the pre-requisite group policies. ## Related topics -- [Windows Defender in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) - - diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md index 247e68bc23..c4712bd823 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md @@ -11,64 +11,40 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Configure the cloud block timeout period - - **Applies to:** -- Windows 10, version 1703 and later - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy - - - - - - -When Windows Defender Antivirus is suspicious of a file, it can prevent the file from running while it queries the [Windows Defender Antivirus cloud-protection service](utilize-microsoft-cloud-protection-windows-defender-antivirus.md). - -The default period that the file will be [blocked](configure-block-at-first-sight-windows-defender-antivirus.md) for is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Windows Defender Antivirus cloud. +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +When Windows Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Windows Defender Antivirus cloud service](utilize-microsoft-cloud-protection-windows-defender-antivirus.md). +The default period that the file will be [blocked](configure-block-at-first-sight-windows-defender-antivirus.md) is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Windows Defender Antivirus cloud service. ## Prerequisites to use the extended cloud block timeout -The [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature and its prerequisites must be enabled before you can specify an extended timeout period. - +[Block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended timeout period. + ## Specify the extended timeout period You can use Group Policy to specify an extended timeout for cloud checks. -**Use Group Policy to specify an extended timeout period:** +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine** -4. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine** - -5. Double-click the **Configure extended cloud check** setting and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds. - -6. Click **OK**. +4. Double-click **Configure extended cloud check** and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds. +5. Click **OK**. ## Related topics -- [Windows Defender in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) -- [Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Use next-gen antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) - - - - diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md index 8ff899a974..a4e4d1798a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md @@ -11,31 +11,23 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/26/2017 +ms.date: 09/03/2018 --- # Configure end-user interaction with Windows Defender Antivirus **Applies to:** -- Windows 10 - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy +- Windows Defender Advanced Threat Protection (Windows Defender ATP) You can configure how users of the endpoints on your network can interact with Windows Defender Antivirus. -This includes whether they see the Windows Defender AV interface, what notifications they see, and if they can locally override globally deployed Group Policy settings. +This includes whether they see the Windows Defender Antivirus interface, what notifications they see, and if they can locally override globally-deployed Group Policy settings. ## In this section Topic | Description ---|--- -[Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation -[Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) | Hide the user interface from users +[Configure notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation +[Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) | Hide the user interface from users [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md index ce689900bf..05da87967e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md @@ -11,47 +11,30 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/27/2017 +ms.date: 09/03/2018 --- -# Configure and validate exclusions for Windows Defender AV scans (client) - +# Configure and validate exclusions for Windows Defender Antivirus scans **Applies to:** -- Windows 10 -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Group Policy -- PowerShell -- Windows Management Instrumentation (WMI) -- System Center Configuration Manager -- Microsoft Intune -- Windows Defender Security Center - -You can exclude certain files, folders, processes, and process-opened files from being scanned by Windows Defender Antivirus. +You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus scans. The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection. Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. -Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See the [Windows Defender AV exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md) topic for more information and a list of the automatic exclusions. +Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See the [Windows Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md) topic for more information and a list of the automatic exclusions. >[!WARNING] ->Defining exclusions lowers the protection offered by Windows Defender AV. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. +>Defining exclusions lowers the protection offered by Windows Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. ## In this section Topic | Description ---|--- -[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) | Exclude files from Windows Defender AV scans based on their file extension, file name, or location -[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) | You can exclude files from scans that have been opened by a specific process -[Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) | Windows Server 2016 includes automatic exclusions, based on the defined Server Role. You can also add custom exclusions - +[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) | Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location +[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) | Exclude files from scans that have been opened by a specific process +[Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) | Windows Server 2016 includes automatic exclusions, based on the defined server role. You can also add custom exclusions. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 9381eb05f6..4c95157a94 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Configure and validate exclusions based on extension, name, or location -description: Exclude files from Windows Defender AV scans based on their file extension, file name, or location. +description: Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location. keywords: exclusions, files, extension, file type, folder name, file name, scans search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -11,34 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 09/03/2018 --- # Configure and validate exclusions based on file extension and folder location - **Applies to:** -- Windows 10 -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. -- Enterprise security administrators - - -**Manageability available with** - -- Group Policy -- PowerShell -- Windows Management Instrumentation (WMI) -- System Center Configuration Manager -- Microsoft Intune -- Windows Defender Security Center - -You can exclude certain files from being scanned by Windows Defender AV by modifying exclusion lists. - -Generally, you shouldn't need to apply exclusions. Windows Defender AV includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. +Generally, you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. >[!TIP] >The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default. @@ -53,6 +37,7 @@ A specific file in a specific folder | The file c:\sample\sample.test only | Fil A specific process | The executable file c:\test\process.exe | File and folder exclusions This means the exclusion lists have the following characteristics: + - Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately. - File extensions will apply to any file name with the defined extension if a path or folder is not defined. @@ -61,70 +46,64 @@ This means the exclusion lists have the following characteristics: > >You cannot exclude mapped network drives. You must specify the actual network path. > ->Folders that are reparse points that are created after the Windows Defender AV service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. - - - - -To exclude files opened by a specific process, see the [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) topic. +>Folders that are reparse points that are created after the Windows Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. +To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md). The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [real-time protection](configure-real-time-protection-windows-defender-antivirus.md). >[!IMPORTANT] ->Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). +>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). > >Changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists. - - -By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. +By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. - - - - - ## Configure the list of exclusions based on folder name or file extension - +**Use Intune to configure file name, folder, or file extension exclusions:** + +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. + +**Use Configuration Manager to configure file name, folder, or file extension exclusions:** + +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). + **Use Group Policy to configure folder or file extension exclusions:** >[!NOTE] ->If you specify a fully qualified path to a file, then only that file will be excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded. +>If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. - -6. Double-click the **Path Exclusions** setting and add the exclusions: +4. Double-click the **Path Exclusions** setting and add the exclusions: 1. Set the option to **Enabled**. - 2. Under the **Options** section, click **Show...** + 2. Under the **Options** section, click **Show...**. 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. -7. Click **OK**. +5. Click **OK**. -![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png) + ![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png) -8. Double-click the **Extension Exclusions** setting and add the exclusions: +6. Double-click the **Extension Exclusions** setting and add the exclusions: - 1. Set the option to **Enabled**. - 2. Under the **Options** section, click **Show...** + 1. Set the option to **Enabled**. + 2. Under the **Options** section, click **Show...**. 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column. +7. Click **OK**. -9. Click **OK**. - -![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png) - + ![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png) + **Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:** Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender). @@ -139,9 +118,9 @@ The following are allowed as the \: Configuration action | PowerShell cmdlet ---|--- -Create or overwrite the list | `Set-MpPreference` -Add to the list | `Add-MpPreference` -Remove item from the list | `Remove-MpPreference` +Create or overwrite the list | `Set-MpPreference` +Add to the list | `Add-MpPreference` +Remove item from the list | `Remove-MpPreference` The following are allowed as the \: @@ -150,10 +129,8 @@ Exclusion type | PowerShell parameter All files with a specified file extension | `-ExclusionExtension` All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` - >[!IMPORTANT] ->If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. - +>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the **.test** file extension: @@ -163,7 +140,6 @@ Add-MpPreference -ExclusionExtension ".test" See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - **Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions:** Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: @@ -176,25 +152,15 @@ ExclusionPath The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. See the following for more information and allowed parameters: + - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) -**Use Configuration Manager to configure file name, folder, or file extension exclusions:** - -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). - - -**Use Microsoft Intune to configure file name, folder, or file extension exclusions:** - -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. - **Use the Windows Defender Security Center app to configure file name, folder, or file extension exclusions:** See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions. - - ## Use wildcards in the file name and folder path or extension exclusion lists @@ -205,8 +171,7 @@ You can use the asterisk `*`, question mark `?`, or environment variables (such > >- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. >- You cannot use a wildcard in place of a drive letter. ->- The use of asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. - +>- An asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. The following table describes how the wildcards can be used and provides some examples. @@ -231,7 +196,7 @@ The following table describes how the wildcards can be used and provides some ex -
  1. C:\MyData\\notes.txt
    2. -
  2. Any file in: +
  3. Any file in:
    • C:\somepath\\Archives\Data and its subfolders
    • C:\somepath\\Authorized\Data and its subfolders
      • @@ -246,7 +211,7 @@ The following table describes how the wildcards can be used and provides some ex
- ? (question mark) + ? (question mark) Replaces a single character.
@@ -295,23 +260,23 @@ The following table describes how the wildcards can be used and provides some ex > >This argument, however, will not match any files in **subfolders** under *c:\data\final\marked* or *c:\data\review\marked*. - + ## Review the list of exclusions -You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). +You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), PowerShell, or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). >[!IMPORTANT] ->Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). +>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). > >Changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists. If you use PowerShell, you can retrieve the list in two ways: -- Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. +- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. -**Review the list of exclusions alongside all other Windows Defender AV preferences:** +**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:** Use the following cmdlet: @@ -320,13 +285,11 @@ Get-MpPreference ``` In the following example, the items contained in the `ExclusionExtension` list are highlighted: - ![PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences](images/defender/wdav-powershell-get-exclusions-all.png) See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - **Retrieve a specific exclusions list:** Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: @@ -341,14 +304,10 @@ In the following example, the list is split into new lines for each use of the ` ![PowerShell output showing only the entries in the exclusion list](images/defender/wdav-powershell-get-exclusions-variable.png) - See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - - - - + ## Validate exclusions lists with the EICAR test file You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file. @@ -359,11 +318,11 @@ In the following PowerShell snippet, replace *test.txt* with a file that conform Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt" ``` -If Windows Defender AV reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html). +If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html). You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating: -```PowerShell +```PowerShell $client = new-object System.Net.WebClient $client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt") ``` @@ -376,12 +335,10 @@ If you do not have Internet access, you can create your own EICAR test file by w You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude. - - ## Related topics -- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) -- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) -- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md index 55f4c3f930..013ef4ec60 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md @@ -11,29 +11,20 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- -# Prevent or allow users to locally modify Windows Defender AV policy settings +# Prevent or allow users to locally modify Windows Defender Antivirus policy settings **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy - - -By default, Windows Defender AV settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances. +By default, Windows Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances. For example, it may be necessary to allow certain user groups (such as security researchers and threat investigators) further control over individual settings on the endpoints they use. -## Configure local overrides for Windows Defender AV settings +## Configure local overrides for Windows Defender Antivirus settings The default setting for these policies is **Disabled**. @@ -43,25 +34,25 @@ The following table lists each of the override policy setting and the configurat To configure these settings: -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. +3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. -6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. +4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. -7. Deploy the Group Policy Object as usual. +5. Deploy the Group Policy Object as usual. Location | Setting | Configuration topic ---|---|---|--- MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) -Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) Scan | Configure local setting override for maximum percentage of CPU utilization | [Configure and run scans](run-scan-windows-defender-antivirus.md) Scan | Configure local setting override for schedule scan day | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) @@ -69,35 +60,30 @@ Scan | Configure local setting override for scheduled quick scan time | [Configu Scan | Configure local setting override for scheduled scan time | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) Scan | Configure local setting override for the scan type to use for a scheduled scan | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) - - - - + ## Configure how locally and globally defined threat remediation and exclusions lists are merged You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus.md). -By default, lists that have been configured in local group policy and the Windows Defender Security Center app are merged with lists that are defined by the appropriate GPO that you have deployed on your network. Where there are conflicts, the globally defined list takes precedence. - -You can disable this setting to ensure that only globally defined lists (such as those from any deployed GPOs) are used. +By default, lists that have been configured in local group policy and the Windows Defender Security Center app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence. +You can disable this setting to ensure that only globally-defined lists (such as those from any deployed GPOs) are used. **Use Group Policy to disable local list merging:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus**. +3. Expand the tree to **Windows components > Windows Defender Antivirus**. -6. Double-click the **Configure local administrator merge behavior for lists** setting and set the option to **Enabled**. Click **OK**. +4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Enabled**. Click **OK**. > [!NOTE] -> If you disable local list merging, it will override Controlled folder access settings in Windows Defender Exploit Guard. It also overrides any protected folders or allowed apps set by the local administrator. For more information about Controlled folder access settings, see [Enable Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). - +> If you disable local list merging, it will override controlled folder access settings. It also overrides any protected folders or allowed apps set by the local administrator. For more information about controlled folder access settings, see [Enable controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md) \ No newline at end of file +- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index b4751e5cad..69728c47d8 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Configure and test Windows Defender Antivirus network connections -description: Configure and test your connection to the Windows Defender Antivirus cloud-delivered protection service. -keywords: windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level +title: Configure and validate Windows Defender Antivirus network connections +description: Configure and test your connection to the Windows Defender Antivirus cloud protection service. +keywords: antivirus, windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -11,20 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- -# Configure and validate network connections for Windows Defender Antivirus - +# Configure and validate Windows Defender Antivirus network connections **Applies to:** -- Windows 10 (some instructions are only applicable for Windows 10, version 1703 or later) - -**Audience** - -- Enterprise security administrators - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. @@ -33,19 +27,20 @@ This topic lists the connections that must be allowed, such as by using firewall See the Enterprise Mobility and Security blog post [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) for some details about network connectivity. >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: +>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: +> >- Cloud-delivered protection ->- Fast learning (including Block at first sight) +>- Fast learning (including block at first sight) >- Potentially unwanted application blocking -## Allow connections to the Windows Defender Antivirus cloud +## Allow connections to the Windows Defender Antivirus cloud service -The Windows Defender Antivirus cloud provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommend as it provides very important protection against malware on your endpoints and across your network. +The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides very important protection against malware on your endpoints and across your network. ->[!NOTE] +>[!NOTE] >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates. -See the [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) topic for details on enabling the service with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app. +See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Defender Security Center app. After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. @@ -133,44 +128,43 @@ https://msdl.microsoft.com/download/symbols Universal Telemetry Client 		-Used by Windows to send client diagnostic data, Windows Defender Antivirus uses this for product quality monitoring purposes +Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:
  • vortex-win.data.microsoft.com
  • settings-win.data.microsoft.com
- ## Validate connections between your network and the cloud -After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender AV cloud and are correctly reporting and receiving information to ensure you are fully protected. +After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected. **Use the cmdline tool to validate cloud-delivered protection:** -Use the following argument with the Windows Defender AV command line utility (*mpcmdrun.exe*) to verify that your network can communicate with the Windows Defender AV cloud: +Use the following argument with the Windows Defender Antivirus command line utility (*mpcmdrun.exe*) to verify that your network can communicate with the Windows Defender Antivirus cloud service: ```DOS -MpCmdRun -ValidateMapsConnection +MpCmdRun -ValidateMapsConnection ``` -> [!NOTE] -> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703. -See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility. +> [!NOTE] +> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher. + +See [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility. **Attempt to download a fake malware file from Microsoft:** -You can download a sample file that Windows Defender AV will detect and block if you are properly connected to the cloud. +You can download a sample file that Windows Defender Antivirus will detect and block if you are properly connected to the cloud. Download the file by visiting the following link: - http://aka.ms/ioavtest ->[!NOTE] +>[!NOTE] >This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. -If you are properly connected, you will see a warning notification from Windows Defender Antivirus: +If you are properly connected, you will see a warning Windows Defender Antivirus notification: ![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-malware-detected.png) @@ -189,23 +183,22 @@ You will also see a detection under **Quarantined threats** in the **Scan histor 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: ![Screenshot of the Scan history label in the Windows Defender Security Center app](images/defender/wdav-history-wdsc.png) - + 3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware: ![Screenshot of quarantined items in the Windows Defender Security Center app](images/defender/wdav-quarantined-history-wdsc.png) >[!NOTE] ->Versions of Windows 10 before version 1703 have a different user interface. See the [Windows Defender Antivirus in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) topic for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces. +>Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces. The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md). >[!IMPORTANT] ->You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity. - +>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity. ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) -- [Run a Windows Defender scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md) +- [Run an Windows Defender Antivirus scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md) - [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md index 060372f38b..6985bdef52 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Configure notifications for Windows Defender Antivirus -description: Configure and customize notifications from Windows Defender AV. -keywords: notifications, defender, endpoint, management, admin +title: Configure Windows Defender Antivirus notifications +description: Configure and customize Windows Defender Antivirus notifications. +keywords: notifications, defender, antivirus, endpoint, management, admin search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -11,27 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Configure the notifications that appear on endpoints **Applies to:** -- Windows 10, version 1703 and later +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise. -- Enterprise security administrators - -**Manageability available with** - -- Group Policy -- Windows Defender Security Center app - -In Windows 10, application notifications about malware detection and remediation by Windows Defender are more robust, consistent, and concise. - -Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals. +Notifications appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications also appear in the **Notification Center**, and a summary of scans and threat detections appear at regular time intervals. You can also configure how standard notifications appear on endpoints, such as notifications for reboot or when a threat has been detected and remediated. @@ -40,78 +31,73 @@ You can also configure how standard notifications appear on endpoints, such as n You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md) and with Group Policy. > [!NOTE] -> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10 it is called **Enhanced notifications**. +> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**. > [!IMPORTANT] > Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts. -**Use the Windows Defender Security Center app to disable additional notifications:** +**Use the Windows Defender Security Center app to disable additional notifications:** 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: -![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](images/defender/wdav-protection-settings-wdsc.png) - -3. Scroll to the **Notifications** section and click **Change notification settings**. + ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](images/defender/wdav-protection-settings-wdsc.png) + +3. Scroll to the **Notifications** section and click **Change notification settings**. 4. Slide the switch to **Off** or **On** to disable or enable additional notifications. **Use Group Policy to disable additional notifications:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Administrative templates**. +3. Click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**. - -6. Double-click the **Turn off enhanced notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. +4. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**. +5. Double-click **Turn off enhanced notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. ## Configure standard notifications on endpoints You can use Group Policy to: + - Display additional, customized text on endpoints when the user needs to perform an action - Hide all notifications on endpoints - Hide reboot notifications on endpoints -Hiding notifications can be useful in situations where you cannot hide the entire Windows Defender AV interface. See [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information. +Hiding notifications can be useful in situations where you can't hide the entire Windows Defender Antivirus interface. See [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information. > [!NOTE] > Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection). -See the [Customize the Windows Defender Security Center app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md) topic for instructions to add custom contact information to the notifications that users see on their machines. +See [Customize the Windows Defender Security Center app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines. **Use Group Policy to hide notifications:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. -6. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. +4. Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. **Use Group Policy to hide reboot notifications:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. - -6. Double-click the **Suppresses reboot notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. - +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. +3. Click **Administrative templates**. +4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. +5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md) +- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 43501a9510..57a4d03e85 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -1,7 +1,7 @@ --- title: Configure exclusions for files opened by specific processes description: You can exclude files from scans if they have been opened by a specific process. -keywords: process, exclusion, files, scans +keywords: Windows Defender Antivirus, process, exclusion, files, scans search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -11,83 +11,73 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 09/03/2018 --- # Configure exclusions for files opened by processes **Applies to:** -- Windows 10 -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Group Policy -- PowerShell -- Windows Management Instrumentation (WMI) -- System Center Configuration Manager -- Microsoft Intune -- Windows Defender Security Center - -You can exclude files that have been opened by specific processes from being scanned by Windows Defender AV. +You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans. This topic describes how to configure exclusion lists for the following: -Exclusion | Example +Exclusion | Example ---|--- Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by:
  • c:\sample\test.exe
  • d:\internal\files\test.exe
Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:
  • c:\test\sample\test.exe
  • c:\test\sample\test2.exe
  • c:\test\sample\utility.exe
Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe -When you add a process to the process exclusion list, Windows Defender AV will not scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md). +When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md). -The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They do not apply to scheduled or on-demand scans. +The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They don't apply to scheduled or on-demand scans. -Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists. +Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists. You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. -You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. +You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. - -By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. +By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. - ## Configure the list of exclusions for files opened by specified processes - + +**Use Microsoft Intune to exclude files that have been opened by specified processes from scans:** + +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. + +**Use System Center Configuration Manager to exclude files that have been opened by specified processes from scans:** + +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). + **Use Group Policy to exclude files that have been opened by specified processes from scans:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. +4. Double-click **Process Exclusions** and add the exclusions: -6. Double-click the **Process Exclusions** setting and add the exclusions: - - 1. Set the option to **Enabled**. - 2. Under the **Options** section, click **Show...** + 1. Set the option to **Enabled**. + 2. Under the **Options** section, click **Show...**. 3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes. -7. Click **OK**. +5. Click **OK**. ![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png) - + **Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:** Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender). @@ -102,14 +92,12 @@ The following are allowed as the \: Configuration action | PowerShell cmdlet ---|--- -Create or overwrite the list | `Set-MpPreference` -Add to the list | `Add-MpPreference` -Remove items from the list | `Remove-MpPreference` - +Create or overwrite the list | `Set-MpPreference` +Add to the list | `Add-MpPreference` +Remove items from the list | `Remove-MpPreference` >[!IMPORTANT] ->If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. - +>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the specified process: @@ -117,9 +105,7 @@ For example, the following code snippet would cause Windows Defender AV scans to Add-MpPreference -ExclusionProcess "c:\internal\test.exe" ``` - -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - +See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. **Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans:** @@ -132,26 +118,17 @@ ExclusionProcess The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. See the following for more information and allowed parameters: + - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) -**Use Configuration Manager to exclude files that have been opened by specified processes from scans:** - -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). - - -**Use Microsoft Intune to exclude files that have been opened by specified processes from scans:** - -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. - **Use the Windows Defender Security Center app to exclude files that have been opened by specified processes from scans:** See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions. - - + ## Use wildcards in the process exclusion list The use of wildcards in the process exclusion list is different from their use in other exclusion lists. @@ -166,20 +143,18 @@ Wildcard | Use | Example use | Example matches ? (question mark) | Not available | \- | \- Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
|
  • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
- - - + ## Review the list of exclusions You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). If you use PowerShell, you can retrieve the list in two ways: -- Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. +- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. -**Review the list of exclusions alongside all other Windows Defender AV preferences:** +**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:** Use the following cmdlet: @@ -187,10 +162,8 @@ Use the following cmdlet: Get-MpPreference ``` - See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - **Retrieve a specific exclusions list:** Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: @@ -200,18 +173,12 @@ $WDAVprefs = Get-MpPreference $WDAVprefs.ExclusionProcess ``` - - See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - - - - ## Related topics -- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) -- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) -- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file +- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md index 8eaf0cfc8f..61d9ada7c2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Enable and configure protection features in Windows Defender AV +title: Enable and configure Windows Defender Antivirus protection features description: Enable behavior-based, heuristic, and real-time protection in Windows Defender AV. keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, windows defender antivirus, antimalware, security, defender search.product: eADQiWindows 10XVcnh @@ -11,18 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/26/2017 +ms.date: 09/03/2018 --- # Configure behavioral, heuristic, and real-time protection **Applies to:** -- Windows 10 - -**Audience** - -- Enterprise security administrators +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Windows Defender Antivirus uses several methods to provide threat protection: @@ -30,16 +26,15 @@ Windows Defender Antivirus uses several methods to provide threat protection: - Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection") - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research -You can configure how Windows Defender AV uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI). +You can configure how Windows Defender Antivirus uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI). -This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware. - -See the [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) section for how to enable and configure Windows Defender AV cloud-delivered protection. +This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware. +See [Use next-gen Windows Defender Antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for how to enable and configure Windows Defender Antivirus cloud-delivered protection. ## In this section - Topic | Description + Topic | Description ---|--- [Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps -[Enable and configure Windows Defender AV protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on antivirus monitoring features \ No newline at end of file +[Enable and configure Windows Defender Antivirus protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on Windows Defender Antivirus monitoring features \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md index d97f720028..d5a83c1e36 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Configure always-on real-time protection in Windows Defender AV -description: Enable and configure real-time protection features such as behavior monitoring, heuristics, and machine-learning in Windows Defender AV -keywords: real-time protection, rtp, machine-learning, behavior monitoring, heuristics +title: Configure always-on real-time Windows Defender Antivirus protection +description: Enable and configure Windows Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning +keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -11,69 +11,45 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- - - -# Enable and configure Windows Defender AV always-on protection and monitoring - - +# Enable and configure antivirius always-on protection and monitoring **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Group Policy - - - - -Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. +Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. These activities include events such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure. - ## Configure and enable always-on protection You can configure how always-on protection works with the Group Policy settings described in this section. To configure these settings: -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. - -6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. +4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK** and repeat for any other settings. Location | Setting | Description | Default setting (if not configured) ---|---|---|--- -Real-time protection | Monitor file and program activity on your computer | The AV engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled -Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to Windows Defender SmartScreen filter, which scans files before and during downloading | Enabled -Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the AV engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled +Real-time protection | Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled +Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the SmartScreen filter, which scans files before and during downloading | Enabled +Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled -Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled -Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions) -Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the AV engine is asked to detect the activity | Enabled -Root | Allow antimalware service to startup with normal priority | You can lower the priority of the AV engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled -Root | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender AV to still run. This lowers the protection on the endpoint. | Disabled - - - +Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled +Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions) +Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Windows Defender Antivirus engine is asked to detect the activity | Enabled +Root | Allow antimalware service to startup with normal priority | You can lower the priority of the Windows Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled +Root | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled ## Disable real-time protection > [!WARNING] @@ -83,15 +59,13 @@ The main real-time protection capability is enabled by default, but you can disa **Use Group Policy to disable real-time protection:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > Real-time protection**. - -6. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Real-time protection**. +4. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index c409e9402c..87ab0e1b1a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Remediate and resolve infections detected by Windows Defender AV -description: Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder +title: Remediate and resolve infections detected by Windows Defender Antivirus +description: Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder keywords: remediation, fix, remove, threats, quarantine, scan, restore search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -11,29 +11,16 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 09/03/2018 --- +# Configure remediation for Windows Defender Antivirus scans +**Applies to:** -# Configure remediation for Windows Defender AV scans +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Applies to** -- Windows 10 - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy -- System Center Configuration Manager -- PowerShell -- Windows Management Instrumentation (WMI) -- Microsoft Intune - -When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender AV should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. +When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. This topic describes how to configure these settings with Group Policy, but you can also use [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). @@ -45,40 +32,38 @@ You can configure how remediation works with the Group Policy settings described To configure these settings: -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. - -6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. +3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. +4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. Location | Setting | Description | Default setting (if not configured) ---|---|---|--- Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days -Root | Turn off routine remediation | You can specify whether Windows Defender AV automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) +Root | Turn off routine remediation | You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed -Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender AV is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable +Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable >[!IMPORTANT] ->Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. +>Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. >

->If you are certain Windows Defender AV quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender AV](restore-quarantined-files-windows-defender-antivirus.md). +>If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender Antivirus](restore-quarantined-files-windows-defender-antivirus.md). >

->To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md). +>To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md). - -Also see the [Configure remediation-required scheduled full scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) topic for more remediation-related settings. +Also see [Configure remediation-required scheduled full Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) for more remediation-related settings. ## Related topics -- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) -- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) -- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md) +- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) +- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) +- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md) - [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) -- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md) -- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Configure end-user Windows Defender Antivirus interaction](configure-end-user-interaction-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md index 1b9179c6b3..968c4850cb 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Automatic and customized exclusions for Windows Defender AV on Windows Server 2016 -description: Windows Server 2016 includes automatic exclusions, based on Server Role. You can also add custom exclusions. -keywords: exclusions, server, auto-exclusions, automatic, custom, scans +title: Configure Windows Defender Antivirus exclusions on Windows Server 2016 +description: Windows Server 2016 includes automatic exclusions, based on server role. You can also add custom exclusions. +keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Windows Defender Antivirus search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -11,46 +11,34 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 09/03/2018 --- -# Configure exclusions in Windows Defender AV on Windows Server - +# Configure Windows Defender Antivirus exclusions on Windows Server **Applies to:** -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Group Policy -- PowerShell -- Windows Management Instrumentation (WMI) - -If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are automatically enrolled in certain exclusions, as defined by your specified Windows Server Role. A list of these exclusions is provided at [the end of this topic](#list-of-automatic-exclusions). +Windows Defender Antivirus on Windows Server 2016 computers automatically enrolls you in certain exclusions, as defined by your specified server role. See [the end of this topic](#list-of-automatic-exclusions) for a list of these exclusions. These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). -You can still add or remove custom exclusions (in addition to the Server Role-defined automatic exclusions) as described in the other exclusion-related topics: +You can still add or remove custom exclusions (in addition to the server role-defined automatic exclusions) as described in these exclusion-related topics: + - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) -Custom exclusions take precedence over the automatic exclusions. +Custom exclusions take precedence over automatic exclusions. > [!TIP] > Custom and duplicate exclusions do not conflict with automatic exclusions. -Windows Defender AV uses the Deployment Image Servicing and Management (DSIM) tools to determine which roles are installed on your computer. - +Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer. ## Opt out of automatic exclusions -In Windows Server 2016 the predefined exclusions delivered by definition updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt-out of the automatic exclusions delivered in definition updates. +In Windows Server 2016, the predefined exclusions delivered by definition updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt out of the automatic exclusions delivered in definition updates. > [!WARNING] > Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 roles. @@ -58,17 +46,17 @@ In Windows Server 2016 the predefined exclusions delivered by definition updates > [!NOTE] > This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect on exclusions. -You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI. +You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI. **Use Group Policy to disable the auto-exclusions list on Windows Server 2016:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. -6. Double-click the **Turn off Auto Exclusions** setting and set the option to **Enabled**. Click **OK**. +4. Double-click **Turn off Auto Exclusions** and set the option to **Enabled**. Click **OK**. **Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:** @@ -91,311 +79,305 @@ DisableAutoExclusions See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) - ## List of automatic exclusions The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types. ### Default exclusions for all roles This section lists the default exclusions for all Windows Server 2016 roles. -- Windows "temp.edb" files: +- Windows "temp.edb" files: - - *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb + - *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb - - *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log + - *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log -- Windows Update files or Automatic Update files: +- Windows Update files or Automatic Update files: - - *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb + - *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb - - *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk + - *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk - - *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log + - *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log - - *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs + - *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs - - *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log + - *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log -- Windows Security files: +- Windows Security files: - - *%windir%*\Security\database\\*.chk + - *%windir%*\Security\database\\*.chk - - *%windir%*\Security\database\\*.edb + - *%windir%*\Security\database\\*.edb - - *%windir%*\Security\database\\*.jrs + - *%windir%*\Security\database\\*.jrs - - *%windir%*\Security\database\\*.log + - *%windir%*\Security\database\\*.log - - *%windir%*\Security\database\\*.sdb + - *%windir%*\Security\database\\*.sdb -- Group Policy files: +- Group Policy files: - - *%allusersprofile%*\NTUser.pol + - *%allusersprofile%*\NTUser.pol - - *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol + - *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol - - *%SystemRoot%*\System32\GroupPolicy\User\registry.pol + - *%SystemRoot%*\System32\GroupPolicy\User\registry.pol -- WINS files: +- WINS files: - - *%systemroot%*\System32\Wins\\*\\\*.chk + - *%systemroot%*\System32\Wins\\*\\\*.chk - - *%systemroot%*\System32\Wins\\*\\\*.log + - *%systemroot%*\System32\Wins\\*\\\*.log - - *%systemroot%*\System32\Wins\\*\\\*.mdb + - *%systemroot%*\System32\Wins\\*\\\*.mdb - - *%systemroot%*\System32\LogFiles\ + - *%systemroot%*\System32\LogFiles\ - - *%systemroot%*\SysWow64\LogFiles\ + - *%systemroot%*\SysWow64\LogFiles\ -- File Replication Service (FRS) exclusions: +- File Replication Service (FRS) exclusions: - - Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory` + - Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory` - - *%windir%*\Ntfrs\jet\sys\\*\edb.chk + - *%windir%*\Ntfrs\jet\sys\\*\edb.chk - - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb + - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb - - *%windir%*\Ntfrs\jet\log\\*\\\*.log + - *%windir%*\Ntfrs\jet\log\\*\\\*.log - - FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory` + - FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory` - - *%windir%*\Ntfrs\\*\Edb\*.log + -*%windir%*\Ntfrs\\*\Edb\*.log - - The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage` + - The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage` - - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\ + - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\ - - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory` + - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory` - - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\ + - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\ - - The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File` + - The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File` - - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$ + - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$ - - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_* + - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_* - - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_* + - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_* - - *%systemdrive%*\System Volume Information\DFSR\\*.XML + - *%systemdrive%*\System Volume Information\DFSR\\*.XML - - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$ + - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$ - - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$ + - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$ - - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$ + - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$ - - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db + - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db - - *%systemdrive%*\System Volume Information\DFSR\\*.frx + - *%systemdrive%*\System Volume Information\DFSR\\*.frx - - *%systemdrive%*\System Volume Information\DFSR\\*.log + - *%systemdrive%*\System Volume Information\DFSR\\*.log - - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs + - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs - - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb + - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb -- Process exclusions +- Process exclusions - - *%systemroot%*\System32\dfsr.exe + - *%systemroot%*\System32\dfsr.exe - - *%systemroot%*\System32\dfsrs.exe + - *%systemroot%*\System32\dfsrs.exe -- Hyper-V exclusions: +- Hyper-V exclusions: - - This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role + - This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role - - File type exclusions: + - File type exclusions: - - *.vhd + - *.vhd - - *.vhdx + - *.vhdx - - *.avhd + - *.avhd - - *.avhdx + - *.avhdx - - *.vsv + - *.vsv - - *.iso + - *.iso - - *.rct + - *.rct - - *.vmcx + - *.vmcx - - *.vmrs + - *.vmrs - - Folder exclusions: + - Folder exclusions: - - *%ProgramData%*\Microsoft\Windows\Hyper-V + - *%ProgramData%*\Microsoft\Windows\Hyper-V - - *%ProgramFiles%*\Hyper-V + - *%ProgramFiles%*\Hyper-V - - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots + - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots - - *%Public%*\Documents\Hyper-V\Virtual Hard Disks + - *%Public%*\Documents\Hyper-V\Virtual Hard Disks - - Process exclusions: + - Process exclusions: - - *%systemroot%*\System32\Vmms.exe + - *%systemroot%*\System32\Vmms.exe - - *%systemroot%*\System32\Vmwp.exe + - *%systemroot%*\System32\Vmwp.exe -- SYSVOL files: +- SYSVOL files: - - *%systemroot%*\Sysvol\Domain\\*.adm + - *%systemroot%*\Sysvol\Domain\\*.adm - - *%systemroot%*\Sysvol\Domain\\*.admx + - *%systemroot%*\Sysvol\Domain\\*.admx - - *%systemroot%*\Sysvol\Domain\\*.adml + - *%systemroot%*\Sysvol\Domain\\*.adml - - *%systemroot%*\Sysvol\Domain\Registry.pol + - *%systemroot%*\Sysvol\Domain\Registry.pol - - *%systemroot%*\Sysvol\Domain\\*.aas + - *%systemroot%*\Sysvol\Domain\\*.aas - - *%systemroot%*\Sysvol\Domain\\*.inf + - *%systemroot%*\Sysvol\Domain\\*.inf - - *%systemroot%*\Sysvol\Domain\\*.Scripts.ini + - *%systemroot%*\Sysvol\Domain\\*.Scripts.ini - - *%systemroot%*\Sysvol\Domain\\*.ins + - *%systemroot%*\Sysvol\Domain\\*.ins - - *%systemroot%*\Sysvol\Domain\Oscfilter.ini + - *%systemroot%*\Sysvol\Domain\Oscfilter.ini ### Active Directory exclusions This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services. -- NTDS database files. The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File` +- NTDS database files. The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File` - - %windir%\Ntds\ntds.dit + - %windir%\Ntds\ntds.dit - - %windir%\Ntds\ntds.pat + - %windir%\Ntds\ntds.pat -- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files` +- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files` - - %windir%\Ntds\EDB*.log + - %windir%\Ntds\EDB*.log - - %windir%\Ntds\Res*.log + - %windir%\Ntds\Res*.log - - %windir%\Ntds\Edb*.jrs + - %windir%\Ntds\Edb*.jrs - - %windir%\Ntds\Ntds*.pat + - %windir%\Ntds\Ntds*.pat - - %windir%\Ntds\EDB*.log + - %windir%\Ntds\EDB*.log - - %windir%\Ntds\TEMP.edb + - %windir%\Ntds\TEMP.edb -- The NTDS working folder. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory` +- The NTDS working folder. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory` - - %windir%\Ntds\Temp.edb + - %windir%\Ntds\Temp.edb - - %windir%\Ntds\Edb.chk + - %windir%\Ntds\Edb.chk -- Process exclusions for AD DS and AD DS-related support files: +- Process exclusions for AD DS and AD DS-related support files: - - %systemroot%\System32\ntfrs.exe + - %systemroot%\System32\ntfrs.exe - - %systemroot%\System32\lsass.exe + - %systemroot%\System32\lsass.exe ### DHCP Server exclusions This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters` -- *%systemroot%*\System32\DHCP\\*\\\*.mdb +- *%systemroot%*\System32\DHCP\\*\\\*.mdb -- *%systemroot%*\System32\DHCP\\*\\\*.pat +- *%systemroot%*\System32\DHCP\\*\\\*.pat -- *%systemroot%*\System32\DHCP\\*\\\*.log +- *%systemroot%*\System32\DHCP\\*\\\*.log -- *%systemroot%*\System32\DHCP\\*\\\*.chk +- *%systemroot%*\System32\DHCP\\*\\\*.chk -- *%systemroot%*\System32\DHCP\\*\\\*.edb +- *%systemroot%*\System32\DHCP\\*\\\*.edb ### DNS Server exclusions This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role. -- File and folder exclusions for the DNS Server role: +- File and folder exclusions for the DNS Server role: - - *%systemroot%*\System32\Dns\\*\\\*.log + - *%systemroot%*\System32\Dns\\*\\\*.log - - *%systemroot%*\System32\Dns\\*\\\*.dns + - *%systemroot%*\System32\Dns\\*\\\*.dns - - *%systemroot%*\System32\Dns\\*\\\*.scc + - *%systemroot%*\System32\Dns\\*\\\*.scc - - *%systemroot%*\System32\Dns\\*\BOOT + - *%systemroot%*\System32\Dns\\*\BOOT -- Process exclusions for the DNS Server role: +- Process exclusions for the DNS Server role: - - *%systemroot%*\System32\dns.exe - - + - *%systemroot%*\System32\dns.exe ### File and Storage Services exclusions This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role. -- *%SystemDrive%*\ClusterStorage +- *%SystemDrive%*\ClusterStorage -- *%clusterserviceaccount%*\Local Settings\Temp +- *%clusterserviceaccount%*\Local Settings\Temp -- *%SystemDrive%*\mscs +- *%SystemDrive%*\mscs ### Print Server exclusions This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role. -- File type exclusions: +- File type exclusions: - - *.shd + - *.shd - - *.spl + - *.spl -- Folder exclusions. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory` +- Folder exclusions. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory` - - *%system32%*\spool\printers\\* + - *%system32%*\spool\printers\\* -- Process exclusions: +- Process exclusions: - - spoolsv.exe + - spoolsv.exe ### Web Server exclusions This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role. -- Folder exclusions: +- Folder exclusions: - - *%SystemRoot%*\IIS Temporary Compressed Files + - *%SystemRoot%*\IIS Temporary Compressed Files - - *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files + - *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files - - *%SystemDrive%*\inetpub\temp\ASP Compiled Templates + - *%SystemDrive%*\inetpub\temp\ASP Compiled Templates - - *%systemDrive%*\inetpub\logs + - *%systemDrive%*\inetpub\logs - - *%systemDrive%*\inetpub\wwwroot + - *%systemDrive%*\inetpub\wwwroot -- Process exclusions: +- Process exclusions: - - *%SystemRoot%*\system32\inetsrv\w3wp.exe + - *%SystemRoot%*\system32\inetsrv\w3wp.exe - - *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe + - *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe - - *%SystemDrive%*\PHP5433\php-cgi.exe + - *%SystemDrive%*\PHP5433\php-cgi.exe ### Windows Server Update Services exclusions This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup` -- *%systemroot%*\WSUS\WSUSContent - -- *%systemroot%*\WSUS\UpdateServicesDBFiles - -- *%systemroot%*\SoftwareDistribution\Datastore - -- *%systemroot%*\SoftwareDistribution\Download +- *%systemroot%*\WSUS\WSUSContent +- *%systemroot%*\WSUS\UpdateServicesDBFiles +- *%systemroot%*\SoftwareDistribution\Datastore +- *%systemroot%*\SoftwareDistribution\Download ## Related topics -- [Configure and validate exclusions for Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) -- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md index ecc4190de1..03b6bf2fc1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md @@ -1,7 +1,7 @@ --- -title: Configure Windows Defender Antivirus features (Windows 10) -description: You can configure features for Windows Defender Antivirus using Configuration Manager, MDM software (such as Intune), PowerShell, and with Group Policy settings. -keywords: windows defender antivirus, antimalware, security, defender, configure, configuration, Config Manager, System Center Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell +title: Configure Windows Defender Antivirus features +description: You can configure Windows Defender Antivirus features with Intune, System Center Configuration Manager, Group Policy, and PowerShell. +keywords: Windows Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, System Center Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -11,28 +11,22 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/26/2017 +ms.date: 09/03/2018 --- # Configure Windows Defender Antivirus features - **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +You can configure Windows Defender Antivirus with a number of tools, including: -- Enterprise security administrators - -Windows Defender Antivirus can be configured with a number of tools, including: - -- Group Policy settings +- Microsoft Intune - System Center Configuration Manager +- Group Policy - PowerShell cmdlets - Windows Management Instrumentation (WMI) -- Microsoft Intune - The following broad categories of features can be configured: @@ -40,17 +34,13 @@ The following broad categories of features can be configured: - Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection - How end-users interact with the client on individual endpoints -The topics in this section describe how to perform key tasks when configuring Windows Defender AV. Each topic includes instructions for the applicable configuration tool (or tools). +The topics in this section describe how to perform key tasks when configuring Windows Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools). You can also review the [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) topic for an overview of each tool and links to further help. - ## In this section Topic | Description :---|:--- -[Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection -[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time protection in Windows Defender AV -[Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings - - - +[Utilize Microsoft cloud-provided Windows Defender Antivirus protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection +[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection +[Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender Antivirus, what notifications they see, and whether they can override settings diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md index 5c57af4d4c..4487dc5453 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md @@ -1,7 +1,7 @@ --- title: Run and customize scheduled and on-demand scans -description: Customize and initiate scans using Windows Defender AV on endpoints across your network. -keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan +description: Customize and initiate Windows Defender Antivirus scans on endpoints across your network. +keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Windows Defender Antivirus search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -11,32 +11,24 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/26/2017 +ms.date: 09/03/2018 --- -# Customize, initiate, and review the results of Windows Defender AV scans and remediation +# Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation **Applies to:** -- Windows 10 - -**Audience** - -- Enterprise security administrators - - -You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure scans run by Windows Defender Antivirus. - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows Defender Antivirus scans. ## In this section -Topic | Description +Topic | Description ---|--- -[Configure and validate file, folder, and process-opened file exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning -[Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender AV to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning -[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder +[Configure and validate file, folder, and process-opened file exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning +[Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning +[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans -[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app +[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app [Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app - diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md index 12275ec64d..4c1673e6f4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Deploy, manage, and report on Windows Defender Antivirus -description: You can deploy and manage Windows Defender Antivirus with Group Policy, Configuration Manager, WMI, PowerShell, or Intune +description: You can deploy and manage Windows Defender Antivirus with Intune, System Center Configuration Manager, Group Policy, PowerShell, or WMI keywords: deploy, manage, update, protection, windows defender antivirus search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -11,40 +11,36 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/19/2018 +ms.date: 09/03/2018 --- # Deploy, manage, and report on Windows Defender Antivirus **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +You can deploy, manage, and report on Windows Defender Antivirus in a number of ways. -- IT administrators +Because the Windows Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply. -You can deploy, manage, and report on Windows Defender Antivirus in a number of ways. - -As the Windows Defender AV client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply. - -However, in most cases you will still need to enable the protection service on your endpoints with System Center Configuration Manager, Microsoft Intune, Azure Security Center, or Group Policy Objects, which is described in the following table. +However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, System Center Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table. You'll also see additional links for: + - Managing Windows Defender Antivirus protection, including managing product and protection updates - Reporting on Windows Defender Antivirus protection > [!IMPORTANT] -> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-party antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus. - +> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Windows Defender Antivirus. Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options ---|---|---|--- -System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/en-us/intune/device-management) -Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] -PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][] +System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][] +PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][] +Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD. 1. The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) @@ -53,8 +49,6 @@ Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by 3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2) - - [Endpoint Protection point site system role]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection-site-role [default and customized antimalware policies]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies [client management]: https://docs.microsoft.com/en-us/sccm/core/clients/manage/manage-clients @@ -79,13 +73,10 @@ Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by [Possibly infected devices]: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices [Windows Defender Antivirus events]: troubleshoot-windows-defender-antivirus.md - ## In this section -Topic | Description +Topic | Description ---|--- [Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects. [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI. -[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection - - +[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use Microsoft Intune, System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection. diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md index dbd8572db4..6efcc0eeef 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md @@ -1,7 +1,7 @@ --- title: Deploy and enable Windows Defender Antivirus -description: Deploy Windows Defender AV for protection of your endpoints with Configuration Manager, Microsoft Intune, Group Policy, PowerShell cmdlets, or WMI. -keywords: deploy, enable, windows defender av +description: Deploy Windows Defender Antivirus for protection of your endpoints with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or WMI. +keywords: deploy, enable, Windows Defender Antivirus search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -11,29 +11,22 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Deploy and enable Windows Defender Antivirus - **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender Antivirus protection. -- Network administrators -- IT administrators +See the table in [Deploy, manage, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI). +Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. -Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender AV protection. - -See the table in the [Deploy, manage, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md#ref2) topic for instructions on how to enable protection with System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, Microsoft Intune, PowerShell cmdlets, and Windows Management Instruction (WMI). - -Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender AV protection, such as Virtual Desktop Infrastructure (VDI) environments. - -The remaining topic in this section provides end-to-end advice and best practices for [setting up Windows Defender AV on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md). +The remaining topic in this section provides end-to-end advice and best practices for [setting up Windows Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md). ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md index 41343abb5c..b0a425bb2b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md @@ -11,31 +11,20 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. -- Enterprise security administrators +Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware. -**Manageability available with** - -- System Center Configuration Manager (current branch) -- Group Policy - - - -In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus (Windows Defender AV) in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. - -Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware. - -We recommend setting the following when deploying Windows Defender AV in a VDI environment: +We recommend setting the following when deploying Windows Defender Antivirus in a VDI environment: Location | Setting | Suggested configuration ---|---|--- @@ -46,17 +35,20 @@ Root | Randomize scheduled task times | Enabled Signature updates | Turn on scan after signature update | Enabled Scan | Turn on catch up quick scan | Enabled -For more details on the best configuration options to ensure a good balance between performance and protection, including detailed instructions for Group Policy and System Center Configuration Manager, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section. +For more details on the best configuration options to ensure a good balance between performance and protection, including detailed instructions for System Center Configuration Manager and Group Policy, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section. See the [Microsoft Desktop virtualization site](https://www.microsoft.com/en-us/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support. For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection) topic. -There are three main steps in this guide to help roll out Windows Defender AV protection across your VDI: +There are three main steps in this guide to help roll out Windows Defender Antivirus protection across your VDI: + +1. [Create and deploy the base image (for example, as a virtual hard disk (VHD)) that your virtual machines (VMs) will use](#create-and-deploy-the-base-image) + +2. [Manage the base image and updates for your VMs](#manage-your-vms-and-base-image) + +3. [Configure the VMs for optimal protection and performance](#configure-endpoints-for-optimal-performance), including: -1. [Create and deploy the base image (for example, as a virtual hard disk (VHD)) that your virtual machines (VMs) will use](#create-and-deploy-the-base-image) -2. [Manage the base image and updates for your VMs](#manage-your-vms-and-base-image) -3. [Configure the VMs for optimal protection and performance](#configure-endpoints-for-optimal-performance), including: - [Randomize scheduled scans](#randomize-scheduled-scans) - [Use quick scans](#use-quick-scans) - [Prevent notifications](#prevent-notifications) @@ -66,27 +58,29 @@ There are three main steps in this guide to help roll out Windows Defender AV pr >[!IMPORTANT] > While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows. ->[!NOTE] ->When you manage Windows with System Center Configuration Manager, Windows Defender AV protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) for more information. +>[!NOTE] +>When you manage Windows with System Center Configuration Manager, Windows Defender Antivirus protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) for more information. - - -## Create and deploy the base image +## Create and deploy the base image The main steps in this section include: -1. Create your standard base image according to your requirements -2. Apply Windows Defender AV protection updates to your base image -3. Seal or “lock” the image to create a “known-good” image -4. Deploy your image to your VMs + +1. Create your standard base image according to your requirements +2. Apply Windows Defender AV protection updates to your base image +3. Seal or “lock” the image to create a “known-good” image +4. Deploy your image to your VMs ### Create the base image + First, you should create your base image according to your business needs, applying or installing the relevant line of business (LOB) apps and settings as you normally would. Typically, this would involve creating a VHD or customized .iso, depending on how you will deploy the image to your VMs. ### Apply protection updates to the base image -After creating the image, you should ensure it is fully updated. See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update Windows Defender AV protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches. + +After creating the image, you should ensure it is fully updated. See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update Windows Defender Antivirus protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches. ### Seal the base image -When the base image is fully updated, you should run a quick scan on the image. + +When the base image is fully updated, you should run a quick scan on the image. After running a scan and buliding the cache, remove the machine GUID that uniquely identifies the device in telemetry for both Windows Defender Antivirus and the Microsoft Security Removal Tool. This key is located here: @@ -94,19 +88,19 @@ After running a scan and buliding the cache, remove the machine GUID that unique Remove the string found in the 'GUID' value -This “sealing” or “locking” of the image helps Windows Defender AV build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted. +This “sealing” or “locking” of the image helps Windows Defender Antivirus build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted. You can run a quick scan [from the command line](command-line-arguments-windows-defender-antivirus.md) or via [System Center Configuration Manager](run-scan-windows-defender-antivirus.md). ->[!NOTE] +>[!NOTE] >Quick scan versus full scan >Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. Combined with our always on real-time protection capability - which reviews files when they are opened and closed, and whenever a user navigates to a folder – quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. ->Therefore, when considering performance – especially for creating a new or updated image in preparation for deployment – it makes sense to use a quick scan only. +>Therefore, when considering performance – especially for creating a new or updated image in preparation for deployment – it makes sense to use a quick scan only. >A full scan, however, can be useful on a VM that has encountered a malware threat to identify if there are any inactive components lying around and help perform a thorough clean-up. +### Deploy the base image -### Deploy the base image -You'll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs. +You'll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs. The following references provide ways you can create and deploy the base image across your VDI: @@ -116,58 +110,57 @@ The following references provide ways you can create and deploy the base image a - [Create a virtual machine in Hyper-V (with a VHD)](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/get-started/create-a-virtual-machine-in-hyper-v) - [Build Virtual Desktop templates]( https://technet.microsoft.com/en-us/library/dn645526(v=ws.11).aspx) - - - - ## Manage your VMs and base image + How you manage your VDI will affect the performance impact of Windows Defender AV on your VMs and infrastructure. -Because Windows Defender AV downloads protection updates every day, or [based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time. +Because Windows Defender Antivirus downloads protection updates every day, or [based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time. Following the guidelines in this means the VMs will only need to download “delta” updates, which are the differences between an existing definition set and the next one. Delta updates are typically much smaller (a few kilobytes) than a full definition download (which can average around 150 mb). - ### Manage updates for persistent VDIs If you are using a persistent VDI, you should update the base image monthly, and set up protection updates to be delivered daily via a file share, as follows: + 1. Create a dedicated file share location on your network that can be accessed by your VMs and your VM host (or other, persistent machine, such as a dedicated admin console that you use to manage your VMs). + 2. Set up a scheduled task on your VM host to automatically download updates from the MMPC website or Microsoft Update and save them to the file share (the [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) can help with this). + 3. [Configure the VMs to pull protection updates from the file share](manage-protection-updates-windows-defender-antivirus.md). + 4. Disable or delay automatic Microsoft updates on your VMs. See [Update Windows 10 in the enterprise](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10) for information on managing operating system updates with WSUS, SCCM, and others. + 5. On or just after each Patch Tuesday (the second Tuesday of each month), [update your base image with the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md) Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/). -5. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs. -A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them. +6. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs. +A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them. ### Manage updates for non-persistent VDIs If you are using a non-persistent VDI, you can update the base image daily (or nightly) and directly apply the latest updates to the image. An example: + 1. Every night or other time when you can safely take your VMs offline, update your base image with the latest [protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md). + 2. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs. - - - ## Configure endpoints for optimal performance + There are a number of settings that can help ensure optimal performance on your VMs and VDI without affecting the level of protection, including: - - [Randomize scheduled scans](#randomize-scheduled-scans) - - [Use quick scans](#use-quick-scans) - - [Prevent notifications](#prevent-notifications) - - [Disable scans from occurring after every update](#disable-scans-after-an-update) - - [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline) + +- [Randomize scheduled scans](#randomize-scheduled-scans) +- [Use quick scans](#use-quick-scans) +- [Prevent notifications](#prevent-notifications) +- [Disable scans from occurring after every update](#disable-scans-after-an-update) +- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline) These settings can be configured as part of creating your base image, or as a day-to-day management function of your VDI infrastructure or network. - - - ### Randomize scheduled scans -Windows Defender AV supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjunction with [Disable scans from occurring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline). +Windows Defender Antivirus supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjunction with [Disable scans from occurring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline). Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md). @@ -177,17 +170,17 @@ The start time of the scan itself is still based on the scheduled scan policy **Use Group Policy to randomize scheduled scan start times:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +3. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender** and configure the following setting: - - 1. Double-click the **Randomize scheduled task times** setting and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the signature update. For example, if the schedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm. +4. Expand the tree to **Windows components > Windows Defender** and configure the following setting: -**Use Configuration Manager to randomize schedule scans:** + - Double-click **Randomize scheduled task times** and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the signature update. For example, if the schedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm. + +**Use Configuration Manager to randomize scheduled scans:** See [How to create and deploy antimalware policies: Advanced settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings) for details on configuring System Center Configuration Manager (current branch). @@ -196,18 +189,19 @@ See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for ### Use quick scans You can specify the type of scan that should be performed during a scheduled scan. -Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. +Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. **Use Group Policy to specify the type of scheduled scan:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -3. Click **Policies** then **Administrative templates**. +3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting: - 1. Double-click the **Specify the scan type to use for a scheduled scan** setting and set the option to **Enabled** and **Quick scan**. Click **OK**. +4. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting: + + - Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**. Click **OK**. **Use Configuration Manager to specify the type of scheduled scan:** @@ -217,34 +211,34 @@ See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for ### Prevent notifications -Sometimes, Windows Defender AV notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the user interface for Windows Defender AV. +Sometimes, Windows Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Windows Defender Antivirus user interface. **Use Group Policy to hide notifications:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +3. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings: - -1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed. -2. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users. +4. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings: + - Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed. + - Double-click **Enable headless UI mode** and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users. **Use Configuration Manager to hide notifications:** -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) -2. Go to the **Advanced** section and configure the following settings: +2. Go to the **Advanced** section and configure the following settings: -1. Set **Disable the client user interface** to **Yes**. This hides the entire Windows Defender AV user interface. -2. Set **Show notifications messages on the client computer...** to **Yes**. This hides notifications from appearing. + 1. Set **Disable the client user interface** to **Yes**. This hides the entire Windows Defender AV user interface. -3. Click **OK**. + 2. Set **Show notifications messages on the client computer...** to **Yes**. This hides notifications from appearing. -3. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). + 3. Click **OK**. + +3. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). ### Disable scans after an update @@ -255,73 +249,63 @@ This setting will prevent a scan from occurring after receiving an update. You c **Use Group Policy to disable scans after an update:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +3. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender > Signature Updates** and configure the following setting: - -1. Double-click the **Turn on scan after signature update** setting and set the option to **Disabled**. Click **OK**. This prevents a scan from running immediately after an update. +4. Expand the tree to **Windows components > Windows Defender > Signature Updates** and configure the following setting: + - Double-click **Turn on scan after signature update** and set the option to **Disabled**. Click **OK**. This prevents a scan from running immediately after an update. **Use Configuration Manager to disable scans after an update:** -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) - -2. Go to the **Scheduled scans** section and configure the following setting: - -1. Set **Check for the latest definition updates before running a scan** to **No**. This prevents a scan after an update. - -3. Click **OK**. - -2. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). +1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +2. Go to the **Scheduled scans** section and configure the following setting: +3. Set **Check for the latest definition updates before running a scan** to **No**. This prevents a scan after an update. +4. Click **OK**. +5. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). ### Scan VMs that have been offline -This setting will help ensure protection for a VM that has been offline for some time or has otherwise missed a scheduled scan. +This setting will help ensure protection for a VM that has been offline for some time or has otherwise missed a scheduled scan. **Use Group Policy to enable a catch-up scan:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting: - -1. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans. +2. In the **Group Policy Management Editor** go to **Computer configuration**. +3. Click **Policies** then **Administrative templates**. +4. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting: +5. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans. **Use Configuration Manager to disable scans after an update:** -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) -2. Go to the **Scheduled scans** section and configure the following setting: +2. Go to the **Scheduled scans** section and configure the following setting: -1. Set **Force a scan of the selected scan type if client computer is offline during...** to **Yes**. This forces a scan if the VM has missed two or more consecutive scheduled scans. - -3. Click **OK**. - -2. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). +3. Set **Force a scan of the selected scan type if client computer is offline during...** to **Yes**. This forces a scan if the VM has missed two or more consecutive scheduled scans. +4. Click **OK**. +5. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). ### Exclusions -Windows Server 2016 contains Windows Defender Antivirus and will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page: +On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page: - [Automatic exclusions for Windows Server Antimalware](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender) ## Additional resources - [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s) -- [Project VRC: Antivirus impact and best practices on VDI](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/) +- [Project VRC: Windows Defender Antivirus impact and best practices on VDI](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/) - [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS) -- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) +- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index fa6dae36c3..692b68e71c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Block Potentially Unwanted Applications with Windows Defender AV -description: Enable the Potentially Unwanted Application (PUA) feature in Windows Defender Antivirus to block unwanted software such as adware. -keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, windows defender +title: Block potentially unwanted applications with Windows Defender Antivirus +description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware. +keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Windows Defender Antivirus search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -11,76 +11,69 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 09/03/2018 --- -# Detect and block Potentially Unwanted Applications +# Detect and block potentially unwanted applications **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- System Center Configuration Manager -- PowerShell cmdlets -- Microsoft Intune - -The Potentially Unwanted Application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network. +The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have a poor reputation. Typical PUA behavior includes: + - Various types of software bundling -- Ad-injection into web browsers +- Ad injection into web browsers - Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint and make no changes or optimizations (also known as "rogue antivirus" programs) These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## How it works PUAs are blocked when a user attempts to download or install the detected file, and if the file meets one of the following conditions: + - The file is being scanned from the browser - The file is in a folder with "**downloads**" in the path - The file is in a folder with "**temp**" in the path -- The file is on the user's Desktop +- The file is on the user's desktop - The file does not meet one of these conditions and is not under *%programfiles%*, *%appdata%*, or *%windows%* -The file is placed in the quarantine section so it won't run. +The file is placed in the quarantine section so it won't run. When a PUA is detected on an endpoint, the endpoint will present a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:"). They will also appear in the usual [quarantine list in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#detection-history). - ## View PUA events -PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. +PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. Hoever, PUA detections will be reported if you have set up email notifications for detections. See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160. +## Configure PUA protection -## Configure the PUA protection feature +You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, or PowerShell cmdlets. -You can enable the PUA protection feature with System Center Configuration Manager, PowerShell cmdlets, or Microsoft Intune. - -You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log. +You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log. This feature is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. +**Use Intune to configure the PUA protection feature** + +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. **Use Configuration Manager to configure the PUA protection feature:** -PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later. +PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later. See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (current branch). @@ -103,16 +96,7 @@ Setting `AuditMode` will detect PUAs but will not block them. See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. - - -**Use Intune to configure the PUA protection feature** - -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. - - ## Related topics -- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md) +- [Next gen protection](windows-defender-antivirus-in-windows-10.md) - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) - - diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index da5b515967..67c5b7bdfa 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -11,74 +11,72 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 09/03/2018 --- -# Enable cloud-delivered protection in Windows Defender AV - - +# Enable cloud-delivered protection **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +>[!NOTE] +>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates. -- Enterprise security administrators +You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Defender Security Center app. -**Manageability available with** +See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection. -- Group Policy -- System Center Configuration Manager -- PowerShell cmdlets -- Windows Management Instruction (WMI) -- Microsoft Intune -- Windows Defender Security Center app - - ->[!NOTE] ->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates. - - - -You can enable or disable Windows Defender Antivirus cloud-delivered protection with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app. - -See [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection. - -There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections for Windows Defender AV](configure-network-connections-windows-defender-antivirus.md) for more details. +There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) for more details. >[!NOTE] >In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. +**Use Intune to enable cloud-delivered protection** -**Use Group Policy to enable cloud-delivered protection:** +1. Sign in to the [Azure portal](https://portal.azure.com). +2. Select **All services > Intune**. +3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). +4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**. +5. On the **Cloud-delivered protection** switch, select **Enable**. +6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. +7. In the **Submit samples consent** dropdown, select one of the following: -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** - -1. Double-click the **Join Microsoft MAPS** setting and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**. - -1. Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following: - - 1. **Send safe samples** (1) - 1. **Send all samples** (3) + - **Send safe samples automatically** + - **Send all samples automatically** > [!WARNING] - > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. - -1. Click **OK**. + > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. +8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. +For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles) **Use Configuration Manager to enable cloud-delivered protection:** See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). +**Use Group Policy to enable cloud-delivered protection:** + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration**. + +3. Click **Administrative templates**. + +4. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** + +5. Double-click **Join Microsoft MAPS** and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**. + +6. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following: + + 1. **Send safe samples** (1) + 2. **Send all samples** (3) + + > [!WARNING] + > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. + +7. Click **OK**. **Use PowerShell cmdlets to enable cloud-delivered protection:** @@ -88,10 +86,10 @@ Use the following cmdlets to enable cloud-delivered protection: Set-MpPreference -MAPSReporting Advanced Set-MpPreference -SubmitSamplesConsent Always ``` + >[!NOTE] >You can also set -SubmitSamplesConsent to `None`. Setting it to `Never` will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. - See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. **Use Windows Management Instruction (WMI) to enable cloud-delivered protection:** @@ -106,36 +104,18 @@ SubmitSamplesConsent See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) -**Use Intune to enable cloud-delivered protection** - -1. Sign in to the [Azure portal](https://portal.azure.com). -2. Select **All services > Intune**. -3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). -4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**. -5. On the **Cloud-delivered protection** switch, select **Enable**. -6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. -7. In the **Submit samples consent** dropdown, select one of the following: - 1. **Send safe samples automatically** - 2. **Send all samples automatically** - - > [!WARNING] - > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. -8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. - -For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles) - **Enable cloud-delivered protection on individual clients with the Windows Defender Security Center app** + > [!NOTE] > If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. - 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: -![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png) - -3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. + ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png) + +3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. >[!NOTE] >If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable. @@ -143,8 +123,8 @@ For more information about Intune device profiles, including how to create and c ## Related topics - [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) -- [Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) -- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) +- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) +- [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] - [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) - [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md index 225ea553da..72996630cf 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md @@ -11,50 +11,41 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- -# Evaluate Windows Defender Antivirus protection - +# Evaluate Windows Defender Antivirus **Applies to:** -- Windows 10, version 1703 and later +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - - -If you're an enterprise security administrator, and you want to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications, then you can use this guide to help you evaluate Microsoft protection. +Use this guide to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications. >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: +>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: >- Cloud-delivered protection >- Fast learning (including Block at first sight) >- Potentially unwanted application blocking - -It explains the important features available for both small and large enterprises in Windows Defender, and how they will increase malware detection and protection across your network. +It explains the important next generation protection features of Windows Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network. You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings. The guide is available in PDF format for offline viewing: + - [Download the guide in PDF format](https://www.microsoft.com/download/details.aspx?id=54795) You can also download a PowerShell that will enable all the settings described in the guide automatically. You can obtain the script alongside the PDF download above, or individually from PowerShell Gallery: + - [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/1.2/DisplayScript) > [!IMPORTANT] -> The guide is currently intended for single-machine evaluation of Windows Defender Antivirus protection. Enabling all of the settings in this guide may not be suitable for real-world deployment. +> The guide is currently intended for single-machine evaluation of Windows Defender Antivirus. Enabling all of the settings in this guide may not be suitable for real-world deployment. > -> For the latest recommendations for real-world deployment and monitoring of Windows Defender Antivirus across a network, see the [Deploy, manage, and report](deploy-manage-report-windows-defender-antivirus.md) topic in this library. - +> For the latest recommendations for real-world deployment and monitoring of Windows Defender Antivirus across a network, see [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md). ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Deploy, manage, and report](deploy-manage-report-windows-defender-antivirus.md) - - - +- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md index d0d4cfd9db..d35db44c87 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Enable the limited periodic scanning feature in Windows Defender AV -description: Limited periodic scanning lets you use Windows Defender AV in addition to your other installed AV providers +title: Enable the limited periodic Windows Defender Antivirus scanning feature +description: Limited periodic scanning lets you use Windows Defender Antivirus in addition to your other installed AV providers keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -11,61 +11,42 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- -# Use limited periodic scanning in Windows Defender AV - - +# Use limited periodic scanning in Windows Defender Antivirus **Applies to:** -- Windows 10, version 1703 and later - - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device. -It can only be enabled in certain situations. See the [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) topic for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products. +It can only be enabled in certain situations. See [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products. -**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a very limited subset of the capabilities of Windows Defender Antivirus to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively. +**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a very limited subset of the Windows Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively. ## How to enable limited periodic scanning -By default, Windows Defender AV will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other AV product is out-of-date, expired, or not working correctly. +By default, Windows Defender Antivirus will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other product is out-of-date, expired, or not working correctly. -If Windows Defender AV is enabled, the usual options will appear to configure Windows Defender AV on that device: +If Windows Defender Antivirus is enabled, the usual options will appear to configure it on that device: ![Windows Defender Security Center app showing Windows Defender AV options, including scan options, settings, and update options](images/vtp-wdav.png) - -If another AV product is installed and working correctly, Windows Defender AV will disable itself. The Windows Defender Security Center app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options: +If another antivirus product is installed and working correctly, Windows Defender Antivirus will disable itself. The Windows Defender Security Center app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options: ![Windows Defender Security Center app showing ContosoAV as the installed and running antivirus provider. There is a single link to open ContosoAV settings.](images/vtp-3ps.png) Underneath any 3rd party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning. - ![The limited periodic option is a toggle to enable or disable **periodic scanning**](images/vtp-3ps-lps.png) Sliding the swtich to **On** will show the standard Windows Defender AV options underneath the 3rd party AV product. The limited periodic scanning option will appear at the bottom of the page. - -![When enabled, periodic scanning shows the normal Windows Defender AV options](images/vtp-3ps-lps-on.png) - - - +![When enabled, periodic scanning shows the normal Windows Defender Antivirus options](images/vtp-3ps-lps-on.png) ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index a15ae25596..2209e57918 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Apply Windows Defender AV updates after certain events -description: Manage how Windows Defender Antivirus applies proteciton updates after startup or receiving cloud-delivered detection reports. +title: Apply Windows Defender Antivirus updates after certain events +description: Manage how Windows Defender Antivirus applies protection updates after startup or receiving cloud-delivered detection reports. keywords: updates, protection, force updates, events, startup, check for latest, notifications search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -11,57 +11,44 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Manage event-based forced updates -**Applies to** -- Windows 10 +**Applies to:** -**Audience** - -- Network administrators - -**Manageability available with** - -- Group Policy -- System Center Configuration Manager -- PowerShell cmdlets -- Windows Management Instruction (WMI) - - -Windows Defender AV allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service. +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Windows Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service. ## Check for protection updates before running a scan -You can use Group Policy, Configuration Manager, PowerShell cmdlets, and WMI to force Windows Defender AV to check and download protection updates before running a scheduled scan. - - -**Use Group Policy to check for protection updates before running a scan:** - -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**. - -6. Double-click the **Check for the latest virus and spyware definitions before running a scheduled scan** setting and set the option to **Enabled**. - -7. Click **OK**. +You can use System Center Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan. **Use Configuration Manager to check for protection updates before running a scan:** -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) -2. Go to the **Scheduled scans** section and set **Check for the latest definition updates before running a scan** to **Yes**. +2. Go to the **Scheduled scans** section and set **Check for the latest definition updates before running a scan** to **Yes**. 3. Click **OK**. -4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). +4.[Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). + +**Use Group Policy to check for protection updates before running a scan:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration**. + +3. Click **Policies** then **Administrative templates**. + +4. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**. + +5. Double-click **Check for the latest virus and spyware definitions before running a scheduled scan** and set the option to **Enabled**. + +6. Click **OK**. **Use PowerShell cmdlets to check for protection updates before running a scan:** @@ -73,7 +60,6 @@ Set-MpPreference -CheckForSignaturesBeforeRunningScan See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. - **Use Windows Management Instruction (WMI) to check for protection updates before running a scan** Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: @@ -85,46 +71,39 @@ CheckForSignaturesBeforeRunningScan See the following for more information: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) - - - - - ## Check for protection updates on startup -You can use Group Policy to force Windows Defender AV to check and download protection updates when the machine is started. +You can use Group Policy to force Windows Defender Antivirus to check and download protection updates when the machine is started. -**Use Group Policy to download protection updates at startup:** +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +3. Click **Policies** then **Administrative templates**. -4. Click **Policies** then **Administrative templates**. +4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. +5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**. -5. Double-click the **Check for the latest virus and spyware definitions on startup** setting and set the option to **Enabled**. +6. Click **OK**. -6. Click **OK**. +You can also use Group Policy, PowerShell, or WMI to configure Windows Defender Antivirus to check for updates at startup even when it is not running. -You can also use Group Policy, PowerShell, or WMI to configure Windows Defender AV to check for updates at startup even when it is not running. +**Use Group Policy to download updates when Windows Defender Antivirus is not present:** -**Use Group Policy to download updates when Windows Defender AV is not present:** +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +3. Click **Policies** then **Administrative templates**. -4. Click **Policies** then **Administrative templates**. +4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. +5. Double-click **Initiate definition update on startup** and set the option to **Enabled**. -6. Double-click the **Initiate definition update on startup** setting and set the option to **Enabled**. +6. Click **OK**. -7. Click **OK**. - -**Use PowerShell cmdlets to download updates when Windows Defender AV is not present:** +**Use PowerShell cmdlets to download updates when Windows Defender Antivirus is not present:** Use the following cmdlets: @@ -132,10 +111,9 @@ Use the following cmdlets: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. - -**Use Windows Management Instruction (WMI) to download updates when Windows Defender AV is not present:** +**Use Windows Management Instruction (WMI) to download updates when Windows Defender Antivirus is not present:** Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: @@ -146,11 +124,8 @@ SignatureDisableUpdateOnStartupWithoutEngine See the following for more information: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) - - - - + ## Allow ad hoc changes to protection based on cloud-delivered protection Windows Defender AV can make changes to its protection based on cloud-delivered protection. This can occur outside of normal or scheduled protection updates. @@ -159,27 +134,21 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi **Use Group Policy to automatically download recent updates based on cloud-delivered protection:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following: - 1. Double-click the **Allow real-time definition updates based on reports to Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**. - 2. Double-click the **Allow notifications to disable definitions based reports to Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. +3. Click **Policies** then **Administrative templates**. +4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following: + 1. Double-click **Allow real-time definition updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**. + 2. Double-click **Allow notifications to disable definitions based reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**. ## Related topics -- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) - [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) - [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) - [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - - - diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md index 00b1ed1c2f..210423199c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md @@ -11,50 +11,51 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- -# Manage updates and scans for endpoints that are out of date +# Manage Windows Defender Antivirus updates and scans for endpoints that are out of date -**Applies to** -- Windows 10 +**Applies to:** -**Audience** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -- Network administrators - -**Manageability available with** - -- Group Policy -- System Center Configuration Manager -- PowerShell cmdlets -- Windows Management Instruction (WMI) - - - -Windows Defender AV lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis. +Windows Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis. For example, an employee that uses a particular PC is on break for three days and does not log on to their PC during that time. -When the user returns to work and logs on to their PC, Windows Defender AV will immediately check and download the latest protection updates, and run a scan. +When the user returns to work and logs on to their PC, Windows Defender Antivirus will immediately check and download the latest protection updates, and run a scan. ## Set up catch-up protection updates for endpoints that haven't updated for a while -If Windows Defender AV did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md). +If Windows Defender Antivirus did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md). + +**Use Configuration Manager to configure catch-up protection updates:** + +1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) + +2. Go to the **Definition updates** section and configure the following settings: + + 1. Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**. + 2. For the **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order). + +3. Click **OK**. + +4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). **Use Group Policy to enable and configure the catch-up update feature:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +3. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. +4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. -6. Double-click the **Define the number of days after which a catch-up definition update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update. +5. Double-click the **Define the number of days after which a catch-up definition update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update. -7. Click **OK**. +6. Click **OK**. **Use PowerShell cmdlets to configure catch-up protection updates:** @@ -78,23 +79,11 @@ See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) -**Use Configuration Manager to configure catch-up protection updates:** - -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) - -2. Go to the **Definition updates** section and configure the following settings: - - 1. Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**. - 2. For the **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order). - -3. Click **OK**. - -4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). ## Set the number of days before protection is reported as out-of-date -You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source. +You can also specify the number of days after which Windows Defender Antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender Antivirus to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source. **Use Group Policy to specify the number of days before protection is considered out-of-date:** @@ -119,7 +108,7 @@ You can also specify the number of days after which Windows Defender AV protecti ## Set up catch-up scans for endpoints that have not been scanned for a while -You can set the number of consecutive scheduled scans that can be missed before Windows Defender AV will force a scan. +You can set the number of consecutive scheduled scans that can be missed before Windows Defender Antivirus will force a scan. The process for enabling this feature is: @@ -159,7 +148,7 @@ Set-MpPreference -DisableCatchupQuickScan ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. **Use Windows Management Instruction (WMI) to configure catch-up scans:** @@ -187,9 +176,8 @@ See the following for more information and allowed parameters: ## Related topics -- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) - [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) - [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) - [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md index 650a73dafb..efcd9e0cfc 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md @@ -11,27 +11,16 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Manage the schedule for when protection updates should be downloaded and applied -**Applies to** -- Windows 10 +**Applies to:** -**Audience** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -- Network administrators - -**Manageability available with** - -- Group Policy -- System Center Configuration Manager -- PowerShell cmdlets -- Windows Management Instruction (WMI) - - -Windows Defender AV lets you determine when it should look for and download updates. +Windows Defender Antivirus lets you determine when it should look for and download updates. You can schedule updates for your endpoints by: @@ -41,24 +30,6 @@ You can schedule updates for your endpoints by: You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic for more information. -**Use Group Policy to schedule protection updates:** - -> [!IMPORTANT] -> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default. - -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings: - - 1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. - 2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. - 3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**. - - **Use Configuration Manager to schedule protection updates:** 1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) @@ -73,6 +44,24 @@ You can also randomize the times when each endpoint checks and downloads protect 5. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). +**Use Group Policy to schedule protection updates:** + +> [!IMPORTANT] +> By default, Windows Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default. + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings: + + 1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. + 2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. + 3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**. + + **Use PowerShell cmdlets to schedule protection updates:** @@ -102,9 +91,8 @@ See the following for more information and allowed parameters: ## Related topics -- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) - [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) - [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) - [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index 18766e3062..e550220a80 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -11,25 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Manage the sources for Windows Defender Antivirus protection updates -**Applies to** -- Windows 10 +**Applies to:** -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy -- System Center Configuration Manager -- PowerShell cmdlets -- Windows Management Instruction (WMI) -- Mobile Device Management (MDM) +- Windows Defender Advanced Threat Protection (Windows Defender ATP) @@ -38,7 +27,7 @@ There are two components to managing protection updates - where the updates are This topic describes where you can specify the updates should be downloaded from, also known as the fallback order. -See the [Manage Windows Defender AV updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates). +See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates). @@ -161,11 +150,11 @@ See [Policy CSP - Defender/SignatureUpdateFallbackOrder](https://docs.microsoft. ## Related topics -- [Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md) -- [Manage Windows Defender AV updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) + +- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) - [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) - [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) - [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) -- [Windows Defender AV in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 99051e2f5f..b3541abe11 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -11,21 +11,16 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Manage Windows Defender Antivirus updates and apply baselines - **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Network administrators - -There are two types of updates related to keeping Windows Defender Antivirus: +There are two types of updates related to keeping Windows Defender Antivirus up to date: 1. Protection updates 2. Product updates @@ -33,14 +28,14 @@ You can also apply [Windows security baselines](https://technet.microsoft.com/en ## Protection updates -Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates". +Windows Defender Antivirus uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates". The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. ## Product updates -Windows Defender AV requires [monthly updates](https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases. +Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases. You can manage the distribution of updates through Windows Server Update Service (WSUS), with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md index de30dd760f..ee85e54424 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md @@ -11,24 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Manage updates for mobile devices and virtual machines (VMs) -**Applies to** -- Windows 10 - -**Audience** - -- Network administrators - -**Manageability available with** - -- Group Policy - - +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates. @@ -44,7 +34,7 @@ The following topics may also be useful in these situations: ## Opt-in to Microsoft Update on mobile computers without a WSUS connection -You can use Microsoft Update to keep definitions on mobile devices running Windows Defender AV up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection. +You can use Microsoft Update to keep definitions on mobile devices running Windows Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection. This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update. @@ -81,7 +71,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following ## Prevent definition updates when running on battery power -You can configure Windows Defender AV to only download protection updates when the PC is connected to a wired power source. +You can configure Windows Defender Antivirus to only download protection updates when the PC is connected to a wired power source. **Use Group Policy to prevent definition updates on battery power:** @@ -103,4 +93,4 @@ You can configure Windows Defender AV to only download protection updates when t ## Related topics - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Update and manage Windows Defender in Windows 10](deploy-manage-report-windows-defender-antivirus.md) +- [Update and manage Windows Defender Antivirus in Windows 10](deploy-manage-report-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/TOC.md b/windows/security/threat-protection/windows-defender-antivirus/oldTOC.md similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/TOC.md rename to windows/security/threat-protection/windows-defender-antivirus/oldTOC.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md index d0306388a6..73d8882279 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md @@ -11,28 +11,20 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- -# Prevent users from seeing or interacting with the Windows Defender AV user interface +# Prevent users from seeing or interacting with the Windows Defender Antivirus user interface + **Applies to:** -- Windows 10 - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) You can use Group Policy to prevent users on endpoints from seeing the Windows Defender Antivirus interface. You can also prevent them from pausing scans. ## Hide the Windows Defender Antivirus interface -In Windows 10, versions 1703, hiding the interface will hide Windows Defender AV notifications and prevent the Virus & threat protection tile from appearing in the Windows Defender Security Center app. +In Windows 10, versions 1703, hiding the interface will hide Windows Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Defender Security Center app. With the setting set to **Enabled**: @@ -43,7 +35,7 @@ With the setting set to **Disabled** or not configured: ![Scheenshot of Windows Defender Security Center showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png) >[!NOTE] ->Hiding the interface will also prevent Windows Defender AV notifications from appearing on the endpoint. Windows Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) +>Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Windows Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning "Your system administrator has restricted access to this app.": @@ -87,5 +79,5 @@ You can prevent users from pausing scans. This can be helpful to ensure schedule - [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) -- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md) +- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md index 79696c63e9..938413082b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md @@ -11,26 +11,20 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 09/03/2018 --- -# Report on Windows Defender Antivirus protection +# Report on Windows Defender Antivirus **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender Antivirus. -- IT administrators +You can use System Center Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using [Microsoft Intune](https://docs.microsoft.com/en-us/intune/introduction-intune). -There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender AV. - - - -You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using [Microsoft Intune](https://docs.microsoft.com/en-us/intune/introduction-intune). - -Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender AV issues, including protection updates and real-time protection settings. +Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings. If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/en-us/library/windows/desktop/aa964766(v=vs.85).aspx). @@ -46,4 +40,4 @@ For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, s ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md index db4d6528c0..37c8231fb3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md @@ -11,26 +11,16 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/23/2018 +ms.date: 09/03/2018 --- # Restore quarantined files in Windows Defender AV - **Applies to:** -- Windows 10 -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Windows Defender Security Center - -If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender AV quarantines suspicious files. If you are certain these files do not present a threat, you can restore them. +If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them. 1. Open **Windows Defender Security Center**. 2. Click **Virus & threat protection** and then click **Scan history**. @@ -43,5 +33,5 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y - [Review scan results](review-scan-results-windows-defender-antivirus.md) - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) -- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) +- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md index 151f4e6a10..802c92f163 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md @@ -11,38 +11,30 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 09/03/2018 --- -# Review Windows Defender AV scan results - +# Review Windows Defender Antivirus scan results **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- PowerShell -- Windows Management Instrumentation (WMI) -- System Center Configuration Manager -- Microsoft Intune -- Windows Defender Security Center app +After an Windows Defender Antivirus scan completes, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. -After Windows Defender Antivirus has completed a scan, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. +**Use Microsoft Intune to review scan results:** +1. In Intune, go to **Devices > All Devices** and select the device you want to scan. -**Use Configuration Manager to review Windows Defender AV scan results:** +2. Click the scan results in **Device actions status**. + +**Use Configuration Manager to review scan results:** See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection). -**Use the Windows Defender Security Center app to review Windows Defender AV scan results:** +**Use the Windows Defender Security Center app to review scan results:** 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. @@ -54,7 +46,7 @@ See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us -**Use PowerShell cmdlets to review Windows Defender AV scan results:** +**Use PowerShell cmdlets to review scan results:** The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same threat, each detection will be listed separately, based on the time of each detection: @@ -76,20 +68,15 @@ Get-MpThreat See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Use Windows Management Instruction (WMI) to review Windows Defender AV scan results:** +**Use Windows Management Instruction (WMI) to review scan results:** Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) classes. -**Use Microsoft Intune to review Windows Defender AV scan results:** - -1. In Intune, go to **Devices > All Devices** and select the device you want to scan. - -2. Click the scan results in **Device actions status**. ## Related topics -- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md index cfa4f029ba..9a93cd3335 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md @@ -11,46 +11,32 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 09/03/2018 --- - - - - -# Configure and run on-demand Windows Defender AV scans +# Configure and run on-demand Windows Defender Antivirus scans **Applies to:** -- Windows 10 - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Windows Defender AV mpcmdrun utility -- PowerShell -- Windows Management Instrumentation (WMI) -- System Center Configuration Manager -- Microsoft Intune -- Windows Defender Security Center app +- Windows Defender Advanced Threat Protection (Windows Defender ATP) You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type. -## Quick scan versus full scan and custom scan +## Quick scan versus full scan Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. -Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md), which reviews files when they are opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. +Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection. -A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans. +A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans. -A custom scan allows you to specify files or folders to scan, such as a USB drive. + +**Use Configuration Manager to run a scan:** + +See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan. **Use the mpcmdrum.exe command-line utility to run a scan:** @@ -66,10 +52,11 @@ See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defen -**Use Configuration Manager to run a scan:** +**Use Microsoft Intune to run a scan:** -See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan. +1. In Intune, go to **Devices > All Devices** and select the device you want to scan. +2. Select **...More** and then select **Quick Scan** or **Full Scan**. **Use the Windows Defender Security Center app to run a scan:** @@ -97,16 +84,9 @@ See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) -**Use Microsoft Intune to run a scan:** - -1. In Intune, go to **Devices > All Devices** and select the device you want to scan. - -2. Select **...More** and then select **Quick Scan** or **Full Scan**. - - ## Related topics -- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) -- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) +- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) +- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index 20c62b31b9..4bb34b0d77 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md @@ -11,32 +11,17 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/26/2018 +ms.date: 09/03/2018 --- +# Configure scheduled quick or full Windows Defender Antivirus scans -# Configure scheduled quick or full scans for Windows Defender AV - - - -**Applies to** -- Windows 10 - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy -- System Center Configuration Manager -- PowerShell cmdlets -- Windows Management Instruction (WMI) - +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) > [!NOTE] -> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default. +> By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default. In addition to always-on real-time protection and [on-demand](run-scan-windows-defender-antivirus.md) scans, you can set up regular, scheduled scans. @@ -86,7 +71,7 @@ Location | Setting | Description | Default setting (if not configured) Scan | Specify the scan type to use for a scheduled scan | Quick scan Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am -Root | Randomize scheduled task times | Randomize the start time of the scan to any interval from 0 to 4 hours, or to any interval plus or minus 30 minutes for non-Windows Defender scans. This can be useful in VM or VDI deployments. | Enabled +Root | Randomize scheduled task times | Randomize the start time of the scan to any interval from 0 to 4 hours, or to any interval plus or minus 30 minutes for non-Windows Defender Antivirus scans. This can be useful in VM or VDI deployments. | Enabled **Use PowerShell cmdlets to schedule scans:** @@ -241,8 +226,8 @@ Signature updates | Turn on scan after signature update | A scan will occur imme - [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) -- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md) -- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) +- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md) +- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) - [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md index b2b7a4640f..592aa7ffe9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md @@ -11,26 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/19/2018 +ms.date: 09/03/2018 --- # Specify the cloud-delivered protection level - - **Applies to:** -- Windows 10, version 1703 and later - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy -- System Center Configuration Manager (current branch) -- Intune +- Windows Defender Advanced Threat Protection (Windows Defender ATP) You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager. @@ -39,27 +27,6 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi -**Use Group Policy to specify the level of cloud-delivered protection:** - -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**. - -1. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection: - 1. Setting to **Default Windows Defender Antivirus blocking level** will provide strong detection without increasing the risk of detecting legitimate files. - 2. Setting to **High blocking level** will apply a strong level of detection. While unlikely, some legitimate files may be detected (although you will have the option to unblock or dispute that detection). - -1. Click **OK**. - - -**Use Configuration Manager to specify the level of cloud-delivered protection:** - -1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). - **Use Intune to specify the level of cloud-delivered protection:** 1. Sign in to the [Azure portal](https://portal.azure.com). @@ -80,6 +47,28 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles) +**Use Configuration Manager to specify the level of cloud-delivered protection:** + +1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). + +**Use Group Policy to specify the level of cloud-delivered protection:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**. + +1. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection: + 1. Setting to **Default Windows Defender Antivirus blocking level** will provide strong detection without increasing the risk of detecting legitimate files. + 2. Setting to **High blocking level** will apply a strong level of detection. While unlikely, some legitimate files may be detected (although you will have the option to unblock or dispute that detection). + +1. Click **OK**. + + + ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md index 28d890360d..ae18d78a72 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md @@ -11,18 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Troubleshoot Windows Defender Antivirus reporting in Update Compliance **Applies to:** -- Windows 10 - -**Audience** - -- IT administrators +- Windows Defender Advanced Threat Protection (Windows Defender ATP) When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of machines or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you may encounter problems or issues. @@ -31,7 +27,7 @@ Typically, the most common indicators of a problem are: - You do not see any devices at all - The reports and information you do see is outdated (older than a few days) -For common error codes and event IDs related to the Windows Defender AV service that are not related to Update Compliance, see the [Windows Defender Antivirus events](troubleshoot-windows-defender-antivirus.md) topic. +For common error codes and event IDs related to the Windows Defender Antivirus service that are not related to Update Compliance, see [Windows Defender Antivirus events](troubleshoot-windows-defender-antivirus.md). There are three steps to troubleshooting these problems: @@ -40,12 +36,12 @@ There are three steps to troubleshooting these problems: 3. Submit support logs >[!IMPORTANT] ->It typically takes 3 days for devices to start appearing in Update Compliance +>It typically takes 3 days for devices to start appearing in Update Compliance. ## Confirm pre-requisites -In order for devices to properly show up in Update Compliance, you have to meet certain pre-requisites for both the Update Compliance service and for Windows Defender AV protection: +In order for devices to properly show up in Update Compliance, you have to meet certain pre-requisites for both the Update Compliance service and for Windows Defender Antivirus: >[!div class="checklist"] >- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](windows-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance. @@ -67,4 +63,4 @@ If the above pre-requisites have all been met, you may need to proceed to the ne ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md index bea242548e..7d53f93ac2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md @@ -11,45 +11,40 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/16/2018 +ms.date: 09/03/2018 --- -# Review event logs and error codes to troubleshoot issues with Windows Defender AV +# Review event logs and error codes to troubleshoot issues with Windows Defender Antivirus +**Applies to:** -**Applies to** -- Windows 10 -- Windows Server 2016 - -**Audience** - -- Enterprise security administrators - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution. The tables list: -- [Windows Defender AV event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016) -- [Windows Defender AV client error codes](#error-codes) -- [Internal Windows Defender AV client error codes (used by Microsoft during development and testing)](#internal-error-codes) +- [Windows Defender Antivirus event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016) +- [Windows Defender Antivirus client error codes](#error-codes) +- [Internal Windows Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes) >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: +>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: + >- Cloud-delivered protection >- Fast learning (including Block at first sight) >- Potentially unwanted application blocking -## Windows Defender AV event IDs +## Windows Defender Antivirus event IDs -Windows Defender AV records event IDs in the Windows event log. +Windows Defender Antivirus records event IDs in the Windows event log. -You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints. +You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender Antivirus client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints. -The table in this section lists the main Windows Defender AV event IDs and, where possible, provides suggested solutions to fix or resolve the error. +The table in this section lists the main Windows Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error. -**To view a Windows Defender AV event** +**To view a Windows Defender Antivirus event** 1. Open **Event Viewer**. 2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender Antivirus**. @@ -61,7 +56,7 @@ The table in this section lists the main Windows Defender AV event IDs and, wher - +
@@ -294,7 +289,7 @@ Symbolic name: Message: @@ -330,7 +325,7 @@ Description of the error. User action: @@ -958,7 +953,7 @@ Message: Description: @@ -1086,7 +1081,7 @@ Message: Description: @@ -1182,7 +1177,7 @@ Message: Description: @@ -1322,7 +1317,7 @@ Message: Description: @@ -1497,7 +1492,7 @@ Symbolic name: Message: @@ -1506,7 +1501,7 @@ Message: Description: @@ -1625,7 +1620,7 @@ Message: Description: @@ -1947,7 +1942,7 @@ Message: Description: @@ -2126,7 +2121,7 @@ Message: Description: @@ -2153,7 +2148,7 @@ Message: Description: @@ -2215,7 +2210,7 @@ Message: Description: @@ -2243,7 +2238,7 @@ Message: Description: @@ -2270,7 +2265,7 @@ Message: Description: @@ -2294,8 +2289,8 @@ User action: @@ -2322,7 +2317,7 @@ Message: Description: @@ -2341,7 +2336,7 @@ Windows Defender Real-time Protection has restarted a feature. It is recommended User action: @@ -2369,7 +2364,7 @@ Message: Description: @@ -2396,7 +2391,7 @@ Message: Description: @@ -2424,7 +2419,7 @@ Message: Description: @@ -2494,7 +2489,7 @@ Message: Description: @@ -2587,7 +2582,7 @@ Message: Description: @@ -2613,7 +2608,7 @@ Message: Description: @@ -2641,7 +2636,7 @@ Message: Description: @@ -2669,10 +2664,10 @@ Message: Description: @@ -2701,7 +2696,7 @@ Message: Description:
Event ID: 1000
-An antimalware scan failed. +An antimalware scan failed.
-The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. +The antivirus client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (Windows Defender Antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. To troubleshoot this event:
  1. Run the scan again.
    2. @@ -438,7 +433,7 @@ Message: Description:
-Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following: +Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
User: <Domain>\\<User>
Name: <Threat name>
@@ -490,7 +485,7 @@ Message: Description:
-Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following: +Windows Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:
User: <Domain>\\<User>
Name: <Threat name>
@@ -549,7 +544,7 @@ Message: Description:
-Windows Defender has restored an item from quarantine. For more information please see the following: +Windows Defender Antivirus has restored an item from quarantine. For more information please see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -593,7 +588,7 @@ Message: Description:
-Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following: +Windows Defender Antivirus has encountered an error trying to restore an item from quarantine. For more information please see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -640,7 +635,7 @@ Message: Description:
-Windows Defender has deleted an item from quarantine. +Windows Defender Antivirus has deleted an item from quarantine. For more information please see the following:
Name: <Threat name>
@@ -684,7 +679,7 @@ Message: Description:
-Windows Defender has encountered an error trying to delete an item from quarantine. +Windows Defender Antivirus has encountered an error trying to delete an item from quarantine. For more information please see the following:
Name: <Threat name>
@@ -732,7 +727,7 @@ Message: Description:
-Windows Defender has removed history of malware and other potentially unwanted software. +Windows Defender Antivirus has removed history of malware and other potentially unwanted software.
Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
User: <Domain>\\<User>
@@ -763,7 +758,7 @@ The antimalware platform could not delete history of malware and other potential Description:
-Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software. +Windows Defender Antivirus has encountered an error trying to remove history of malware and other potentially unwanted software.
Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
User: <Domain>\\<User>
@@ -798,7 +793,7 @@ Message: Description:
-Windows Defender has detected a suspicious behavior. +Windows Defender Antivirus has detected a suspicious behavior. For more information please see the following:
Name: <Threat name>
@@ -876,7 +871,7 @@ Message: Description:
-Windows Defender has detected malware or other potentially unwanted software. +Windows Defender Antivirus has detected malware or other potentially unwanted software. For more information please see the following:
Name: <Threat name>
@@ -930,7 +925,7 @@ UAC User action:
-No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click Clean Computer. +No action is required. Windows Defender Antivirus can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender Antivirus interface, click Clean Computer.
-Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. +Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
Name: <Threat name>
@@ -1020,7 +1015,7 @@ Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
NOTE: -Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:
    +Whenever Windows Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:
    • Default Internet Explorer or Microsoft Edge setting
    • User Access Control settings
    • Chrome settings
      • @@ -1036,7 +1031,7 @@ The above context applies to the following client and server versions:
-Client Operating System +Client Operating System Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later @@ -1059,7 +1054,7 @@ Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Se User action: -No action is necessary. Windows Defender removed or quarantined a threat. +No action is necessary. Windows Defender Antivirus removed or quarantined a threat.
-Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software. +Windows Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software. For more information please see the following:
Name: <Threat name>
@@ -1155,7 +1150,7 @@ Description of the error. User action:
-No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure. +No action is necessary. Windows Defender Antivirus failed to complete a task related to the malware remediation. This is not a critical failure.
-Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software. +Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following:
Name: <Threat name>
@@ -1251,7 +1246,7 @@ Description of the error. User action:
-The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below. +The Windows Defender Antivirus client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below. @@ -1290,7 +1285,7 @@ Verify that the user has permission to access the necessary resources.
Action
- + If this event persists:
  1. Run the scan again.
  2. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
    3. @@ -1314,7 +1309,7 @@ Symbolic name: Message:
-Windows Defender has deduced the hashes for a threat resource. +Windows Defender Antivirus has deduced the hashes for a threat resource.
-Windows Defender client is up and running in a healthy state. +Windows Defender Antivirus client is up and running in a healthy state.
Current Platform Version: <Current platform version>
Threat Resource Path: <Path>
@@ -1361,7 +1356,7 @@ Message: Description:
-Windows Defender client is up and running in a healthy state. +Windows Defender Antivirus client is up and running in a healthy state.
Platform Version: <Current platform version>
Signature Version: <Definition version>
@@ -1402,7 +1397,7 @@ Message: Description:
-Windows Defender client health report. +Antivirus client health report.
Platform Version: <Current platform version>
Engine Version: <Antimalware Engine version>
@@ -1456,7 +1451,7 @@ Message: Description:
-Windows Defender signature version has been updated. +Antivirus signature version has been updated.
Current Signature Version: <Current signature version>
Previous Signature Version: <Previous signature version>
@@ -1479,7 +1474,7 @@ Windows Defender signature version has been updated. User action:
-No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated. +No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when signatures are successfully updated.
-The antimalware definition update failed. +The antimalware definition update failed.
-Windows Defender has encountered an error trying to update signatures. +Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: <New version number>
Previous Signature Version: <Previous signature version>
@@ -1584,7 +1579,7 @@ Message: Description:
-Windows Defender engine version has been updated. +Windows Defender Antivirus engine version has been updated.
Current Engine Version: <Current engine version>
Previous Engine Version: <Previous engine version>
@@ -1598,7 +1593,7 @@ Windows Defender engine version has been updated. User action:
-No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated. +No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when the antimalware engine is successfully updated.
-Windows Defender has encountered an error trying to update the engine. +Windows Defender Antivirus has encountered an error trying to update the engine.
New Engine Version:
Previous Engine Version: <Previous engine version>
@@ -1643,7 +1638,7 @@ Description of the error. User action:
-The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update. +The Windows Defender Antivirus client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update. To troubleshoot this event:
  1. [Update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
    2. @@ -1675,7 +1670,7 @@ Message: Description:
-Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. +Windows Defender Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
Signatures Attempted:
Error Code: <Error code> @@ -1692,7 +1687,7 @@ Description of the error.
User action:
-The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions. +The Windows Defender Antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender Antivirus will attempt to revert back to a known-good set of definitions. To troubleshoot this event:
  1. Restart the computer and try again.
    2. @@ -1727,7 +1722,7 @@ Message: Description:
-Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted. +Windows Defender Antivirus could not load antimalware engine because current platform version is not supported. Windows Defender Antivirus will revert back to the last known-good engine and a platform update will be attempted.
Current Platform Version: <Current platform version>
@@ -1758,7 +1753,7 @@ Message: Description: 		-Windows Defender has encountered an error trying to update the platform. +Windows Defender Antivirus has encountered an error trying to update the platform.
Current Platform Version: <Current platform version>
Error Code: <Error code> @@ -1791,7 +1786,7 @@ Message: Description:
-Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available. +Windows Defender Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender Antivirus platform to maintain the best level of protection available.
Current Platform Version: <Current platform version>
@@ -1822,7 +1817,7 @@ Message: Description: 		-Windows Defender used Dynamic Signature Service to retrieve additional signatures to help protect your machine. +Windows Defender Antivirus used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
Current Signature Version: <Current signature version>
Signature Type: <Signature type>, for example:
    @@ -1880,7 +1875,7 @@ Message: Description:
-Windows Defender used Dynamic Signature Service to discard obsolete signatures. +Windows Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.
Current Signature Version: <Current signature version>
Signature Type: <Signature type>, for example:
    @@ -1919,7 +1914,7 @@ Windows Defender used Dynamic Signature Service to discard obsolete signa User action:
-No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions. +No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.
-Windows Defender has encountered an error trying to use Dynamic Signature Service. +Windows Defender Antivirus has encountered an error trying to use Dynamic Signature Service.
Current Signature Version: <Current signature version>
Signature Type: <Signature type>, for example:
    @@ -2017,7 +2012,7 @@ Message: Description:
-Windows Defender discarded all Dynamic Signature Service signatures. +Windows Defender Antivirus discarded all Dynamic Signature Service signatures.
Current Signature Version: <Current signature version>
@@ -2048,7 +2043,7 @@ Message: Description: 		-Windows Defender downloaded a clean file. +Windows Defender Antivirus downloaded a clean file.
Filename: <File name> Name of the file.
@@ -2081,7 +2076,7 @@ Message: Description:
-Windows Defender has encountered an error trying to download a clean file. +Windows Defender Antivirus has encountered an error trying to download a clean file.
Filename: <File name> Name of the file.
@@ -2100,7 +2095,7 @@ User action:
Check your Internet connectivity settings. -The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. +The Windows Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
-Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot. +Windows Defender Antivirus downloaded and configured offline antivirus to run on the next reboot.
-Windows Defender has encountered an error trying to download and configure Windows Defender Offline. +Windows Defender Antivirus has encountered an error trying to download and configure offline antivirus.
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
@@ -2187,7 +2182,7 @@ Message: Description:
-The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats. +The support for your operating system will expire shortly. Running Windows Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.
-The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats. +The support for your operating system has expired. Running Windows Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.
-The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats. +The support for your operating system has expired. Windows Defender Antivirus is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
-Windows Defender Real-Time Protection feature has encountered an error and failed. +Windows Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: <Feature>, for example:
    @@ -2284,7 +2279,7 @@ Windows Defender Real-Time Protection feature has encountered an error and faile Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
-
Reason: The reason Windows Defender real-time protection has restarted a feature.
+
Reason: The reason Windows Defender Antivirus real-time protection has restarted a feature.
You should restart the system then run a full scan because it's possible the system was not protected for some time. -The Windows Defender client's real-time protection feature encountered an error because one of the services failed to start. -If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. +The Windows Defender Antivirus client's real-time protection feature encountered an error because one of the services failed to start. +If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.
-Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down. +Windows Defender Antivirus Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
Feature: <Feature>, for example:
    @@ -2332,7 +2327,7 @@ Windows Defender Real-time Protection has restarted a feature. It is recommended
  • Network Inspection System
-
Reason: The reason Windows Defender real-time protection has restarted a feature.
+
Reason: The reason Windows Defender Antivirus real-time protection has restarted a feature.
-The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support. +The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support.
-Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled. +Windows Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled.
-Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled. +Windows Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.
-Windows Defender Real-time Protection feature configuration has changed. +Windows Defender Antivirus real-time protection feature configuration has changed.
Feature: <Feature>, for example:
    @@ -2462,12 +2457,12 @@ Message: Description:
-Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. +Windows Defender Antivirus configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: <Old value number> -Old Windows Defender configuration value.
+Old antivirus configuration value.
New value: <New value number> -New Windows Defender configuration value.
+New antivirus configuration value.
-Windows Defender engine has been terminated due to an unexpected error. +Windows Defender Antivirus engine has been terminated due to an unexpected error.
Failure Type: <Failure type>, for example: Crash @@ -2525,7 +2520,7 @@ To troubleshoot this event:
    User action:
-The Windows Defender client engine stopped due to an unexpected error. +The Windows Defender Antivirus client engine stopped due to an unexpected error. To troubleshoot this event:
  1. Run the scan again.
    2. @@ -2560,7 +2555,7 @@ Message: Description:
-Windows Defender scanning for malware and other potentially unwanted software has been enabled. +Windows Defender Antivirus scanning for malware and other potentially unwanted software has been enabled.
-Windows Defender scanning for malware and other potentially unwanted software is disabled. +Windows Defender Antivirus scanning for malware and other potentially unwanted software is disabled.
-Windows Defender scanning for viruses has been enabled. +Windows Defender Antivirus scanning for viruses has been enabled.
-Windows Defender scanning for viruses is disabled. +Windows Defender Antivirus scanning for viruses is disabled.
-Windows Defender has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software. +Windows Defender Antivirus has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
-
Expiration Reason: The reason Windows Defender will expire.
-
Expiration Date: The date Windows Defender will expire.
+
Expiration Reason: The reason Windows Defender Antivirus will expire.
+
Expiration Date: The date Windows Defender Antivirus will expire.
-Windows Defender grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled. +Windows Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
Expiration Reason:
Expiration Date:
@@ -2715,7 +2710,7 @@ Description of the error.
-## Windows Defender client error codes +## Windows Defender Antivirus client error codes If Windows Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update. This section provides the following information about Windows Defender Antivirus client errors. - The error code @@ -2725,7 +2720,7 @@ This section provides the following information about Windows Defender Antivirus Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes. - +
@@ -2740,7 +2735,7 @@ Use the information in these tables to help troubleshoot Windows Defender Antivi Possible reason @@ -2749,7 +2744,7 @@ This error indicates that you might have run out of memory.
  1. Check the available memory on your device.
  2. Close any unused applications that are running to free up memory on your device.
    3. -
  3. Restart the device and run the scan again. +
  4. Restart the device and run the scan again.
@@ -2765,7 +2760,7 @@ This error indicates that there might be a problem with your security product. - - - - - - - - - - - - - - - - - - -
Error code: 0x80508007
-This error indicates that you might have run out of memory. +This error indicates that you might have run out of memory.
Resolution
  1. Update the definitions. Either:
      -
    1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows DefenderOr, +
    2. Click the Update definitions button on the Update tab in Windows Defender Antivirus. Update definitions in Windows Defender AntivirusOr,
    3. Download the latest definitions from the Windows Defender Security Intelligence site. Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions. @@ -2781,155 +2776,154 @@ Note: The size of the definitions file downloaded from the site can exceed 60 MB
Error code: 0x80508020
MessageERR_MP_BAD_CONFIGURATION +ERR_MP_BAD_CONFIGURATION
Possible reason -This error indicates that there might be an engine configuration error; commonly, this is related to input -data that does not allow the engine to function properly. +This error indicates that there might be an engine configuration error; commonly, this is related to input +data that does not allow the engine to function properly.
Error code: 0x805080211 +Error code: 0x805080211
MessageERR_MP_QUARANTINE_FAILED +ERR_MP_QUARANTINE_FAILED
Possible reason -This error indicates that Windows Defender failed to quarantine a threat. +This error indicates that Windows Defender Antivirus failed to quarantine a threat.
Error code: 0x80508022 +Error code: 0x80508022
MessageERR_MP_REBOOT_REQUIRED +ERR_MP_REBOOT_REQUIRED
Possible reason -This error indicates that a reboot is required to complete threat removal. +This error indicates that a reboot is required to complete threat removal.
-0x80508023 +0x80508023
MessageERR_MP_THREAT_NOT_FOUND +ERR_MP_THREAT_NOT_FOUND
Possible reason -This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device. +This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device.
Resolution -Run the Microsoft Safety Scanner then update your security software and try again. +Run the Microsoft Safety Scanner then update your security software and try again.
Error code: 0x80508024
MessageERR_MP_FULL_SCAN_REQUIRED +ERR_MP_FULL_SCAN_REQUIRED
Possible reason -This error indicates that a full system scan might be required. +This error indicates that a full system scan might be required.
Resolution -Run a full system scan. +Run a full system scan.
Error code: 0x80508025 +Error code: 0x80508025
MessageERR_MP_MANUAL_STEPS_REQUIRED +ERR_MP_MANUAL_STEPS_REQUIRED
Possible reason -This error indicates that manual steps are required to complete threat removal. +This error indicates that manual steps are required to complete threat removal.
Resolution -Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history. +Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history.
Error code: 0x80508026 +Error code: 0x80508026
MessageERR_MP_REMOVE_NOT_SUPPORTED +ERR_MP_REMOVE_NOT_SUPPORTED
Possible reason -This error indicates that removal inside the container type might not be not supported. +This error indicates that removal inside the container type might not be not supported.
Resolution -Windows Defender is not able to remediate threats detected inside the archive. Consider manually removing the detected resources. +Windows Defender Antivirus is not able to remediate threats detected inside the archive. Consider manually removing the detected resources.
Error code: 0x80508027 +Error code: 0x80508027
MessageERR_MP_REMOVE_LOW_MEDIUM_DISABLED +ERR_MP_REMOVE_LOW_MEDIUM_DISABLED
Possible reason -This error indicates that removal of low and medium threats might be disabled. +This error indicates that removal of low and medium threats might be disabled.
Resolution -Check the detected threats and resolve them as required. +Check the detected threats and resolve them as required.
Error code: 0x80508029 +Error code: 0x80508029
MessageERROR_MP_RESCAN_REQUIRED +ERROR_MP_RESCAN_REQUIRED
Possible reason -This error indicates a rescan of the threat is required. +This error indicates a rescan of the threat is required.
Resolution -Run a full system scan. +Run a full system scan.
Error code: 0x80508030 +Error code: 0x80508030
MessageERROR_MP_CALLISTO_REQUIRED +ERROR_MP_CALLISTO_REQUIRED
Possible reason -This error indicates that an offline scan is required. +This error indicates that an offline scan is required.
Resolution -Run Windows Defender Offline. You can read about how to do this in the Windows Defender Offline -article. +Run offline Windows Defender Antivirus. You can read about how to do this in the offline Windows Defender Antivirus article.
Error code: 0x80508031 +Error code: 0x80508031
MessageERROR_MP_PLATFORM_OUTDATED +ERROR_MP_PLATFORM_OUTDATED
Possible reason -This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform. +This error indicates that Windows Defender Antivirus does not support the current version of the platform and requires a new version of the platform.
Resolution -You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection. +You can only use Windows Defender Antivirus in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.
-The following error codes are used during internal testing of Windows Defender AV. +The following error codes are used during internal testing of Windows Defender Antivirus. If you see these errors, you can try to [update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint. - +
@@ -2943,7 +2937,7 @@ If you see these errors, you can try to [update definitions](manage-updates-base 0x80501004
Internal error codes
-ERROR_MP_NO_INTERNET_CONN +ERROR_MP_NO_INTERNET_CONN @@ -3237,19 +3231,19 @@ This is an internal error. The cause is not clearly defined. ERR_MP_REMOVE_FAILED -This is an internal error. It might be triggered when malware removal is not successful. +This is an internal error. It might be triggered when malware removal is not successful.
-0x80508018 +0x80508018 -ERR_MP_SCAN_ABORTED +ERR_MP_SCAN_ABORTED -This is an internal error. It might have triggered when a scan fails to complete. +This is an internal error. It might have triggered when a scan fails to complete.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md index f13977e93c..d4fbc2f0c0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Configure Windows Defender AV with Group Policy -description: Configure Windows Defender AV settings with Group Policy +title: Configure Windows Defender Antivirus with Group Policy +description: Configure Windows Defender Antivirus settings with Group Policy keywords: group policy, GPO, configuration, settings search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -11,18 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- -# Use Group Policy settings to configure and manage Windows Defender AV +# Use Group Policy settings to configure and manage Windows Defender Antivirus **Applies to:** -- Windows 10, version 1703 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) You can use [Group Policy](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender Antivirus on your endpoints. -In general, you can use the following procedure to configure or change Windows Defender AV group policy settings: +In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy settings: 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. @@ -41,15 +41,15 @@ The following table in this topic lists the Group Policy settings available in W Location | Setting | Documented in topic ---|---|--- -Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) +Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) Client interface | Display additional text to clients when they need to perform an action | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) Client interface | Suppress all notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) Client interface | Suppresses reboot notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) -Exclusions | Extension Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) -Exclusions | Path Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) -Exclusions | Process Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) -Exclusions | Turn off Auto Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) -MAPS | Configure the 'Block at First Sight' feature | [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) +Exclusions | Extension Exclusions | [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) +Exclusions | Path Exclusions | [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) +Exclusions | Process Exclusions | [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) +Exclusions | Turn off Auto Exclusions | [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) +MAPS | Configure the 'Block at First Sight' feature | [Enable block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) MAPS | Join Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) MAPS | Send file samples when further analysis is required | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) MAPS | Configure local setting override for reporting to Microsoft MAPS | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) @@ -59,23 +59,23 @@ Network inspection system | Specify additional definition sets for network traff Network inspection system | Turn on definition retirement | Not used Network inspection system | Turn on protocol recognition | Not used Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) -Quarantine | Configure removal of items from Quarantine folder | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md) +Quarantine | Configure removal of items from Quarantine folder | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) Real-time protection | Configure local setting override for turn on behavior monitoring | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) Real-time protection | Configure local setting override to turn on real-time protection | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) -Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Monitor file and program activity on your computer | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Scan all downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Turn off real-time protection | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Turn on behavior monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Turn on raw volume write notifications | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Monitor file and program activity on your computer | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Scan all downloaded files and attachments | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Turn off real-time protection | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Turn on behavior monitoring | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Turn on raw volume write notifications | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) -Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) -Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) +Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) +Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) Reporting | Configure Watson events | Not used Reporting | Configure Windows software trace preprocessor components | Not used Reporting | Configure WPP tracing level | Not used @@ -89,11 +89,11 @@ Root | Define addresses to bypass proxy server | Not used Root | Define proxy auto-config (.pac) for connecting to the network | Not used Root | Define proxy server for connecting to the network | Not used Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) -Root | Allow antimalware service to startup with normal priority | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md) -Root | Allow antimalware service to remain running always | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md) -Root | Turn off routine remediation | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md) -Root | Randomize scheduled task times | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) -Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) +Root | Allow antimalware service to startup with normal priority | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) +Root | Allow antimalware service to remain running always | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) +Root | Turn off routine remediation | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) +Root | Randomize scheduled task times | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) +Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) @@ -103,25 +103,25 @@ Scan | Configure local setting override for schedule scan day | [Prevent or allo Scan | Configure local setting override for scheduled quick scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) Scan | Configure local setting override for scheduled scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) Scan | Configure local setting override for the scan type to use for a scheduled scan | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) -Scan | Create a system restore point | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md) -Scan | Turn on removal of items from scan history folder | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md) -Scan | Turn on heuristics | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Scan | Turn on e-mail scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) -Scan | Turn on reparse point scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) -Scan | Run full scan on mapped network drives | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) -Scan | Scan archive files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) -Scan | Scan network files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) -Scan | Scan packed executables | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) -Scan | Scan removable drives | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) -Scan | Specify the maximum depth to scan archive files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) -Scan | Specify the maximum percentage of CPU utilization during a scan | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) -Scan | Specify the maximum size of archive files to be scanned | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) -Scan | Specify the day of the week to run a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) -Scan | Specify the interval to run quick scans per day | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) -Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) -Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) -Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) -Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) +Scan | Create a system restore point | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) +Scan | Turn on removal of items from scan history folder | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) +Scan | Turn on heuristics | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Scan | Turn on e-mail scanning | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md) +Scan | Turn on reparse point scanning | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md) +Scan | Run full scan on mapped network drives | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md) +Scan | Scan archive files | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md) +Scan | Scan network files | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md) +Scan | Scan packed executables | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md) +Scan | Scan removable drives | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md) +Scan | Specify the maximum depth to scan archive files | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md) +Scan | Specify the maximum percentage of CPU utilization during a scan | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md) +Scan | Specify the maximum size of archive files to be scanned | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md) +Scan | Specify the day of the week to run a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) +Scan | Specify the interval to run quick scans per day | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) +Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) +Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) +Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) +Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) Signature updates | Allow definition updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) Signature updates | Allow definition updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) Signature updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) @@ -136,9 +136,9 @@ Signature updates | Initiate definition update on startup | [Manage event-based Signature updates | Specify the day of the week to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) Signature updates | Specify the interval to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) Signature updates | Specify the time to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) -Signature updates | Turn on scan after signature update | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) -Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md) -Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md) +Signature updates | Turn on scan after signature update | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) +Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) +Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md index 403cf6a2e3..618ef1fa2f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Defender AV with Configuration Manager and Intune +title: Configure Windows Defender Antivirus with Configuration Manager and Intune description: Use System Center Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection keywords: scep, intune, endpoint protection, configuration search.product: eADQiWindows 10XVcnh @@ -11,14 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/19/2018 +ms.date: 09/03/2018 --- -# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV +# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender Antivirus -If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender AV. +**Applies to:** -In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Windows Defender AV. +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender Antivirus scans. + +In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Windows Defender Antivirus. See the [Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager. diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md index 8a77b98ed5..65ac1a5a70 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md @@ -11,14 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 12/12/2017 +ms.date: 09/03/2018 --- -# Use PowerShell cmdlets to configure and manage Windows Defender AV +# Use PowerShell cmdlets to configure and manage Windows Defender Antivirus **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/en-us/powershell/mt173057.aspx). @@ -27,7 +27,7 @@ For a list of the cmdlets and their functions and available parameters, see the PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software. > [!NOTE] -> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367). +> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Antivirus Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367). Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. @@ -36,7 +36,7 @@ You can [configure which settings can be overridden locally with local policy ov PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_. -**Use Windows Defender AV PowerShell cmdlets:** +**Use Windows Defender Antivirus PowerShell cmdlets:** 1. Click **Start**, type **powershell**, and press **Enter**. 2. Click **Windows PowerShell** to open the interface. diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md index f8c35eb6c8..4d68937d13 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Defender AV with WMI +title: Configure Windows Defender Antivirus with WMI description: Use WMI scripts to configure Windows Defender AV. keywords: wmi, scripts, windows management instrumentation, configuration search.product: eADQiWindows 10XVcnh @@ -11,22 +11,22 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/26/2017 +ms.date: 09/03/2018 --- -# Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV +# Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender Antivirus **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings. Read more about WMI at the [Microsoft Developer Network System Administration library](https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx). -Windows Defender AV has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md). +Windows Defender Antivirus has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md). -The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender AV, and includes example scripts. +The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender Antivirus, and includes example scripts. Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with WMI. diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index fc5487d680..3c436236fe 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md @@ -11,18 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/21/2018 +ms.date: 09/03/2018 --- # Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection **Applies to:** -- Windows 10, version 1703 and later - -**Audience** - -- Enterprise security administrators +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Microsoft next-gen technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models. @@ -79,5 +75,5 @@ You can also [configure Windows Defender AV to automatically receive new protect [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with System Center Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets. [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked. [Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. -[Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for a traditional signature. You can enable and configure it with System Center Configuration Manager and Group Policy. +[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for a traditional signature. You can enable and configure it with System Center Configuration Manager and Group Policy. [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy. diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index db9fd10f0d..2aa61cadf2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md @@ -11,26 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/04/2018 +ms.date: 09/03/2018 --- - # Windows Defender Antivirus compatibility - **Applies to:** -- Windows 10 -- Windows Server 2016 - -**Audience** - -- Enterprise security administrators - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. -However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender AV will automatically disable itself. You can then choose to enable an optional, limited protection feature, called [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md). +However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender Antivirus will automatically disable itself. You can then choose to enable an optional, limited protection feature, called [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md). If you are also using Windows Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode. diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md index ae39992504..c0484875ec 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md @@ -11,60 +11,51 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Windows Defender Antivirus in Windows 10 and Windows Server 2016 -**Applies to** -- Windows 10 -- Windows Server 2016 +**Applies to:** -Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -This library of documentation is for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network. +Windows Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. -For more important information about running Windows Defender on a server platform, see [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md). +Windows Defender Antivirus includes: +- [Cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Windows Defender Antivirus. +- [Always-on scanning](configure-real-time-protection-windows-defender-antivirus.md), using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection") +- [Dedicated protection updates](manage-updates-baselines-windows-defender-antivirus.md) based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research -Windows Defender AV can be managed with: -- System Center Configuration Manager (as System Center Endpoint Protection, or SCEP) -- Microsoft Intune - -It can be configured with: +You can configure and manage Windows Defender Antivirus with: - System Center Configuration Manager (as System Center Endpoint Protection, or SCEP) - Microsoft Intune - PowerShell - Windows Management Instrumentation (WMI) - Group Policy -Some of the highlights of Windows Defender AV include: -- [Cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Windows Defender Antivirus. -- [Always-on scanning](configure-real-time-protection-windows-defender-antivirus.md), using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection") -- [Dedicated protection updates](manage-updates-baselines-windows-defender-antivirus.md) based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research - - >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: +>You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: >- Cloud-delivered protection >- Fast learning (including Block at first sight) >- Potentially unwanted application blocking ## What's new in Windows 10, version 1803 -- The [Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. -- The [Virus & threat protection area in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) now includes a section for Ransomware protection. It includes Controlled folder access settings and Ransomware recovery settings. +- The [block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. +- The [Virus & threat protection area in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) now includes a section for ransomware protection. It includes controlled folder access settings and ransomware recovery settings. ## What's new in Windows 10, version 1703 -New features for Windows Defender AV in Windows 10, version 1703 include: -- [Updates to how the Block at First Sight feature can be configured](configure-block-at-first-sight-windows-defender-antivirus.md) +New features for Windows Defender Antivirus in Windows 10, version 1703 include: +- [Updates to how the block at first sight feature can be configured](configure-block-at-first-sight-windows-defender-antivirus.md) - [The ability to specify the level of cloud-protection](specify-cloud-protection-level-windows-defender-antivirus.md) - [Windows Defender Antivirus protection in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md) -We've expanded this documentation library to cover end-to-end deployment, management, and configuration for Windows Defender AV, and we've added some new guides that can help with evaluating and deploying Windows Defender AV in certain scenarios: -- [Evaluation guide for Windows Defender AV](evaluate-windows-defender-antivirus.md) -- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](deployment-vdi-windows-defender-antivirus.md) +We've expanded this documentation library to cover end-to-end deployment, management, and configuration for Windows Defender Antivirus, and we've added some new guides that can help with evaluating and deploying Windows Defender AV in certain scenarios: +- [Evaluation guide for Windows Defender Antivirus](evaluate-windows-defender-antivirus.md) +- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure environment](deployment-vdi-windows-defender-antivirus.md) @@ -74,25 +65,17 @@ Windows Defender AV has the same hardware requirements as Windows 10. For more i - [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx) - [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx) +Functionality, configuration, and management is largely the same when using Windows Defender AV on Windows Server 2016; however, [there are some differences](windows-defender-antivirus-on-windows-server-2016.md). -Some features require a certain version of Windows 10 - the minimum version required is specified at the top of each topic. +## Related topics -Functionality, configuration, and management is largely the same when using Windows Defender AV on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md). - - - - -## In this library - -Topic | Description -:---|:--- -[Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md) | The Windows Defender Security Center combines the settings and notifications from the previous Windows Defender AV app and Windows Settings in one easy-to-manage place -[Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) | Windows Defender AV can be used on Windows Server 2016, and features the same configuration and management capabilities as the Windows 10 version - with some added features for automatic exclusions -[Windows Defender AV compatibility](windows-defender-antivirus-compatibility.md) | Windows Defender AV operates in different modes depending on whether it detects other AV products or if you are using Windows Defender Advanced Threat Protection -[Evaluate Windows Defender AV protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and PowerShell script -[Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools -[Configure Windows Defender AV features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings -[Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) | You can set up scheduled scans, run on-demand scans, and configure how remediation works when threats are detected -[Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)|Review event IDs and error codes in Windows Defender Antivirus to determine causes of problems and troubleshoot issues -[Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)|The management and configuration tools that you can use with Windows Defender AV are listed and described here +[Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md) +[Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) +[Windows Defender AV compatibility](windows-defender-antivirus-compatibility.md) +[Evaluate Windows Defender AV protection](evaluate-windows-defender-antivirus.md) +[Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md) +[Configure Windows Defender AV features](configure-windows-defender-antivirus-features.md) +[Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +[Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md) +[Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index f8fb6d41ba..2c18d5b068 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md @@ -11,30 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/11/2018 +ms.date: 09/03/2018 --- - # Windows Defender Antivirus on Windows Server 2016 - **Applies to:** -- Windows Server 2016 - -**Audience** - -- Enterprise security administrators -- Network administrators - - -**Manageability available with** - -- Group Policy -- System Center Configuration Manager -- PowerShell -- Windows Management Instrumentation (WMI) - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same. diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md index c58ed524ef..4f28c692b5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md @@ -11,25 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Run and review the results of a Windows Defender Offline scan - **Applies to:** -- Windows 10, version 1607 and later - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy -- PowerShell cmdlets -- Windows Management Instruction (WMI) +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR). @@ -147,4 +136,4 @@ Windows Defender Offline scan results will be listed in the [Scan history sectio ## Related topics - [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index e7349b1a3f..ae068a7b88 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md @@ -11,23 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Windows Defender Antivirus in the Windows Defender Security Center app -**Applies to** - -- Windows 10, version 1703 and later - -**Audience** - -- End-users - -**Manageability available with** - -- Windows Defender Security Center app +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Defender Security Center. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index cf8105dc69..f876e2a21b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm.md index ac9277f3b2..19441d1b3a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 03/01/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md index 92a3184a4d..689be7ba29 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md index 3544866752..8b526e85fa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md index 9210e50905..e1d9bba88b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md index ec754cf12c..c939e91051 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md index 26b4d23de4..b6c2c868d6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md index 09a77338da..36e0ac5981 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md index 3089c59df8..c4b962b01a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md index 5ba8623822..ee4c5fe937 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md index dcc657973f..054ee9ef62 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md index 3330eda208..44b08ac93f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 06/08/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md index 66187c838a..953ead6f1e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md index a72ff3932a..dbc018a25b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md index 16266b4bae..f5511d3cc8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md index eace7b9b57..c756426699 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/02/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md index e40454320d..a97aa2c7cd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md index 699a7c233a..b21e2e2528 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md index 30344b2d69..ec420bcac6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md index 77e783422f..9eec93864f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md index 55249cd6d8..76e4917930 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md index 58f90360cf..7f38968703 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md index 51965b4116..1848f8085f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md index b86eb4c12e..1e07df2d5b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index 5ee0ccdb96..7c12e10af2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/02/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index 0e6056ffe2..3457f579f9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md index 2df842862c..c3be5b8cd7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md index 34d351396b..6acc47d3c4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index 215ef8ea76..e81f42d528 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md index a73fc8b1cd..bca3d32254 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index 3e7efbb672..393294a921 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md index be67db5038..cea7ab6ca2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md index b14ec68862..01f5f91d5d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md @@ -5,6 +5,7 @@ ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: brianlic-msft ms.pagetype: security ms.date: 09/21/2017 diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md index faeb7da296..7b6244b2eb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md index da3b193ffe..8f9183d2d5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md index 01886f6af8..c03fb9d05e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md index 5ade426b41..b620e305a4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md index 5593a53034..a915311c12 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md index 4fba782a8d..6ef53ce437 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md index bac088407a..1ac1c9ce81 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md index b442b268b0..000441d121 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md index d4fdf2d40e..71956ee4d9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md index da6e9d1a9c..536d75e6ad 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md index 2ffbc23507..b880da4f7e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md index f3bef329a4..0785d8c4b0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md index 7a8937b222..dfb5a0b633 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md index b62e5a9c01..6f54125e98 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index f27ecb0b8a..5de1967090 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md index 9becb2ec65..d77a10fb74 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md index 08cd3572ad..d7dec8dac9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md index a9c80b2eac..cda020c5b7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md index 685667b11c..8911d1bf9e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 10/13/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index 995eb8fedc..f4d78c2168 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md index 6812987ac1..5eb4f002d8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md index 7d0bc2af2c..df08c99d15 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md index 39ac2f8cc8..174b721e32 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index d31c811eb4..6fab819f0e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md index 1bc35b8cf9..a6b7813076 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md index 0590a63b72..6d3979d91f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md index 6c210aa053..453ab0eb53 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md index ec71166da6..27c90949d6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md index fe25d088f2..b78412c268 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md index 009f8a35ab..5e696490b6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md index 4e1b579be2..66ac0616c3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 10/13/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index 8c9da9bfcd..c85924b254 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md index 07a4161fda..35b9675e4c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md index b216fa6fa5..b8dff87c25 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md index 7b9bbb1637..fdba7959a0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md index 4ec88b21fc..a7077bd6b7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md index 7e6d3a3a64..cf5e0d7301 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md index e2a66c497c..93e36b568f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md index c7817633da..56ef43a232 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md index 31ac2a2881..bf60367a08 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md index 1b711c83d1..46a0ba3967 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md index b584cf1375..612e3824d2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index d0acae691d..45529acef2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md @@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 71bfcb91e5..e5cd39f92c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md index 9f11c8482a..686d4be09d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index 19b0fe1159..36b1d0017d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md index 09a6f698ed..6d7fb0b8d9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md index 3f65a1e334..292c50818f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md index 544b30162f..47b6d2df84 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md index 2c487d8854..9926340d47 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index 8400f6cb17..9da9555294 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: andreabichsel +ms.localizationpriority: medium msauthor: v-anbic ms.date: 08/27/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index f2d785d66a..740a8eab56 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md @@ -18,7 +18,7 @@ ms.date: 05/03/2018 - Windows 10 - Windows Server 2016 -When WDAC policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can merge it with your existing WDAC policies. +Running Appication Control in audit mode allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can merge it with your existing WDAC policies. Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see [Create an initial Windows Defender Application Control policy from a reference computer](#create-initial-default-policy). diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index 7303a1371c..54c89364d5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: jsuther1974 ms.date: 02/28/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md b/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md index c91ecd2bc3..e49dcb1440 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index c2ea74a274..b6683d45c4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: jsuther1974 ms.date: 02/28/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md index a8c0e32665..46f8a8a3c8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: jsuther1974 ms.date: 02/28/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 2012791205..857ab2ea09 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha ms.date: 05/17/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md b/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md index 41f09c0b09..68bc862fd3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md +++ b/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index b5fdd41d57..26155f371a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium author: jsuther1974 -ms.date: 08/16/2018 +ms.date: 08/31/2018 --- # Microsoft recommended block rules @@ -137,6 +137,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + @@ -705,7 +706,7 @@ Microsoft recommends that you block the following Microsoft-signed applications - + - You can also download the entire list in CSV format using the **Export to CSV** feature. For more information on filters, see [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md). You can filter the health state list by the following status: @@ -61,7 +46,7 @@ You can view the machine details when you click on a misconfigured or inactive m ![Windows Defender ATP sensor filter](images/atp-machine-health-details.png) -In the **Machines list**, you can download a full list of all the machines in your organization in a CSV format. To download, click the **Manage Alert** menu icon on the top corner of the page. +In the **Machines list**, you can download a full list of all the machines in your organization in a CSV format. >[!NOTE] >Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is. diff --git a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md index 432cfcfa13..3ff19840f0 100644 --- a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 04/24/2018 # Enable conditional access to better protect users, devices, and data **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) @@ -69,89 +64,9 @@ The following example sequence of events explains conditional access in action: 4. The manual or automated investigation and remediation is completed and the threat is removed. Windows Defender ATP sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications. 5. Users can now access applications. - - - ## Configure conditional access -This section guides you through all the steps you need to take to properly implement conditional access. - -### Before you begin ->[!WARNING] ->It's important to note that Azure AD registered devices is not supported in this scenario.
->Only Intune enrolled devices are supported. - -You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune: - - -- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) -- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school) -- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-joined-devices-setup). - - - -There are steps you'll need to take in Windows Defender Security Center, the Intune portal, and Azure AD portal. - -> [!NOTE] -> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices. - -Take the following steps to enable conditional access: -- Step 1: Turn on the Microsoft Intune connection from Windows Defender Security Center -- Step 2: Turn on the Windows Defender ATP integration in Intune -- Step 3: Create the compliance policy in Intune -- Step 4: Assign the policy -- Step 5: Create an Azure AD conditional access policy - - -### Step 1: Turn on the Microsoft Intune connection -1. In the navigation pane, select **Settings** > **Advanced features** > **Microsoft Intune connection**. -2. Toggle the Microsoft Intune setting to **On**. -3. Click **Save preferences**. - - -### Step 2: Turn on the Windows Defender ATP integration in Intune -1. Sign in to the [Azure portal](https://portal.azure.com). -2. Select **Device compliance** > **Windows Defender ATP**. -3. Set **Connect Windows 10.0.15063+ devices to Windows Defender Advanced Threat Protection** to **On**. -4. Click **Save**. - - -### Step 3: Create the compliance policy in Intune -1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**. -2. Select **Device compliance** > **Policies** > **Create policy**. -3. Enter a **Name** and **Description**. -4. In **Platform**, select **Windows 10 and later**. -5. In the **Device Health** settings, set **Require the device to be at or under the Device Threat Level** to your preferred level: - - - **Secured**: This level is the most secure. The device cannot have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant. - - **Low**: The device is compliant if only low-level threats exist. Devices with medium or high threat levels are not compliant. - - **Medium**: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant. - - **High**: This level is the least secure, and allows all threat levels. So devices that with high, medium or low threat levels are considered compliant. - -6. Select **OK**, and **Create** to save your changes (and create the policy). - -### Step 4: Assign the policy -1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**. -2. Select **Device compliance** > **Policies**> select your Windows Defender ATP compliance policy. -3. Select **Assignments**. -4. Include or exclude your Azure AD groups to assign them the policy. -5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance. - -### Step 5: Create an Azure AD conditional access policy -1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional access** > **New policy**. -2. Enter a policy **Name**, and select **Users and groups**. Use the Include or Exclude options to add your groups for the policy, and select **Done**. -3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes. - -4. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes. - -5. Select **Grant** to apply conditional access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes. - -6. Select **Enable policy**, and then **Create** to save your changes. - -For more information, see [Enable Windows Defender ATP with conditional access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection). - ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink) - + ## Related topic -- [Configure advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) +- [Configure conditional access in Windows Defender ATP](configure-conditional-access-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md index c4633c09c3..922143b7f4 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 10/16/2017 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md new file mode 100644 index 0000000000..f48dd12b3e --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md @@ -0,0 +1,38 @@ +--- +title: +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 07/01/2018 +--- + +# Configure attack surface reduction + +You can configure attack surface reduction with a number of tools, including: + +- Microsoft Intune +- System Center Configuration Manager +- Group Policy +- PowerShell cmdlets + + +The topics in this section describe how to configure attack surface reduction. Each topic includes instructions for the applicable configuration tool (or tools). + +## In this section +Topic | Description +:---|:--- +[Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to preprare for and install Application Guard, including hardware and softeware requirements +[Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and potect kernel mode processes +[Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps +[Network protection](../windows-defender-exploit-guard/enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains +[Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)|How to protect valuable data from malicious apps +[Attack surface reduction](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)|How to prevent actions and aopps that are typically used for by exploit-seeking malware +[Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)|How to protect devices and data across a network + diff --git a/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..7e52942346 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md @@ -0,0 +1,96 @@ +--- +title: Configure conditional access in Windows Defender ATP +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Configure conditional access in Windows Defender ATP +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +This section guides you through all the steps you need to take to properly implement conditional access. + +### Before you begin +>[!WARNING] +>It's important to note that Azure AD registered devices is not supported in this scenario.
+>Only Intune enrolled devices are supported. + +You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune: + + +- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) +- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school) +- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-joined-devices-setup). + + + +There are steps you'll need to take in Windows Defender Security Center, the Intune portal, and Azure AD portal. + +> [!NOTE] +> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices. + +Take the following steps to enable conditional access: +- Step 1: Turn on the Microsoft Intune connection from Windows Defender Security Center +- Step 2: Turn on the Windows Defender ATP integration in Intune +- Step 3: Create the compliance policy in Intune +- Step 4: Assign the policy +- Step 5: Create an Azure AD conditional access policy + + +### Step 1: Turn on the Microsoft Intune connection +1. In the navigation pane, select **Settings** > **Advanced features** > **Microsoft Intune connection**. +2. Toggle the Microsoft Intune setting to **On**. +3. Click **Save preferences**. + + +### Step 2: Turn on the Windows Defender ATP integration in Intune +1. Sign in to the [Azure portal](https://portal.azure.com). +2. Select **Device compliance** > **Windows Defender ATP**. +3. Set **Connect Windows 10.0.15063+ devices to Windows Defender Advanced Threat Protection** to **On**. +4. Click **Save**. + + +### Step 3: Create the compliance policy in Intune +1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**. +2. Select **Device compliance** > **Policies** > **Create policy**. +3. Enter a **Name** and **Description**. +4. In **Platform**, select **Windows 10 and later**. +5. In the **Device Health** settings, set **Require the device to be at or under the Device Threat Level** to your preferred level: + + - **Secured**: This level is the most secure. The device cannot have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant. + - **Low**: The device is compliant if only low-level threats exist. Devices with medium or high threat levels are not compliant. + - **Medium**: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant. + - **High**: This level is the least secure, and allows all threat levels. So devices that with high, medium or low threat levels are considered compliant. + +6. Select **OK**, and **Create** to save your changes (and create the policy). + +### Step 4: Assign the policy +1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**. +2. Select **Device compliance** > **Policies**> select your Windows Defender ATP compliance policy. +3. Select **Assignments**. +4. Include or exclude your Azure AD groups to assign them the policy. +5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance. + +### Step 5: Create an Azure AD conditional access policy +1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional access** > **New policy**. +2. Enter a policy **Name**, and select **Users and groups**. Use the Include or Exclude options to add your groups for the policy, and select **Done**. +3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes. + +4. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes. + +5. Select **Grant** to apply conditional access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes. + +6. Select **Enable policy**, and then **Create** to save your changes. + +For more information, see [Enable Windows Defender ATP with conditional access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection). + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index 24160d9cd2..1d3703c9be 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 07/16/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 980252189b..ba9cdde442 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -18,10 +18,7 @@ ms.date: 04/24/2018 **Applies to:** - Group Policy -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 83f63e9c62..4d35506749 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index cbc1b85dda..d0bf0a6cbd 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) - System Center 2012 Configuration Manager or later versions diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 8236a40cf4..ea54c42092 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md index c0ae298a7a..8b93f17477 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 07/12/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..82a78124e7 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md @@ -0,0 +1,283 @@ +--- +title: Configure managed security service provider support +description: Take the necessary steps to configure the MSSP integration with Windows Defender ATP +keywords: managed security service provider, mssp, configure, integration +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Configure managed security service provider integration + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) + +[!include[Prereleaseinformation](prerelease.md)] + +You'll need to take the following configuration steps to enable the managed security service provider (MSSP) integration. + +>[!NOTE] +>The following terms are used in this article to distinguish between the service provider and service consumer: +> - MSSPs: Security organizations that offer to monitor and manage security devices for an organization. +> - MSSP customers: Organizations that engage the services of MSSPs. + +The integration will allow MSSPs to take the following actions: +- Get access to MSSP customer's Windows Defender Security Center portal +- Get email notifications, and +- Fetch alerts through security information and event management (SIEM) tools + +Before MSSPs can take these actions, the MSSP customer will need to grant access to their Windows Defender ATP tenant so that the MSSP can access the portal. + +Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP. + + +In general, the following configuration steps need to be taken: + +- **Grant the MSSP access to Windows Defender Security Center**
+This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Windows Defender ATP tenant. + +- **Configure alert notifications sent to MSSPs**
+This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer. + +- **Fetch alerts from MSSP customer's tenant into SIEM system**
+This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools. + +- **Fetch alerts from MSSP customer's tenant using APIs**
+This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs. + + +## Grant the MSSP access to the portal + +>[!NOTE] +> These set of steps are directed towards the MSSP customer.
+> Access to the portal can can only be done by the MSSP customer. + +As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center. + +Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality. + +You'll need to take the following 2 steps: +- Add MSSP user to your tenant as a guest user +- Grant MSSP user access to Windows Defender Security Center + +### Add MSSP user to your tenant as a guest user +Add a user who is a member of the MSSP tenant to your tenant as a guest user. + +To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator). + +### Grant MSSP user access to Windows Defender Security Center +Grant the guest user access and permissions to your Windows Defender Security Center tenant. + +Granting access to guest user is done the same way as granting access to a user who is a member of your tenant. + +If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md). + +If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Windows Defender ATP, see [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md). + +>[!NOTE] +>There is no difference between the Member user and Guest user roles from RBAC perspective. + +It is recommended that groups are created for MSSPs to make authorization access more manageable. + +As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups. + +## Access the Windows Defender Security Center MSSP customer portal + +>[!NOTE] +>These set of steps are directed towards the MSSP. + +By default, MSSP customers access their Windows Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`. + +MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal. + +In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage. + + +Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL: + +1. As an MSSP, login to Azure AD with your credentials. + +2. Switch directory to the MSSP customer's tenant. + +3. Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field. + +4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com?tid=customer_tenant_id`. + +## Configure alert notifications that are sent to MSSPs + +>[!NOTE] +>This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer. + +After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met. + +For more information, see [Create rules for alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md#create-rules-for-alert-notifications). + +These check boxes must be checked: + - **Include organization name** - The customer name will be added to email notifications + - **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal + + +## Fetch alerts from MSSP customer's tenant into the SIEM system + +>[!NOTE] +>This action is taken by the MSSP. + + +To fetch alerts into your SIEM system you'll need to take the following steps: + +Step 1: Create a third-party application + +Step 2: Get access and refresh tokens from your customer's tenant + +Step 3: Whitelist your application on Windows Defender Security Center + + + +### Step 1: Create an application in Azure Active Directory (Azure AD) +You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows Defender ATP tenant. + +1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/). + +2. Select **Azure Active Directory** > **App registrations**. + +3. Click **New application registration**. + +4. Specify the following values: + + - Name: \ SIEM MSSP Connector (replace Tenant_name with the tenant display name) + - Application type: Web app / API + - Sign-on URL: `https://SiemMsspConnector` + +5. Click **Create**. The application is displayed in the list of applications you own. + +6. Select the application, then click **Settings** > **Properties**. + +7. Copy the value from the **Application ID** field. + +8. Change the value in the **App ID URI** to: `https:///SiemMsspConnector` (replace \ with the tenant name. + +9. Ensure that the **Multi-tenanted** field is set to **Yes**. + +10. In the **Settings** panel, select **Reply URLs** and add the following URL: `https://localhost:44300/wdatpconnector`. + +11. Click **Save**. + +12. Select **Keys** and specify the following values: + + - Description: Enter a description for the key. + - Expires: Select **In 1 year** + +13. Click **Save**. Save the value is a safe place, you'll need this + +### Step 2: Get access and refresh tokens from your customer's tenant +This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow. + +After providing your credentials, you'll need to grant consent to the application so that the application is provisioned in the customer's tenant. + + +1. Create a new folder and name it: `MsspTokensAcquisition`. + +2. Download the [LoginBrowser.psm1 module](https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL/blob/master/Authorization%20Code%20Grant%20Flow/LoginBrowser.psm1) and save it in the `MsspTokensAcquisition` folder. + + >[!NOTE] + >In line 30, replace `authorzationUrl` with `authorizationUrl`. + +3. Create a file with the following content and save it with the name `MsspTokensAcquisition.ps1` in the folder: + ``` + param ( + [Parameter(Mandatory=$true)][string]$clientId, + [Parameter(Mandatory=$true)][string]$secret, + [Parameter(Mandatory=$true)][string]$tenantId + ) + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + + # Load our Login Browser Function + Import-Module .\LoginBrowser.psm1 + + # Configuration parameters + $login = "https://login.microsoftonline.com" + $redirectUri = "https://SiemMsspConnector" + $resourceId = "https://graph.windows.net" + + Write-Host 'Prompt the user for his credentials, to get an authorization code' + $authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f + $login, $tenantId, $clientId, $redirectUri, $resourceId) + Write-Host "authorzationUrl: $authorizationUrl" + + # Fake a proper endpoint for the Redirect URI + $code = LoginBrowser $authorizationUrl $redirectUri + + # Acquire token using the authorization code + + $Body = @{ + grant_type = 'authorization_code' + client_id = $clientId + code = $code + redirect_uri = $redirectUri + resource = $resourceId + client_secret = $secret + } + + $tokenEndpoint = "$login/$tenantId/oauth2/token?" + $Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body + $token = $Response.access_token + $refreshToken= $Response.refresh_token + + Write-Host " ----------------------------------- TOKEN ---------------------------------- " + Write-Host $token + + Write-Host " ----------------------------------- REFRESH TOKEN ---------------------------------- " + Write-Host $refreshToken + ``` +4. Open an elevated PowerShell command prompt in the `MsspTokensAcquisition` folder. + +5. Run the following command: + `Set-ExecutionPolicy -ExecutionPolicy Bypass` + +6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId -secret -tenantId ` + + - Replace \ with the Application ID you got from the previous step. + - Replace \ with the application key you created from the previous step. + - Replace \ with your customer's tenant ID. + +7. You'll be asked to provide your credentials and consent. Ignore the page redirect. + +8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector. + +### Step 3: Whitelist your application on Windows Defender Security Center +You'll need to whitelist the application you created in Windows Defender Security Center. + +You'll need to have **Manage portal system settings** permission to whitelist the application. Otherwise, you'll need to request your customer to whitelist the application for you. + +1. Go to `https://securitycenter.windows.com?tid=` (replace \ with the customer's tenant ID. + +2. Click **Settings** > **SIEM**. + +3. Select the **MSSP** tab. + +4. Enter the **Application ID** from the first step and your **Tenant ID**. + +5. Click **Authorize application**. + +You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md). + +- In the ArcSight configuration file / Splunk Authentication Properties file you will have to write your application key manually by settings the secret value. +- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means). + +## Fetch alerts from MSSP customer's tenant using APIs +For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md). + +## Related topics +- [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md) +- [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) +- [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) +- [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) + diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 23f06ea316..d9a8498c73 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -18,10 +18,7 @@ ms.date: 05/29/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index cf4dafd48d..d31a895006 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -1,15 +1,15 @@ --- title: Onboard servers to the Windows Defender ATP service description: Onboard servers so that they can send sensor data to the Windows Defender ATP sensor. -keywords: onboard server, server, server onboarding, machine management, configure Windows ATP servers, onboard Windows Defender Advanced Threat Protection servers +keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, machine management, configure Windows ATP servers, onboard Windows Defender Advanced Threat Protection servers search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: mjcaparas -ms.localizationpriority: high -ms.date: 08/08/2018 +ms.localizationpriority: medium +ms.date: 09/06/2018 --- # Onboard servers to the Windows Defender ATP service @@ -19,25 +19,28 @@ ms.date: 08/08/2018 - Windows Server 2012 R2 - Windows Server 2016 - Windows Server, version 1803 +- Windows Server, 2019 - Windows Defender Advanced Threat Protection (Windows Defender ATP) - +[!include[Prerelease information](prerelease.md)] >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink) + Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console. The service supports the onboarding of the following servers: - Windows Server 2012 R2 - Windows Server 2016 - Windows Server, version 1803 +- Windows Server 2019 -## Onboard Windows Server 2012 R2 and Windows Server 2016 +## Windows Server 2012 R2 and Windows Server 2016 -To onboard your servers to Windows Defender ATP, you’ll need to: +To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP, you’ll need to: - For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. -- Turn on server monitoring from the Windows Defender Security Center portal. +- Turn on server monitoring from Windows Defender Security Center. - If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below. >[!TIP] @@ -97,8 +100,8 @@ Agent Resource | Ports | winatp-gw-aus.microsoft.com | 443| | winatp-gw-aue.microsoft.com |443 | -## Onboard Windows Server, version 1803 -You’ll be able to onboard in the same method available for Windows 10 client machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. +## Windows Server, version 1803 and Windows Server 2019 +To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. 1. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). @@ -134,7 +137,7 @@ The following capabilities are included in this integration: > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. - Servers monitored by Azure Security Center will also be available in Windows Defender ATP - Azure Security Center seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers. In addition, Windows Defender ATP alerts will be available in the Azure Security Center console. -- Server investigation - Azure Security Center customers can access the Windows Defender ATP portal to perform detailed investigation to uncover the scope of a potential breach +- Server investigation - Azure Security Center customers can access Windows Defender Security Center to perform detailed investigation to uncover the scope of a potential breach >[!IMPORTANT] >- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. @@ -143,7 +146,7 @@ The following capabilities are included in this integration: ## Offboard servers -You can offboard Windows Server, version 1803 in the same method available for Windows 10 client machines. +You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines. For other server versions, you have two options to offboard servers from the service: - Uninstall the MMA agent diff --git a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md index f499b17917..5c36c805e4 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 10/16/2017 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md index ed37cdaedb..03f3013863 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 10/16/2017 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md new file mode 100644 index 0000000000..e9d21b6f95 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md @@ -0,0 +1,63 @@ +--- +title: Create custom detection rules in Windows Defender ATP +description: Learn how to create custom detections rules based on advanced hunting queries +keywords: create custom detections, detections, advanced hunting, hunt, detect, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + + +# Create custom detections rules +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +1. In the navigation pane, select **Advanced hunting**. + +2. Select an existing query that you'd like to base the monitor on or create a new query. + +3. Select **Create detection rule**. + +4. Specify the alert details: + + - Alert title + - Severity + - Category + - Description + - Recommended actions + +5. Click **Create**. + +> [!TIP] +> TIP #1: Running the query for the first time before saving it can help you find any mistakes or errors and give you a preview of the data you can expect to be returned.
+> When a new detection rule is created, it will run for the first time (it might take a few minutes) and raise any alerts created by this rule. After that, the rule will automatically run every 24 hours.
+> TIP #2: Since the detection automatically runs every 24 hours, it's best to query data in the last 24 hours. + +## Manage existing custom detection rules +View existing rules in your network, see the last results of each rule, navigate to view all alerts that were created by each rule. You can also modify existing rules. + +1. In the navigation pane, select **Settings** > **Custom detections**. You'll see all the detections created in the system. + +2. Select one of the rules to take any of the following actions: + - Open related alerts - See all the alerts that were raised based to this rule + - Run - Run the selected detection immediately. + + > [!NOTE] + > The next run for the query will be in 24 hours after the last run. + + - Edit - Modify the settings of the rule. + - Modify query - View and edit the query itself. + - Turn off - Stop the query from running. + - Delete + + +## Related topic +- [Custom detections overview](overview-custom-detections.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md index 43933756ec..229300b01e 100644 --- a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md index 2e13780e25..b98dc92230 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md @@ -16,10 +16,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md index 26e859fb08..80d84f08c0 100644 --- a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md index 1d1154af3b..4896e983e7 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md index bddab1a14d..1afddb33b9 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) @@ -32,8 +29,6 @@ Set the baselines for calculating the score of Windows Defender security control 1. In the navigation pane, select **Settings** > **Secure Score**. - ![Image of Secure Score controls from Preferences setup menu](images/atp-enable-security-analytics.png) - 2. Select the security control, then toggle the setting between **On** and **Off**. 3. Click **Save preferences**. diff --git a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md index 44e55b2b9b..123c537dc8 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md b/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md new file mode 100644 index 0000000000..760908772b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md @@ -0,0 +1,38 @@ +--- +title: Evaluate Windows Defender Advanced Threat Protection +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 08/10/2018 +--- + +# Evaluate Windows Defender ATP +Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. + +You can evaluate Windows Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp). + +You can also evaluate the different security capabilities in Windows Defender ATP by using the following instructions. + +## Evaluate attack surface reduction +These capabilities help prevent attacks and exploitations from infecting your organization. +- [Evaluate attack surface reduction](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md) +- [Evaluate exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md) +- [Evaluate network protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md) +- [Evaluate controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md) +- [Evaluate application guard](../windows-defender-application-guard/test-scenarios-wd-app-guard.md) +- [Evaluate network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) + +## Evaluate next generation protection +Next gen protections help detect and block the latest threats. +- [Evaluate antivirus](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md) + + +## See Also +[Get started with Windows Defender Advanced Threat Protection](get-started.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md index 9fe88c8887..03354b9f6a 100644 --- a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md @@ -19,10 +19,7 @@ ms.date: 05/21/2018 **Applies to:** - Event Viewer -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md index 137a1b8070..68a5bbfdf5 100644 --- a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 11/09/2017 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md index 8864102a57..860ff1eee2 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 10/23/2017 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md index 91c12aa3e0..1de9e6fc6b 100644 --- a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 10/23/2017 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/get-started.md b/windows/security/threat-protection/windows-defender-atp/get-started.md new file mode 100644 index 0000000000..99adb3128e --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-started.md @@ -0,0 +1,54 @@ +--- +title: Get started with Windows Defender Advanced Threat Protection +description: Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP. +keywords: get started, minimum requirements, setup, subscription, features, data storage, privacy, user access +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Get started with Windows Defender Advanced Threat Protection +Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP. + +The following capabilities are available across multiple products that make up the Windows Defender ATP platform. + +**Attack surface reduction**
+The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. + +**Next generation protection**
+To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. + +**Endpoint protection and response**
+Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. + +**Auto investigation and remediation**
+In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. + +**Secure score**
+Windows Defender ATP provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network. + +**Advanced hunting**
+Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Windows Defender Security Center. + +**Management and APIs**
+Integrate Windows Defender Advanced Threat Protection into your existing workflows. + +**Microsoft threat protection**
+Bring the power of Microsoft threat protection to your organization. + +## In this section +Topic | Description +:---|:--- +[Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) | Learn about the requirements for onboarding machines to the platform. +[Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md) | Get guidance on how to check that licenses have been provisioned to your organization and how to access the portal for the first time. +[Preview features](preview-windows-defender-advanced-threat-protection.md) | Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. +[Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) | Explains the data storage and privacy details related to Windows Defender ATP. +[Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md) | Set permissions to manage who can access the portal. You can set basic permissions or set granular permissions using role-based access control (RBAC). +[Evaluate Windows Defender ATP](evaluate-atp.md) | Evaluate the various capabilities in Windows Defender ATP and test features out. +[Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. \ No newline at end of file diff --git a/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md b/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md similarity index 98% rename from windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md rename to windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md index 04430822f3..199ece9336 100644 --- a/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha ms.date: 08/01/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/images/active-alerts-tile.png b/windows/security/threat-protection/windows-defender-atp/images/active-alerts-tile.png new file mode 100644 index 0000000000..19428a4156 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/active-alerts-tile.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/advanced-features.png b/windows/security/threat-protection/windows-defender-atp/images/advanced-features.png new file mode 100644 index 0000000000..614b37509d Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/advanced-features.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png b/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png index bafa469657..4a894f8c27 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png and b/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/alerts-queue-list.png b/windows/security/threat-protection/windows-defender-atp/images/alerts-queue-list.png new file mode 100644 index 0000000000..b62bd16313 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/alerts-queue-list.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-active-investigations-tile.png b/windows/security/threat-protection/windows-defender-atp/images/atp-active-investigations-tile.png index 6950882187..9d46d16055 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-active-investigations-tile.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-active-investigations-tile.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting.png b/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting.png index f43355e6e2..e023ffdfd6 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-view.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-view.png index 1b6c2dfa10..1d9c37de33 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-view.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-view.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG index dcaa87034d..680603087c 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG and b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png index 4fcc40c32c..ec05ebcd1f 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-tile.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-tile.png index 7a975960a1..40a8d079a4 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-tile.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-tile.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigations-list.png b/windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigations-list.png index b2cdc68a24..2ac2a20e91 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigations-list.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigations-list.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-automated-investigations-statistics.png b/windows/security/threat-protection/windows-defender-atp/images/atp-automated-investigations-statistics.png index 82565d784f..deefc7b684 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-automated-investigations-statistics.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-automated-investigations-statistics.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine-user.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine-user.png index c2c13fe289..80ee13a00e 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine-user.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine-user.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine.png index 62e88527b3..c92c48edf0 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-cloud-discovery-dashboard-menu.png b/windows/security/threat-protection/windows-defender-atp/images/atp-cloud-discovery-dashboard-menu.png new file mode 100644 index 0000000000..df043c168e Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-cloud-discovery-dashboard-menu.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png b/windows/security/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png index e46f058e86..2d4b4fc334 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-file-action.png b/windows/security/threat-protection/windows-defender-atp/images/atp-file-action.png index 6d0e7a9d55..ffff95d0b6 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-file-action.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-file-action.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details-page.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details-page.png new file mode 100644 index 0000000000..043255312e Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details-page.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details.png new file mode 100644 index 0000000000..0135cd0a3f Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-evidence-tab.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-evidence-tab.png new file mode 100644 index 0000000000..0b52a39faa Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-evidence-tab.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph-details.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph-details.png new file mode 100644 index 0000000000..5875c6fdb3 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph-details.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph-tab.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph-tab.png new file mode 100644 index 0000000000..7944809cde Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph-tab.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-investigations-tab.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-investigations-tab.png new file mode 100644 index 0000000000..ffac35fc9b Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-investigations-tab.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-machine-tab.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-machine-tab.png new file mode 100644 index 0000000000..1e4d52ff8d Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-machine-tab.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-queue.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-queue.png new file mode 100644 index 0000000000..a2a61cb49b Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-queue.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-mgt-pane.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-mgt-pane.png new file mode 100644 index 0000000000..7d02d3d6ed Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-mgt-pane.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png index e2e3ae3944..4aa7b0b33b 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png index 9347d09c04..2a637f7560 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-timeline.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-timeline.png index eccd6e9aec..1b65743d36 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-timeline.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-timeline.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mcas-settings.png b/windows/security/threat-protection/windows-defender-atp/images/atp-mcas-settings.png new file mode 100644 index 0000000000..11e12c2890 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-mcas-settings.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png b/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png index ee2cf3dc71..94b1da42ea 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-list.png b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-list.png index 55113991e6..8da2532df7 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-list.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-list.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-notification.png b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-notification.png index af05f88e0b..415835330e 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-notification.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-notification.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-rename-incident.png b/windows/security/threat-protection/windows-defender-atp/images/atp-rename-incident.png new file mode 100644 index 0000000000..3df94c2e4d Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-rename-incident.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-dashboard.png b/windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-dashboard.png index 5a4816bf80..56a204ca39 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-dashboard.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-dashboard.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-suspicious-activities-tile.png b/windows/security/threat-protection/windows-defender-atp/images/atp-suspicious-activities-tile.png index 0989362804..3be42e4c9d 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-suspicious-activities-tile.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-suspicious-activities-tile.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png b/windows/security/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png index dce4ee3f5e..e39ee3c1ed 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view-azureatp.png b/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view-azureatp.png index 2fcb58e44f..e3f37f7626 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view-azureatp.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view-azureatp.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-users-at-risk.png b/windows/security/threat-protection/windows-defender-atp/images/atp-users-at-risk.png index c2b81ca99a..dc9414f4cf 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-users-at-risk.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-users-at-risk.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/cloud-apps.png b/windows/security/threat-protection/windows-defender-atp/images/cloud-apps.png new file mode 100644 index 0000000000..0c1aa96a37 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/cloud-apps.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/cloud-discovery.png b/windows/security/threat-protection/windows-defender-atp/images/cloud-discovery.png new file mode 100644 index 0000000000..f4ff016260 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/cloud-discovery.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/dashboard.png b/windows/security/threat-protection/windows-defender-atp/images/dashboard.png index 974708504f..a91410b6a2 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/dashboard.png and b/windows/security/threat-protection/windows-defender-atp/images/dashboard.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/io.png b/windows/security/threat-protection/windows-defender-atp/images/io.png index a03e5fb917..4f2babfee6 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/io.png and b/windows/security/threat-protection/windows-defender-atp/images/io.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/machines-at-risk-tile.png b/windows/security/threat-protection/windows-defender-atp/images/machines-at-risk-tile.png new file mode 100644 index 0000000000..04480e2b04 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/machines-at-risk-tile.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/machines-list.png b/windows/security/threat-protection/windows-defender-atp/images/machines-list.png new file mode 100644 index 0000000000..8ffba20f49 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/machines-list.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/mss.png b/windows/security/threat-protection/windows-defender-atp/images/mss.png index 63a22c2e50..2935e70089 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/mss.png and b/windows/security/threat-protection/windows-defender-atp/images/mss.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/new-secure-score-dashboard.png b/windows/security/threat-protection/windows-defender-atp/images/new-secure-score-dashboard.png new file mode 100644 index 0000000000..b302d30f54 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/new-secure-score-dashboard.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/new-ssot.png b/windows/security/threat-protection/windows-defender-atp/images/new-ssot.png new file mode 100644 index 0000000000..2dc4cba2f2 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/new-ssot.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/sec-ops-dashboard.png b/windows/security/threat-protection/windows-defender-atp/images/sec-ops-dashboard.png new file mode 100644 index 0000000000..f858a4664a Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/sec-ops-dashboard.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/status-tile.png b/windows/security/threat-protection/windows-defender-atp/images/status-tile.png index 452918b63f..bdc4ec022d 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/status-tile.png and b/windows/security/threat-protection/windows-defender-atp/images/status-tile.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/ta.png b/windows/security/threat-protection/windows-defender-atp/images/ta.png new file mode 100644 index 0000000000..db89f750a7 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ta.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/threat-analytics-report.png b/windows/security/threat-protection/windows-defender-atp/images/threat-analytics-report.png new file mode 100644 index 0000000000..374a1e58b2 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/threat-analytics-report.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/top-recommendations.png b/windows/security/threat-protection/windows-defender-atp/images/top-recommendations.png new file mode 100644 index 0000000000..2b08ddae2e Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/top-recommendations.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/win10-endpoint-users.png b/windows/security/threat-protection/windows-defender-atp/images/win10-endpoint-users.png new file mode 100644 index 0000000000..04eaa248a9 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/win10-endpoint-users.png differ diff --git a/windows/security/identity-protection/images/windows-defender-system-guard-boot-time-integrity.png b/windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard-boot-time-integrity.png similarity index 100% rename from windows/security/identity-protection/images/windows-defender-system-guard-boot-time-integrity.png rename to windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard-boot-time-integrity.png diff --git a/windows/security/identity-protection/images/windows-defender-system-guard-validate-system-integrity.png b/windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard-validate-system-integrity.png similarity index 100% rename from windows/security/identity-protection/images/windows-defender-system-guard-validate-system-integrity.png rename to windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard-validate-system-integrity.png diff --git a/windows/security/identity-protection/images/windows-defender-system-guard.png b/windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard.png similarity index 100% rename from windows/security/identity-protection/images/windows-defender-system-guard.png rename to windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard.png diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md index 5f1f375b3f..6e47b6ddea 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md @@ -16,10 +16,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md index f57e046676..6640bb6e9f 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md @@ -16,10 +16,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md index 8a0c91b597..29592bd0f8 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md @@ -16,10 +16,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index c6beecee0e..c88e3f9b5e 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -10,13 +10,12 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 08/01/2018 +ms.date: 09/03/2018 --- # Investigate machines in the Windows Defender ATP Machines list **Applies to:** - - Windows Defender Advanced Threat Protection (Windows Defender ATP) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) @@ -148,76 +147,13 @@ From the list of events that are displayed in the timeline, you can examine the ![Image of machine timeline details pane](images/atp-machine-timeline-details-panel.png) -You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine. +You can also use the [Artifact timeline](investigate-alerts-windows-defender-advanced-threat-protection.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine. Expand an event to view associated processes related to the event. Click on the circle next to any process or IP address in the process tree to investigate additional details of the identified processes. This action brings up the **Details pane** which includes execution context of processes, network communications and a summary of meta data on the file or IP address. The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context. -## Add machine tags -You can add tags on machines during an investigation. Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. -You can add tags on machines using the following ways: -- By setting a registry key value -- By using the portal - -### Add machine tags by setting a registry key value -Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by selecting the Tag filter on the Machines list. - ->[!NOTE] -> Applicable only on the following machines: ->- Windows 10, version 1709 or later ->- Windows Server, version 1803 or later ->- Windows Server 2016 ->- Windows Server 2012 R2 - -Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines. - -Use the following registry key entry to add a tag on a machine: - -- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` -- Registry key value (string): Group - ->[!NOTE] ->The device tag is part of the machine information report that’s generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report. - - -### Add machine tags using the portal -Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag. - -1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views: - - - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. - - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - - **Machines list** - Select the machine name from the list of machines. - - **Search box** - Select Machine from the drop-down menu and enter the machine name. - - You can also get to the alert page through the file and IP views. - -2. Open the **Actions** menu and select **Manage tags**. - - ![Image of taking action to manage tags on a machine](images/atp-manage-tags.png) - -3. Enter tags on the machine. To add more tags, click the + icon. -4. Click **Save and close**. - - ![Image of adding tags on a machine](images/atp-save-tag.png) - - Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** filter to see the relevant list of machines. - -### Manage machine tags -You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel. - -![Image of adding tags on a machine](images/atp-tag-management.png) - -## Use machine groups in an investigation -Machine group affiliation can represent geographic location, specific activity, importance level and others. - -You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or who can see information on a specific machine group or groups by assigning the machine group to a user group. For more information, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md). - -You can also use machine groups to assign specific remediation levels to apply during automated investigations. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). - -In an investigation, you can filter the Machines list to just specific machine groups by using the Groups filter. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md index 778f8d48b4..c2460df138 100644 --- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md @@ -16,10 +16,7 @@ ms.date: 10/16/2017 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) @@ -112,7 +109,7 @@ When accessing [Windows Defender Security Center](https://SecurityCenter.Windows ![Image of final preference set up](images\atp-final-preference-setup.png) -9. A dedicated cloud instance of Windows Defender Security Center portal is being created at this time. This step will take an average of 5 minutes to complete. +9. A dedicated cloud instance of Windows Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete. ![Image of Windows Defender ATP cloud instance](images\atp-windows-cloud-instance-creation.png) diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md index eade1924be..2969a1b1a1 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md @@ -16,10 +16,7 @@ ms.date: 05/08/2018 # Create and manage machine groups in Windows Defender ATP **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Azure Active Directory - Office 365 - Windows Defender Advanced Threat Protection (Windows Defender ATP) @@ -42,7 +39,7 @@ As part of the process of creating a machine group, you'll: >A machine group is accessible to all users if you don’t assign any Azure AD groups to it. -## Add a machine group +## Create a machine group 1. In the navigation pane, select **Settings** > **Machine groups**. diff --git a/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..eb5a096cf1 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md @@ -0,0 +1,81 @@ +--- +title: Create and manage machine tags +description: Use machine tags to group machines to capture context and enable dynamic list creation as part of an incident +keywords: tags, machine tags, machine groups, groups, remediation, level, rules, aad group, role, assign, rank +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/13/2018 +--- + +# Create and manage machine tags +Add tags on machines to create a logical group affiliation. Machine group affiliation can represent geographic location, specific activity, importance level and others. + +You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or who can see information on a specific machine group or groups by assigning the machine group to a user group. For more information, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md). + +You can also use machine groups to assign specific remediation levels to apply during automated investigations. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). + +In an investigation, you can filter the Machines list to just specific machine groups by using the Groups filter. + + +Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. + +You can add tags on machines using the following ways: +- By setting a registry key value +- By using the portal + +## Add machine tagsby setting a registry key value +Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by selecting the Tag filter on the Machines list. + +>[!NOTE] +> Applicable only on the following machines: +>- Windows 10, version 1709 or later +>- Windows Server, version 1803 or later +>- Windows Server 2016 +>- Windows Server 2012 R2 + +Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines. + +Use the following registry key entry to add a tag on a machine: + +- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` +- Registry key value (string): Group + +>[!NOTE] +>The device tag is part of the machine information report thats generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report. + + +## Add machine tags using the portal +Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag. + +1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views: + + - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. + - **Machines list** - Select the machine name from the list of machines. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. + + You can also get to the alert page through the file and IP views. + +2. Open the **Actions** menu and select **Manage tags**. + + ![Image of taking action to manage tags on a machine](images/atp-manage-tags.png) + +3. Enter tags on the machine. To add more tags, click the + icon. +4. Click **Save and close**. + + ![Image of adding tags on a machine](images/atp-save-tag.png) + + Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** filter to see the relevant list of machines. + +### Manage machine tags +You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel. + +![Image of adding tags on a machine](images/atp-tag-management.png) + + diff --git a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md index 3906ca3861..d75eefe80b 100644 --- a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md @@ -10,63 +10,62 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 09/03/2018 --- # View and organize the Windows Defender ATP Machines list **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-machinesview-abovefoldlink) -The **Machines list** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network. +The **Machines list** shows a list of the machines in your network where alerts were generated. By default, the queue displays machines with alerts seen in the last 30 days. -Use the Machines list in these main scenarios: +At a glance you'll see information such as domain, risk level, OS platform, and other details. + + +There are several options you can choose from to customize the machines list view. +On the top navigation you can: +- Customize columns to add or remove columns +- Export the entire list in CSV format +- Select the items to show per page +- Navigate between pages +- Apply filters + + +Use the machine list in these main scenarios: - **During onboarding**
During the onboarding process, the **Machines list** is gradually populated with machines as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis. + + >[NOTE] + > Exporting the list depends on the number of machines in your organization. It might take a significant amount of time to download, depending on how large your organization is. +Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself. + - **Day-to-day work**
- The **Machines list** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them. + The list enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts. Sorting machines by **Active alerts**, helps identify the most vulnerable machines and take action on them. -## Sort, filter, and download the list of machines from the Machines list -You can sort the **Machines list** by clicking on any column header to sort the view in ascending or descending order. -Filter the **Machines list** by **Time**, **OS Platform**, **Health**, **Security state**, **Malware category alerts**, **Groups**, or **Tags** to focus on certain sets of machines, according to the desired criteria. +![Image of machines list with list of machines](images/machines-list.png) -You can also download the entire list in CSV format using the **Export to CSV** feature. +## Sort and filter the machine list +You can apply the following filters to limit the list of alerts and get a more focused view. -![Image of machines list with list of machines](images/atp-machines-list-view2.png) -You can use the following filters to limit the list of machines displayed during an investigation: - -**Time period**
-- 1 day -- 3 days -- 7 days -- 30 days -- 6 months - -**Risk level**
+### Risk level Machine risk levels are indicators of the active threats that machines could be exposed to. A machine's risk level is determined using the number of active alerts and their severity levels. You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert. -**OS Platform**
-- Windows 10 -- Windows Server 2012 R2 -- Windows Server 2016 -- Other +### OS Platform +Limit the alerts queue view by selecting the OS platform that you're interested in investigating. - -**Sensor health state**
+### Health state Filter the list to view specific machines grouped together by the following machine health states: - **Active** – Machines that are actively reporting sensor data to the service. -- **Misconfigured** – Machines that have impaired communications with service or are unable to send sensor data. Misconfigured machines can further be classified to: +- **Misconfigured** – Machines that have impaired communications with service or are unable to send sensor data. Misconfigured machines can further be classified to: - No sensor data - Impaired communications @@ -74,7 +73,7 @@ Filter the list to view specific machines grouped together by the following mach - **Inactive** – Machines that have completely stopped sending signals for more than 7 days. -**Security state**
+### Security state Filter the list to view specific machines that are well configured or require attention based on the Windows Defender security controls that are enabled in your organization. @@ -83,39 +82,9 @@ Filter the list to view specific machines that are well configured or require at For more information, see [View the Secure Score dashboard](secure-score-dashboard-windows-defender-advanced-threat-protection.md). -**Malware category alerts**
-Filter the list to view specific machines grouped together by the following malware categories: - - **Ransomware** – Ransomware use common methods to encrypt files using keys that are known only to attackers. As a result, victims are unable to access the contents of the encrypted files. Most ransomware display or drop a ransom note—an image or an HTML file that contains information about how to obtain the attacker-supplied decryption tool for a fee. - - **Credential theft** – Spying tools, whether commercially available or solely used for unauthorized purposes, include general purpose spyware, monitoring software, hacking programs, and password stealers. - These tools collect credentials and other information from browser records, key presses, email and instant messages, voice and video conversations, and screenshots. They are used in cyberattacks to establish control and steal information. - - **Exploit** – Exploits take advantage of unsecure code in operating system components and applications. Exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine. Exploits are found in both commodity malware and malware used in targeted attacks. - - **Backdoor** - Backdoors are malicious remote access tools that allow attackers to access and control infected machines. Backdoors can also be used to exfiltrate data. - - **General malware** – Malware are malicious programs that perform unwanted actions, including actions that can disrupt, cause direct damage, and facilitate intrusion and data theft. Some malware can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyberattacks. - - **PUA** – Unwanted software is a category of applications that install and perform undesirable activity without adequate user consent. These applications are not necessarily malicious, but their behaviors often negatively impact the computing experience, even appearing to invade user privacy. Many of these applications display advertising, modify browser settings, and install bundled software. - -**Groups and tags**
+### Tags You can filter the list based on the grouping and tagging that you've added to individual machines. -## Export machine list to CSV -You can download a full list of all the machines in your organization, in CSV format. Click the **Export to CSV** button to download the entire list as a CSV file. - ->[NOTE] -> Exporting the list depends on the number of machines in your organization. It might take a significant amount of time to download, depending on how large your organization is. -Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself. - -## Sort the Machines list -You can sort the **Machines list** by the following columns: - -- **Machine name** - Name or GUID of the machine -- **Health State** – Indicates if the machine is misconfigured or is not sending sensor data -- **Last seen** - Date and time when the machine last reported sensor data -- **Internal IP** - Local internal Internet Protocol (IP) address of the machine -- **Active Alerts** - Number of alerts reported by the machine by severity -- **Active malware alerts** - Number of active malware detections reported by the machine - -> [!NOTE] -> The **Active malware detections** filter column will only appear if your machines are using [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) as the active real-time protection antimalware product. - ## Related topics - [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md index 4860f91956..00142f3502 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md @@ -10,51 +10,30 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 09/03/2018 --- # Manage Windows Defender Advanced Threat Protection alerts **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink) -Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue** menu. +Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**. You can manage alerts by selecting an alert in the **Alerts queue** or the **Alerts related to this machine** section of the machine details view. Selecting an alert in either of those places brings up the **Alert management pane**. -![Image of alert status](images/atp-alert-status.png) +![Image of alert status](images/atp-alerts-selected.png) -## Change the status of an alert - -You can categorize alerts (as **New**, **In Progress**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to alerts. - -For example, a team leader can review all **New** alerts, and decide to assign them to the **In Progress** queue for further analysis. - -Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert. - -## Alert classification -You can specify if an alert is a true alert or a false alert. +## Link to another incident +You can create a new incident from the alert or link to an existing incident. ## Assign alerts If an alert is no yet assigned, you can select **Assign to me** to assign the alert to yourself. -## Add comments and view the history of an alert -You can add comments and view historical events about an alert to see previous changes made to the alert. - -Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** section. - -Added comments instantly appear on the pane. ## Suppress alerts There might be scenarios where you need to suppress alerts from appearing in Windows Defender Security Center. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. @@ -83,32 +62,18 @@ Create custom rules to control when alerts are suppressed, or resolved. You can 1. Select the alert you'd like to suppress. This brings up the **Alert management** pane. -2. Scroll down to the **Create a supression rule** section. +2. Select **Create a supression rule**. - ![Image of alert status](images/atp-create-suppression-rule.png) - -3. Enter an alert title then select an indicator of compromise from the drop-down list. - - ![Image of alert status](images/atp-new-suppression-rule.png) - - > [!NOTE] - > You cannot create a custom or blank suppression rule. You must start from an existing alert. - -4. Specify the suppression conditions by entering values for any of the following: - - Sha1 - - File name - - Folder path - - > [!NOTE] - > The SHA1 of the alert cannot be modified, however you can clear the SHA1 to remove it from the suppression conditions by removing the deselecting the checkbox. +3. Select the **Trigerring IOC**. -5. Specify the action and scope on the alert.
- You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on the machine only or the whole organization. +4. Specify the action and scope on the alert.
+ You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on a specific machine group. -6. Click **Save and close**. +5. Enter a rule name and a comment. +6. Click **Save**. -### View the list of suppression rules +#### View the list of suppression rules 1. In the navigation pane, select **Settings** > **Alert suppression**. @@ -116,6 +81,28 @@ Create custom rules to control when alerts are suppressed, or resolved. You can For more information on managing suppression rules, see [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md) +## Change the status of an alert + +You can categorize alerts (as **New**, **In Progress**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to alerts. + +For example, a team leader can review all **New** alerts, and decide to assign them to the **In Progress** queue for further analysis. + +Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert. + + + +## Alert classification +You can choose not to set a classification, or specify if an alert is a true alert or a false alert. + + +## Add comments and view the history of an alert +You can add comments and view historical events about an alert to see previous changes made to the alert. + +Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** section. + +Added comments instantly appear on the pane. + + ## Related topics - [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..a5df326a4d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md @@ -0,0 +1,194 @@ +--- +title: Learn about the automated investigations dashboard in Windows Defender Security Center +description: View the list of automated investigations, its status, detection source and other details. +keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, machines, duration, filter export +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Learn about the automated investigations dashboard +By default, the Automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range. + +>[!NOTE] +>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation. + +Use the **Customize columns** drop-down menu to select columns that you'd like to show or hide. + +From this view, you can also download the entire list in CSV format using the **Export** button, specify the number of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your preferred criteria. + +![Image of Auto investigations page](images/atp-auto-investigations-list.png) + + +**Filters**
+You can use the following operations to customize the list of Automated investigations displayed: + + +**Triggering alert**
+The alert the initiated the Automated investigation. + +**Status**
+An Automated investigation can be in one of the following status: + +Status | Description +:---|:--- +| No threats found | No malicious entities found during the investigation. +| Failed | A problem has interrupted the investigation, preventing it from completing. | +| Partially remediated | A problem prevented the remediation of some malicious entities. | +| Pending action | Remediation actions require review and approval. | +| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. | +| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. | +| Running | Investigation ongoing. Malicious entities found will be remediated. | +| Remediated | Malicious entities found were successfully remediated. | +| Terminated by system | Investigation was stopped by the system. | +| Terminated by user | A user stopped the investigation before it could complete. +| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. | + + + +**Detection source**
+Source of the alert that initiated the Automated investigation. + +**Threat**
+The category of threat detected during the Automated investigation. + + +**Tags**
+Filter using manually added tags that capture the context of an Automated investigation. + +**Machines**
+You can filter the Automated investigations list to zone in a specific machine to see other investigations related to the machine. + +**Machine groups**
+Apply this filter to see specific machine groups that you might have created. + +**Comments**
+Select between filtering the list between Automated investigations that have comments and those that don't. + +## Analyze Automated investigations +You can view the details of an Automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information. + +In this view, you'll see the name of the investigation, when it started and ended. + +![Image of investigation details window](images/atp-analyze-auto-ir.png) + +The progress ring shows two status indicators: +- Orange ring - shows the pending portion of the investigation +- Green ring - shows the running time portion of the investigation + +![Image of start, end, and pending time for an automated investigation](images/atp-auto-investigation-pending.png) + +In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds. + +The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval. + +From this view, you can also view and add comments and tags about the investigation. + +### Investigation page +The investigation page gives you a quick summary on the status, alert severity, category, and detection source. + +You'll also have access to the following sections that help you see details of the investigation with finer granularity: + +- Investigation graph +- Alerts +- Machines +- Threats +- Entities +- Log +- Pending actions + + >[!NOTE] + >The Pending actions tab is only displayed if there are actual pending actions. + +- Pending actions history + + >[!NOTE] + >The Pending actions history tab is only displayed when an investigation is complete. + +In any of the sections, you can customize columns to further expand to limit the details you see in a section. + +### Investigation graph +The investigation graph provides a graphical representation of an Automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information. + +### Alerts +Shows details such as a short description of the alert that initiated the Automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to. + +Additional alerts seen on a machine can be added to an Automated investigation as long as the investigation is ongoing. + +Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, Automated investigation details, related machine, logged-on users, and comments and history. + +Clicking on an alert title brings you the alert page. + +### Machines +Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated. + +Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. + +Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users. + +Clicking on an machine name brings you the machine page. + +### Threats +Shows details related to threats associated with this investigation. + +### Entities +Shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean. + +### Log +Gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration. + +As with other sections, you can customize columns, select the number of items to show per page, and filter the log. + +Available filters include action type, action, status, machine name, and description. + +You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data. + +### Pending actions history +This tab is only displayed when an investigation is complete and shows all pending actions taken during the investigation. + + +## Pending actions +If there are pending actions on an Automated investigation, you'll see a pop up similar to the following image. + +![Image of pending actions](images\atp-pending-actions-notification.png) + +When you click on the pending actions link, you'll be taken to the pending actions page. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Pending actions**. + + +The pending actions view aggregates all investigations that require an action for an investigation to proceed or be completed. + +![Image of pending actions page](images/atp-pending-actions-list.png) + +Use the Customize columns drop-down menu to select columns that you'd like to show or hide. + +From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages. + +Pending actions are grouped together in the following tabs: +- Quarantine file +- Remove persistence +- Stop process +- Expand pivot +- Quarantine service + +>[!NOTE] +>The tab will only appear if there are pending actions for that category. + +### Approve or reject an action +You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed. + +Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed. + +![Image of pending action selected](images/atp-pending-actions-file.png) + +From the panel, you can click on the Open investigation page link to see the investigation details. + +You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations. + +## Related topic +- [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md index c090006878..46adcfac19 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 06/14/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md index 89eeee2c0e..9a359aaabc 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md index bae5b989f8..d3ed61a295 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-edr.md b/windows/security/threat-protection/windows-defender-atp/manage-edr.md new file mode 100644 index 0000000000..97ff8bd046 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/manage-edr.md @@ -0,0 +1,27 @@ +--- +title: Manage endpoint detection and response capabilities +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 07/01/2018 +--- + +# Manage endpoint detection and response capabilities + +Manage the alerts queue, investigate machines in the machines list, take response actions, and hunt for possible threats in your organization using advanced hunting. + + +## In this section +Topic | Description +:---|:--- +[Alerts queue](alerts-queue-endpoint-detection-response.md)| View the alerts surfaced in Windows Defender Security Center. +[Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) | Learn how you can view and manage the machines list, manage machine groups, and investigate machine related alerts. +[Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take response actions on machines and files to quickly respond to detected attacks and contain threats. +[Query data using advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)| Proactively hunt for possible threats across your organization using a powerful search and query tool. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md index 6db6e02136..1fa0357ade 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/management-apis.md b/windows/security/threat-protection/windows-defender-atp/management-apis.md new file mode 100644 index 0000000000..2e0966140c --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/management-apis.md @@ -0,0 +1,53 @@ +--- +title: Overview of management and APIs +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Overview of management and APIs + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mgt-apis-abovefoldlink) + +Windows Defender ATP supports a wide variety of options to ensure that customers can easily adopt the platform. + +Acknowledging that customer environments and structures can vary, Windows Defender ATP was created with flexibility and granular control to fit varying customer requirements. + +Machine onboarding is fully integrated into System Center Configuration Manager and Microsoft Intune for client machines and Azure Security Center for server machines, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Windows Defender ATP supports Group Policy and other third-party tools used for machines management. + +Windows Defender ATP provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure: +- Globally distributed organizations and security teams +- Tiered model security operations teams +- Fully segregated devisions with single centralized global security operations teams + +The Windows Defender ATP solution is built on top of an integration-ready platform: +- It supports integration with a number of security information and event management (SIEM) solutions and also exposes APIs to fully support pulling all the alerts and detection information into any SIEM solution. +- It supports a rich set of application programming interface (APIs) providing flexibility for those who are already heavily invested in data enrichment and automation: + - Enriching events coming from other security systems with foot print or prevalence information + - Triggering file or machine level response actions through APIs + - Keeping systems in-sync such as importing machine tags from asset management systems into Windows Defender ATP, synchronize alerts and incidents status cross ticketing systems with Windows Defender ATP. + +An important aspect of machine management is the ability to analyze the environment from varying and broad perspectives. This often helps drive new insights and proper priority identification: +- The Secure score dashboard provides metrics based method of prioritizing the most important proactive security measures. +- Windows Defender ATP includes a built-in PowerBI based reporting solution to quickly review trends and details related to Windows Defender ATP alerts and secure score of machines. The platform also supports full customization of the reports, including mashing of Windows Defender ATP data with your own data stream to produce business specific reports. + +## Related topics +- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md) +- [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) +- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) +- [Role-based access control](rbac-windows-defender-advanced-threat-protection.md) + + diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md new file mode 100644 index 0000000000..77af2ccba3 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md @@ -0,0 +1,60 @@ +--- +title: Configure Microsoft Cloud App Security integration +description: Learn how to turn on the settings to enable the Windows Defender ATP integration with Microsoft Cloud App Security. +keywords: cloud, app, security, settings, integration, discovery, report +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 + +--- + +# Configure Microsoft Cloud App Security integration +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + + +To benefit from Windows Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration. + +1. In the navigation pane, select **Preferences setup** > **Advanced features**. +2. Select **Microsoft Cloud App Security** and switch the toggle to **On**. +3. Click **Save preferences**. + + + +![Advanced features](images/atp-mcas-settings.png) + +Once activated, Windows Defender ATP will immediately start forwarding discovery signals to Cloud App Security. + +## View the data collected + +1. Browse to the [Cloud App Security portal](https://portal.cloudappsecurity.com). + +2. Navigate to the Cloud Discovery dashboard. + + ![Image of menu to cloud discovery dashboard](images/atp-cloud-discovery-dashboard-menu.png) + +3. Select **Win10 Endpoint Users report**, which contains the data coming from Windows Defender ATP. + + ![Win10 endpoint users](./images/win10-endpoint-users.png) + +This report is similar to the existing discovery report with one major difference: you can now benefit from visibility to the machine context. + +Notice the new **Machines** tab that allows you to view the data split to the device dimensions. This is available in the main report page or any subpage (for example, when drilling down to a specific cloud app). + +![Cloud discovery](./images/cloud-discovery.png) + + +For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/en-us/cloud-app-security/discovered-apps). + +If you are interested in trying Microsoft Cloud App Security, see [Microsoft Cloud App Security Trial](https://signup.microsoft.com/Signup?OfferId=757c4c34-d589-46e4-9579-120bba5c92ed&ali=1). + +## Related topic +- [Microsoft Cloud App Security integration](microsoft-cloud-app-security-integration.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md new file mode 100644 index 0000000000..4b4962140d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md @@ -0,0 +1,40 @@ +--- +title: Microsoft Cloud App Security integration overview +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Microsoft Cloud App Security integration overview +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution that gives visibility into cloud apps and services by allowing you to control and limit access to cloud apps, while enforcing compliance requirements on data stored in the cloud. For more information, see [Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security). + +## Windows Defender ATP and Cloud App Security integration + +Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Windows Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity. + +The integration provides the following major improvements to the existing Cloud App Security discovery: + +- Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers. + +- Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security requires firewall and proxy server configuration. With the Windows Defender ATP and Cloud App Security integration, there's no configuration required. Just switch it on in Windows Defender Security Center settings and you're good to go. + +- Device context - Cloud traffic logs lack device context. Windows Defender ATP network activity is reported with the device context (which device accessed the cloud app), so you are able to understand exactly where (device) the network activity took place, in addition to who (user) performed it. + +For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/en-us/cloud-app-security/discovered-apps). + +## Related topic + +- [Configure Microsoft Cloud App Security integration](microsoft-cloud-app-security-config.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index aee31bf368..84f62905aa 100644 --- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 07/01/2018 # Minimum requirements for Windows Defender ATP **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) There are some minimum requirements for onboarding machines to the service. diff --git a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..0ec05caa9c --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md @@ -0,0 +1,44 @@ +--- +title: Managed security service provider (MSSP) support +description: Understand how Windows Defender ATP integrates with managed security service providers (MSSP) +keywords: mssp, integration, managed, security, service, provider +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Managed security service provider support + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) + +[!include[Prereleaseinformation](prerelease.md)] + +Security is recognized as a key component in running an enterprise, however some organizations might not have the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints and network, others may want to have a second set of eyes to review alerts in their network. + + +To address this demand, managed security service providers (MSSP) offer to deliver managed detection and response (MDR) services on top of Windows Defender ATP. + + +Windows Defender ATP adds support for this scenario and to allow MSSPs to take the following actions: + +- Get access to MSSP customer's Windows Defender Security Center portal +- Get email notifications, and +- Fetch alerts through security information and event management (SIEM) tools + + +## Related topic +- [Configure managed security service provider integration](configure-mssp-support-windows-defender-advanced-threat-protection.md) + + + + + diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md index 0b481a47f3..af9a42584f 100644 --- a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 04/24/2018 # Offboard machines from the Windows Defender ATP service **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - macOS - Linux - Windows Server 2012 R2 diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md index 5f44382d18..34c07f0734 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md @@ -18,7 +18,7 @@ ms.date: 07/01/2018 **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) -You need to onboard machines to Windows Defender ATP before you can use the service. +You need to turn on the sensor to give visibility within Windows Defender ATP. For more information, see [Onboard your Windows 10 machines to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be). diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md index 46f931e363..1428a1b310 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md @@ -23,7 +23,7 @@ ms.date: 06/18/2018 - Windows 8.1 Enterprise - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] +[!include[Prerelease information](prerelease.md)] >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevel-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/onboard.md b/windows/security/threat-protection/windows-defender-atp/onboard.md new file mode 100644 index 0000000000..39ee66db3c --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/onboard.md @@ -0,0 +1,32 @@ +--- +title: Configure and manage Windows Defender ATP capabilities +description: Configure and manage Windows Defender ATP capabilities such as attack surface reduction, next generation protection, and security controls +keywords: configure, manage, capabilities, attack surface reduction, next generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Configure and manage Windows Defender ATP capabilities + +Configure and manage all the Windows Defender ATP capabilities to get the best security protection for your organization. + + +## In this section +Topic | Description +:---|:--- +[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. +[Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats. +[Configure Secure score dashboard security controls](secure-score-dashboard-windows-defender-advanced-threat-protection.md) | Configure the security controls in Secure score to increase the security posture of your organization. +Configure Microsoft threat protection integration| Configure other solutions that integrate with Windows Defender ATP. +Management and API support| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. +[Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others. + + + diff --git a/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md new file mode 100644 index 0000000000..98d08c46d6 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md @@ -0,0 +1,32 @@ +--- +title: Overview of attack surface reduction +description: Learn about the attack surface reduction capability in Windows Defender ATP +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 07/01/2018 +--- + +# Overview of attack surface reduction + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Attack surface reduction capabilities in Windows Defender ATP helps protect the devices and applications in your organization from new and emerging threats. + +| Capability | Description | +|------------|-------------| +| [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protects and maintains the integrity of the system as it starts and while it's running, and validates system integrity through local and remote attestation. In addition, container isolation for Microsoft Edge helps protect host operating system from malicious wbsites. | +| [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. | +| [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) | Applies exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV) | +| [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) | Extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV. | +| [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) | Helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV. | +| [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) | reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV. | +| [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Host-based, two-way network traffic filtering that blocks unauthorized network traffic flowing into or out of the local device. | + diff --git a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md new file mode 100644 index 0000000000..9b2912076d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md @@ -0,0 +1,33 @@ +--- +title: Custom detections overview +description: Understand how how you can leverage the power of advanced hunting to create custom detections +keywords: custom detections, detections, advanced hunting, hunt, detect, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + + +# Custom detections overview +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Alerts in Windows Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. + +This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. +Custom detections are queries that run periodically every 24 hours and can be configured so that when the query meets the criteria you set, alerts are created and are surfaced in Windows Defender Security Center. These alerts will be treated like any other alert in the system. + +This capability is particularly useful for scenarios when you want to pro-actively prevent threats and be notified quickly of emerging threats. + +## Related topic +- [Create custom detection rules](custom-detection-rules.md) + + diff --git a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md new file mode 100644 index 0000000000..31b65ba716 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md @@ -0,0 +1,44 @@ +--- +title: Overview of endpoint detection and response capabilities +description: Learn about the endpoint detection and response capabilities in Windows Defender ATP +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Overview of endpoint detection and response + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +The Widows Defender ATP endpoint detection and response capabilities provides near real-time actionable advance attacks detections, enables security analysts to effectively prioritize alerts, unfold the full scope of a breach and take response actions to remediate the threat. + + +When a threat is detected, alerts are be created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called _incident_. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats. + +Inspired by the "assume breach" mindset, Windows Defender ATP continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes and others. This information is stored for six months, enabling an analyst to travel back in time to the starting point of an attack and pivot in various views and approach an investigation through multiple possible vectors. + +The response capabilities give you the power to promptly remediate threats by acting on the affected entities. + +## In this section + +Topic | Description +:---|:--- +Security operations dashboard | This is where the endpoint detection and response capabilities are surfaced. It provides a high level overview of where detections were seen and highlights where response actions are needed. +Alerts queue | This dashboard shows all the alerts that were seen on machines. Learn how you can view and organize the queue, or how to manage and investigate alerts. +Machines list | Shows a list of machines where alerts have been generated. Learn how you can investigate machines, or how to search for specific events in a timeline, and others. +Take response actions | Learn about the available response actions and how to apply them on machines and files. + + + + + + diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md new file mode 100644 index 0000000000..02cf4a6b5a --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md @@ -0,0 +1,27 @@ +--- +title: Hardware-based isolation (Windows 10) +description: Learn about how hardware-based isolation in Windows 10 helps to combat malware. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: justinha +ms.localizationpriority: medium +ms.author: justinha +ms.date: 08/16/2018 +--- + +# Hardware-based isolation in Windows 10 + +**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Hardware-based isolation helps protect system integrity in Windows 10 and is integreated with Windows Defender ATP. + +| Feature | Description | +|------------|-------------| +| [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md) | Isolates untrusted sites and protects your company while your employees browse the Internet. | +| [Windows Defender System Guard](how-hardware-based-containers-help-protect-windows.md) | Protects and maintains the integrity of the system | + + + + diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..598138a8ef --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md @@ -0,0 +1,35 @@ +--- +title: Overview of advanced hunting capabilities +description: Hunt for possible threats accross your organization using a powerful search and query tool +keywords: advanced hunting, hunting, search, query, tool, intellisense, telemetry +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/12/2018 +--- + +# Overview of advanced hunting +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Windows Defender Security Center. + +With advanced hunting, you can take advantage of the following capabilities: + +- **Powerful query language with IntelliSense** - Built on top of a query language that gives you the flexibility you need to take hunting to the next level. +- **Query the stored telemetry** - The telemetry data is accessible in tables for you to query. For example, you can query process creation, network communication, and many other event types. +- **Links to portal** - Certain query results, such as machine names and file names are actually direct links to the portal, consolidating the Advanced hunting query experience and the existing portal investigation experience. +- **Query examples** - A welcome page provides examples designed to get you started and get you familiar with the tables and the query language. + +## In this section +Topic | Description +:---|:--- +[Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) | Learn how to use the basic or advanced query examples to search for possible emerging threats in your organization. + + + diff --git a/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..222e5cfffa --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md @@ -0,0 +1,76 @@ +--- +title: Overview of Secure score in Windows Defender Security Center +description: Expand your visibility into the overall security posture of your organization +keywords: secure score, security controls, improvement opportunities, security score over time, score, posture, baseline +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Overview of Secure score in Windows Defender Security Center +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. + +>[!IMPORTANT] +> This feature is available for machines on Windows 10, version 1703 or later. + + +The **Secure score dashboard** displays a snapshot of: +- Microsoft secure score +- Secure score over time +- Top recommendations +- Improvement opportunities + + +![Secure score dashboard](images/new-secure-score-dashboard.png) + +## Microsoft secure score +The Microsoft secure score tile is reflective of the sum of all the Windows Defender security controls that are configured according to the recommended baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings. + +![Image of Microsoft secure score tile](images/mss.png) + +Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar). + +The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/en-us/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess). + +In the example image, the total points for the Windows security controls and Office 365 add up to 602 points. + +You can set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md). + +## Secure score over time +You can track the progression of your organizational security posture over time using this tile. It displays the overall score in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture. + +![Image of the security score over time tile](images/new-ssot.png) + +You can mouse over specific date points to see the total score for that security control is on a specific date. + + +## Top recommendations +Reflects specific actions you can take to significantly increase the security stance of your organization and how many points will be added to the secure score if you take the recommended action. + +![Top recommendations tile](images/top-recommendations.png) + +## Improvement opportunities +Improve your score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control. + +Clicking on the affected machines link at the top of the table takes you to the Machines list. The list is filtered to reflect the list of machines where improvements can be made. + + + +![Improvement opportunities](images/io.png) + + +Within the tile, you can click on each control to see the recommended optimizations. + +Clicking the link under the Misconfigured machines column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice. + +## Related topic +- [Threat analytics](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/overview.md b/windows/security/threat-protection/windows-defender-atp/overview.md new file mode 100644 index 0000000000..1277a549bf --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/overview.md @@ -0,0 +1,36 @@ +--- +title: Overview of Windows Defender ATP +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Overview of Windows Defender ATP capabilities + +Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform. + +## In this section + +Topic | Description +:---|:--- +[Attack surface reduction](overview-attack-surface-reduction.md) | Leverage the attack surface reduction capabilities to protect the perimeter of your organization. +[Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Windows Defender ATP so you can protect desktops, portable computers, and servers. +[Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Windows Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats. +[Automated investigation and investigation](automated-investigations-windows-defender-advanced-threat-protection.md) | In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +[Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md) | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place. +[Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md) | Use a powerful search and query language to create custom queries and detection rules. +[Management and APIs](management-apis.md) | Windows Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows. +[Microsoft threat protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other security capabilities in the Microsoft threat protection stack. +[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) |Learn to navigate your way around Windows Defender Security Center. + + + + diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md index bbee7b2a62..aa1c10660e 100644 --- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 04/24/2018 # Windows Defender Advanced Threat Protection portal overview **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) @@ -52,14 +47,15 @@ Area | Description :---|:--- (1) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Automated investigations**, **Machines list**, **Service health**, **Advanced hunting**, and **Settings**. **Dashboards** | Access the Security operations, the Secure Score, or Threat analytics dashboard. -**Alerts** | View separate queues of new, in progress, resolved alerts, alerts assigned to you. +**Incidents** | View alerts that have been aggregated as incidents. +**Alerts** | View alerts generated from machines in your organizations. **Automated investigations** | Displays a list of automated investigations that's been conducted in the network, the status of each investigation and other details such as when the investigation started and the duration of the investigation. +**Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool. **Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. **Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. -**Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool. **Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard. **(2) Main portal** | Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list. -**(3) Search, Community center, Time settings, Help and support, Feedback** | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text.

**Community center** -Access the Community center to learn, collaborate, and share experiences about the product.

**Time settings** - Gives you access to the configuration settings where you can set time zones and view license information.

**Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support.

**Feedback** - Access the feedback button to provide comments about the portal. +**(3) Community center, Time settings, Help and support, Feedback** | **Community center** -Access the Community center to learn, collaborate, and share experiences about the product.

**Time settings** - Gives you access to the configuration settings where you can set time zones and view license information.

**Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support.

**Feedback** - Access the feedback button to provide comments about the portal. ## Windows Defender ATP icons The following table provides information on the icons used all throughout the portal: diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md index ee949dfc75..269e894610 100644 --- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md @@ -14,11 +14,6 @@ ms.date: 04/24/2018 # Create and build Power BI reports using Windows Defender ATP data **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md index cc40a22908..538450ea18 100644 --- a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 04/24/2018 # PowerShell code examples for the custom threat intelligence API **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md index 769e84dfb8..76c28f6e1f 100644 --- a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md @@ -15,15 +15,8 @@ ms.date: 04/24/2018 # Configure Windows Defender Security Center settings **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-prefsettings-abovefoldlink) Use the **Settings** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature. @@ -32,7 +25,7 @@ Use the **Settings** menu to modify general settings, advanced features, enable Topic | Description :---|:--- -[Update general settings](data-retention-settings-windows-defender-advanced-threat-protection.md) | Modify your general settings that were previously defined as part of the onboarding process. +General settings | Modify your general settings that were previously defined as part of the onboarding process. Permissions | Manage portal access using RBAC as well as machine groups. APIs | Enable the threat intel and SIEM integration. Rules | Configure suppressions rules and automation settings. diff --git a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md index 244a09bc78..a295925903 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md @@ -15,11 +15,6 @@ ms.date: 04/24/2018 # Turn on the preview experience in Windows Defender ATP **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index 8675655043..3eab3eda81 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -10,17 +10,12 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 07/30/2018 +ms.date: 09/03/2018 --- # Windows Defender ATP preview features **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) @@ -42,6 +37,29 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: + +- [Threat analytics](threat-analytics.md)
+Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. + +- [Custom detection](overview-custom-detections.md)
+ With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. + + +- [Managed security service provider (MSSP) support](mssp-support-windows-defender-advanced-threat-protection.md)
+Windows Defender ATP adds support for this scenario by providing MSSP integration. +The integration will allow MSSPs to take the following actions: +Get access to MSSP customer's Windows Defender Security Center portal, fet email notifications, and fetch alerts through security information and event management (SIEM) tools. + +- [Integration with Azure Security Center](configure-server-endpoints-windows-defender-advanced-threat-protection.md#integration-with-azure-security-center)
+Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. + +- [Integration with Microsoft Cloud App Security](microsoft-cloud-app-security-integration.md)
+Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. + + +- [Onboard Windows Server 2019](configure-server-endpoints-windows-defender-advanced-threat-protection.md#windows-server-version-1803-and-windows-server-2019)
+Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. + - [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor - Windows 7 SP1 Enterprise @@ -49,11 +67,6 @@ Onboard supported versions of Windows machines so that they can send sensor data - Windows 8.1 Enterprise - Windows 8.1 Pro -- [Integration with Azure Security Center](configure-server-endpoints-windows-defender-advanced-threat-protection.md#integration-with-azure-security-center)
-Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. - - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md index aab70fb694..58f784e646 100644 --- a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 04/24/2018 # Pull Windows Defender ATP alerts using REST API **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md index ec4e631bbb..f84794a823 100644 --- a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md index 6c6e1ced73..20e2299d14 100644 --- a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md @@ -15,17 +15,10 @@ ms.date: 05/08/2018 # Manage portal access using role-based access control **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Azure Active Directory - Office 365 - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-rbac-abovefoldlink) @@ -45,9 +38,9 @@ Windows Defender ATP RBAC is designed to support your tier- or role-based model - Create custom roles and control what Windows Defender ATP capabilities they can access with granularity. - **Control who can see information on specific machine group or groups** - - [Create machine groups](machine-groups-windows-defender-advanced-threat-protection.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure AD user group. + - [Create machine groups](machine-groups-windows-defender-advanced-threat-protection.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure Active Directory (Azure AD) user group. -To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign Azure Active Directory (Azure AD) user groups assigned to the roles. +To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign Azure AD user groups assigned to the roles. ### Before you begin @@ -70,48 +63,7 @@ Someone with a Windows Defender ATP Global administrator role has unrestricted a > > After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal. -## Create roles and assign the role to a group -1. In the navigation pane, select **Settings > Role based access control > Roles**. - -2. Click **Add role**. - -3. Enter the role name, description, and permissions you’d like to assign to the role. - - - **Role name** - - - **Description** - - - **Permissions** - - **View data** - Users can view information in the portal. - - **Investigate alerts** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. - - **Approve or take action** - Users can take response actions and approve or dismiss pending remediation actions. - - **Manage system settings** - Users can configure settings, SIEM and threat intel API settings, advanced settings, preview features, and automated file uploads. - - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. - -4. Click **Next** to assign the role to an Azure AD group. - -5. Use the filter to select the Azure AD group that you’d like to add to this role. - -6. Click **Save and close**. - -7. Apply the configuration settings. - -## Edit roles - -1. Select the role you'd like to edit. - -2. Click **Edit**. - -3. Modify the details or the groups that are assigned to the role. - -4. Click **Save and close**. - -## Delete roles - -1. Select the role you'd like to delete. - -2. Click the drop-down button and select **Delete role**. ## Related topic - [Create and manage machine groups in Windows Defender ATP](machine-groups-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index c2dc292025..148d0a9793 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 04/24/2018 # Take response actions on a file **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index c43c430a57..064fb37360 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 12/12/2017 # Take response actions on a machine **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md index 8858ac7366..5feacd51aa 100644 --- a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 11/12/2017 # Take response actions in Windows Defender ATP **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md index b7b33d60ef..985a82d123 100644 --- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md @@ -16,7 +16,6 @@ ms.date: 12/08/2017 # Restrict app execution API **Applies to:** - - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md index c6803604a8..9132144898 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md @@ -16,7 +16,6 @@ ms.date: 12/08/2017 # Run antivirus scan API **Applies to:** - - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md index 87fe1b0b5c..44f78723aa 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md @@ -16,11 +16,11 @@ ms.date: 11/06/2017 # Run a detection test on a newly onboarded Windows Defender ATP machine **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education +- Supported Windows 10 versions +- Windows Server 2012 R2 +- Windows Server 2016 +- Windows Server, version 1803 +- Windows Server, 2019 - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md index 47815df570..48a0fcb12c 100644 --- a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- -title: View the Secure Score dashboard in Windows Defender ATP -description: Use the Secure Score dashboard to assess and improve the security state of your organization by analyzing various security control tiles. +title: Configure the security controls in Secure score +description: Configure the security controls in Secure score keywords: secure score, dashboard, security recommendations, security control state, security score, score improvement, microsoft secure score, security controls, security control, improvement opportunities, edr, antivirus, av, os security updates search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -12,80 +12,10 @@ ms.localizationpriority: medium ms.date: 04/24/2018 --- -# View the Windows Defender Advanced Threat Protection Secure score dashboard - +# Configure the security controls in Secure score **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-abovefoldlink) - - -The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. - ->[!IMPORTANT] -> This feature is available for machines on Windows 10, version 1703 or later. - - -The **Secure score dashboard** displays a snapshot of: -- Microsoft Secure score -- Windows Defender security controls -- Improvement opportunities -- Security score over time - -![Secure score dashboard](images/ss1.png) - -## Microsoft secure score -The Microsoft secure score tile is reflective of the sum of all the Windows Defender security controls that are configured according to the recommended baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings. - -![Image of Microsoft secure score tile](images/mss.png) - -Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar). - -The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/en-us/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess). - -In the example image, the total points for the Windows security controls and Office 365 add up to 718 points. - -You can set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md). - -## Windows Defender security controls -The security controls tile shows a bar graph where each bar represents a Windows Defender security control. Each bar reflects the number of machines that are well configured and those that require **any kind of attention** for each security control. Hovering on top of the individual bars will show exact numbers for each category. Machines that are green are well configured, while machines that are orange require some level of attention. - - -![Windows Defender security controls](images/wdsc.png) - -## Improvement opportunities -Improve your score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control. - -Click on each control to see the recommended optimizations. - -![Improvement opportunities](images/io.png) - -The numbers beside the green triangle icon on each recommended action represents the number of points you can gain by taking the action. When added together, the total number makes up the numerator in the fraction for each segment in the Improvement opportunities tile. - ->[!IMPORTANT] ->Recommendations that do not display a green triangle icon are informational only and no action is required. - -Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice. - -The following image shows an example list of machines where the EDR sensor is not turned on. - -![Image of view machines list with a filter applied](images/atp-security-analytics-view-machines2.png) - -## Security score over time -You can track the progression of your organizational security posture over time using this tile. It displays the overall and individual control scores in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture. - -![Image of the security score over time tile](images/ssot.png) - -You can click on specific date points to see the total score for that security control is on a particular date. - -## Improve your secure score by applying improvement recommendations Each security control lists recommendations that you can take to increase the security posture of your organization. ### Endpoint detection and response (EDR) optimization @@ -342,10 +272,7 @@ For more information, see [Manage Windows Defender Credential Guard](https://doc >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) ## Related topics -- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) -- [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) -- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) -- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) +- [Overview of Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md index 8e9f3634dc..0fdb2ab3d7 100644 --- a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- -title: Windows Defender Advanced Threat Protection Security operations dashboard -description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts. +title: Windows Defender Security Center Security operations dashboard +description: Use the dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts. keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -10,37 +10,32 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 09/04/2018 --- -# View the Windows Defender Advanced Threat Protection Security operations dashboard +# Windows Defender Security Center Security operations dashboard **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) -The **Security operations dashboard** displays a snapshot of: +The **Security operations dashboard** is where the endpoint detection and response capabilities are surfaced. It provides a high level overview of where detections were seen and highlights where response actions are needed. -- The latest active alerts on your network +The dashboard displays a snapshot of: + +- Active alerts - Machines at risk -- Machines with active malware alerts +- Sensor health +- Service health - Daily machines reporting - Active automated investigations - Automated investigations statistics - Users at risk - Suspicious activities -- Sensor health -- Service health -![Image of Security operations dashboard](images/atp-sec-ops-1.png) + +![Image of Security operations dashboard](images/atp-sec-ops-dashboard.png) You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in. @@ -49,51 +44,45 @@ From the **Security operations dashboard** you will see aggregated events to fac It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a detailed view of the corresponding overview. ## Active alerts -You can view the overall number of active ATP alerts from the last 30 days in your network from the **ATP alerts** tile. Alerts are grouped into **New** and **In progress**. +You can view the overall number of active alerts from the last 30 days in your network from the tile. Alerts are grouped into **New** and **In progress**. -![Click on each slice or severity to see a list of alerts from the past 30 days](images/atp-alerts-tile.png) +![Click on each slice or severity to see a list of alerts from the past 30 days](images/active-alerts-tile.png) Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**). For more information see, [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md). -The **Latest active alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md). +Each row includes an alert severity category and a short description of the alert. You can click an alert to see its detailed view. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md). ## Machines at risk This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label). -![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/atp-machines-at-risk.png) +![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk-tile.png) Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md). You can also click **Machines list** at the top of the tile to go directly to the **Machines list**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md). -## Machines with active malware detections -The **Machines with active malware detections** tile will only appear if your machines are using Windows Defender Antivirus. +## Sensor health +The **Sensor health** tile provides information on the individual machine’s ability to provide sensor data to the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines. -Active malware is defined as threats that were actively executing at the time of detection. +![Sensor health tile](images/atp-tile-sensor-health.png) -Hover over each bar to see the number of active malware detections (as **Malware detections**) and the number of machines with at least one active detection (as **Machines**) over the past 30 days. +There are two status indicators that provide information on the number of machines that are not reporting properly to the service: +- **Misconfigured** – These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected. +- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month. -![The Machines with active malware detections tile shows the number of threats and machines for each threat category](images/atp-machines-active-threats-tile.png) -The chart is sorted into five categories: +When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). -- **Ransomware** - threats that prevent user access to a machine or its files and demand payment to restore access. -- **Credential theft** - threats that attempt to steal credentials. -- **Exploit** - threats that use software vulnerabilities to infect machines. -- **Backdoor** - threats that gives a malicious hacker access to and control of machines. -- **General** - threats that perform unwanted actions, including actions that can disrupt, cause direct damage, and facilitate intrusion and data theft. -- **PUA** - applications that install and perform undesirable activity without adequate user consent. +## Service health +The **Service health** tile informs you if the service is active or if there are issues. -Threats are considered "active" if there is a very high probability that the malware was executing on your network, as opposed to statically located on-disk. +![The Service health tile shows an overall indicator of the service](images/status-tile.png) -Clicking on any of these categories will navigate to the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine. - -> [!NOTE] -> The **Machines with active malware detections** tile will only appear if your machines are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. +For more information on the service health, see [Check the Windows Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md). ## Daily machines reporting @@ -104,13 +93,13 @@ The **Daily machines reporting** tile shows a bar graph that represents the numb ## Active automated investigations -You can view the overall number of automated investigations from the last 30 days in your network from the **Active automated investigations** tile. Investigations are grouped into **Waiting for machine**, **Running**, and **Pending approval**. +You can view the overall number of automated investigations from the last 30 days in your network from the **Active automated investigations** tile. Investigations are grouped into **Pending action**, **Waiting for machine**, and **Running**. ![Inmage of active automated investigations](images/atp-active-investigations-tile.png) ## Automated investigations statistics -This tile shows statistics related to automated investigations in the last 30 days. It shows the number of investigations completed, the number of successfully remediated investigations, the average pending time it takes for an investigaiton to be initiated, the average time it takes to remediate an alert, the number of alerts investigated, and the number of hours of automation saved from a typical manual investigation. +This tile shows statistics related to automated investigations in the last 30 days. It shows the number of investigations completed, the number of successfully remediated investigations, the average pending time it takes for an investigation to be initiated, the average time it takes to remediate an alert, the number of alerts investigated, and the number of hours of automation saved from a typical manual investigation. ![Image of automated investigations statistics](images/atp-automated-investigations-statistics.png) @@ -129,26 +118,6 @@ This tile shows audit events based on detections from various security component ![Suspicous activities tile](images/atp-suspicious-activities-tile.png) -## Sensor health -The **Sensor health** tile provides information on the individual machine’s ability to provide sensor data to the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines. - -![Sensor health tile](images/atp-tile-sensor-health.png) - -There are two status indicators that provide information on the number of machines that are not reporting properly to the service: -- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month. -- **Misconfigured** – These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected. - -When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). - -## Service health -The **Service health** tile informs you if the service is active or if there are issues. - -![The Service health tile shows an overall indicator of the service](images/status-tile.png) - -For more information on the service health, see [Check the Windows Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md). - - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md index 656e809d15..20028f9555 100644 --- a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 04/24/2018 # Check the Windows Defender Advanced Threat Protection service health **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md index 9540e46529..2e4f1e0fd1 100644 --- a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md @@ -16,7 +16,6 @@ ms.date: 12/08/2017 # Stop and quarantine file API **Applies to:** - - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md index b8bc903b76..a6c64df7ff 100644 --- a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md @@ -10,17 +10,12 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 09/03/2018 --- # Supported Windows Defender ATP query APIs **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) @@ -40,5 +35,3 @@ IP | Run API calls such as get IP related alerts, IP related machines, IP statis Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID. User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines. -## Related topic -- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md index 2d05ed0158..2ee0df491f 100644 --- a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md @@ -16,7 +16,6 @@ ms.date: 12/01/2017 # Supported Windows Defender ATP query APIs **Applies to:** - - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md index 9b235fa9b0..affe0ea030 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Advanced Threat Protection Threat analytics +title: Threat analytics for Spectre and Meltdown description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization. keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status search.product: eADQiWindows 10XVcnh @@ -10,20 +10,14 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 03/06/2018 +ms.date: 09/03/2018 --- # Threat analytics for Spectre and Meltdown - **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) - +The **Threat analytics** dashboard provides insight on how emerging threats affect your organization. It provides information that's specific for your organization. [Spectre and Meltdown](https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/) is a new class of exploits that take advantage of critical vulnerabilities in the CPU processors, allowing attackers running user-level, non-admin code to steal data from kernel memory. These exploits can potentially allow arbitrary non-admin code running on a host machine to harvest sensitive data belonging to other apps or system processes, including apps on guest VMs. @@ -51,9 +45,8 @@ To access Threat analytics, from the navigation pane select **Dashboards** > **T Click a section of each chart to get a list of the machines in the corresponding mitigation status. ## Related topics -- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) -- [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) -- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) -- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md) +- [Threat analtyics](threat-analytics-windows-defender-advanced-threat-protection.md) +- [Overview of Secure Score in Windows Defender Security Center](overview-secure-score-windows-defender-advanced-threat-protection.md) +- [Configure the security controls in Secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md new file mode 100644 index 0000000000..cb47452b3c --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md @@ -0,0 +1,65 @@ +--- +title: Windows Defender Advanced Threat Protection Threat analytics +description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization. +keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Threat analytics +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to be able to quickly assess their security posture, including impact, and organizational resilience in the context of specific emerging threats. + +Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help you the assess impact of threats in your environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. + + +>[!NOTE] +>The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts being resolved within a few days. + +Each threat report provides a summary to describe details such as where the threat is coming from, where it's been seen, or techniques and tools that were used by the threat. + +The dashboard shows the impact in your organization through the following tiles: +- Machines with alerts - shows the current distinct number of impacted machines in your organization +- Machines with alerts over time - shows the distinct number of impacted over time +- Mitigation recommendations - lists the measurable mitigations and the number of machines that do not have each of the mitigations in place +- Mitigation status - shows the number of mitigated and unmitigated machines. Machines are considered mitigated if they have all the measurable mitigations in place. +- Mitigation status over time - shows the distinct number of machines that have been mitigated, unmitigated, and unavailable over time + +![Image of a threat analytics report](images/ta.png) + +## Organizational impact +You can assess the organizational impact of a threat using the **Machines with alerts** and **Machines with alerts over time** tiles. + +A machine is categorized as **Active** if there is at least 1 alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the machine are resolved. + + +The **Machine with alerts over time**, shows the number of distinct machines with **Active** and **Resolved alerts over time**. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts being resolved within a few days. +## Organizational resilience +The **Mitigation recommendations** section provides specific actionable recommendations to improve your visibility into this threat and increase your organizational resilience. + +The **Mitigation status** and **Mitigation status over time** shows the endpoint configuration status assessed based on the recommended mitigations. + +>[!IMPORTANT] +>- The chart only reflects mitigations that are measurable and where an evaluation can be made on the machine state as being compliant or non-compliant. There can be additional mitigations or compliance actions that currently cannot be computed or measured that are not reflected in the charts and are covered in the threat description under **Mitigation recommendations** section. +>- Even if all mitigations were measurable, there is no absolute guarantee of complete resilience but reflects the best possible actions that need to be taken to improve resiliency. + + + +>[!NOTE] +>The Unavailable category indicates that there is no data available from the specific machine yet. + + +## Related topics +- [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) + diff --git a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md index dc1b0cb21e..c189fa2336 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md @@ -10,17 +10,12 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 09/03/2018 --- # Understand threat intelligence concepts **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md new file mode 100644 index 0000000000..b491a5a109 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md @@ -0,0 +1,44 @@ +--- +title: Microsoft threat protection +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/12/2018 +--- + +# Microsoft threat protection + +Microsoft's multiple layers of threat protection across data, applications, devices, and identities can help protect your organization from advanced cyber threats. + +Each layer in the threat protection stack plays a critical role in protecting customers. The deep integration between these layers results in better protected customers. + +## Conditional access +Windows Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources. + +## Office 365 Advanced Threat Protection (Office 365 ATP) +The integration between Office 365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. + +## Azure Advanced Threat Protection (Azure ATP) + Suspicious activities are processes running under a user context. The integration between Windows Defender ATP and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities. + +## Skype for Business +The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal. + +## Azure Security Center +Windows Defender ATP provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers. + +## Microsoft Cloud App Security +Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. + +## Related topic +- [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md) + + + diff --git a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md index e9cb11bc67..505296a18a 100644 --- a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 02/13/2018 # Windows Defender Security Center time zone settings **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md index be766d8d46..d86deb3f28 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 06/25/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md index eee538a7aa..3310063e5a 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 08/01/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index f9e7872493..e15d044a19 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 04/24/2018 # Troubleshoot Windows Defender Advanced Threat Protection onboarding issues **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Server 2012 R2 - Windows Server 2016 @@ -308,5 +303,6 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us ## Related topics - [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) -- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) +- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) - [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) + diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index 9a63f9dc8b..c90bb67da7 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 02/13/2018 # Troubleshoot SIEM tool integration issues **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md new file mode 100644 index 0000000000..12f36df3a9 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md @@ -0,0 +1,27 @@ +--- +title: Troubleshoot Windows Defender Advanced Threat Protection capabilities +description: Find solutions to issues on sensor state, service issues, or other Windows Defender ATP capabilities +keywords: troubleshoot, sensor, state, service, issues, attack surface reduction, next generation protection +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Troubleshoot Windows Defender Advanced Threat Protection + +Troubleshoot issues that might arise as you use Windows Defender ATP capabilities. + +## In this section +Topic | Description +:---|:--- +Troubleshoot sensor state | Find solutions for issues related to the Windows Defender ATP sensor +Troubleshoot service issues | Fix issues related to the Windows Defender Advanced Threat service +Troubleshoot attack surface reduction | Fix issues related to network protection and attack surface reduction rules +Troubleshoot next generation protection | If you encounter a problem with antivirus, you can search the tables in this topic to find a matching issue and potential solution + diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md index c6e68b56e5..fc9f502186 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Troubleshoot Windows Defender Advanced Threat Protection service issues +title: Troubleshoot Windows Defender Advanced Threat Protection service issues description: Find solutions and work arounds to known issues such as server errors when trying to access the service. keywords: troubleshoot Windows Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, whitelist, event viewer search.product: eADQiWindows 10XVcnh @@ -15,11 +15,6 @@ ms.date: 07/30/2018 # Troubleshoot service issues -**Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. ## Server error - Access is denied due to invalid credentials @@ -72,14 +67,6 @@ When you use Azure Security Center to monitor servers, a Windows Defender ATP te - - - - - - - - ## Related topics - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) - [Review events and errors using Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md index b8fed131a5..c45ead9ecd 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 04/24/2018 # Use the threat intelligence API to create custom alerts **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index 07cec03da7..42e5a71b83 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Use the Windows Defender Advanced Threat Protection portal +title: Overview of Windows Defender Security Center description: Learn about the features on Windows Defender Security Center, including how alerts work, and suggestions on how to investigate possible breaches and attacks. keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa search.product: eADQiWindows 10XVcnh @@ -13,21 +13,11 @@ ms.localizationpriority: medium ms.date: 03/12/2018 --- -# Use the Windows Defender Advanced Threat Protection portal - -**Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - +# Overview of Windows Defender Security Center >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) -You can use Windows Defender Security Center to carry out an end-to-end security breach investigation through the dashboards. +Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network. diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..122fd23da5 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md @@ -0,0 +1,75 @@ +--- +title: Create and manage roles for role-based access control +description: Create roles and define the permissions assigned to the role as part of the role-based access control implimentation +keywords: user roles, roles, access rbac +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Create and manage roles for role-based access control +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-roles-abovefoldlink) + +## Create roles and assign the role to an Azure Active Directory group +The following steps guide you on how to create roles in Windows Defender Security Center. It assumes that you have already created Azure Active Directory user groups. + +1. In the navigation pane, select **Settings > Role based access control > Roles**. + +2. Click **Add role**. + +3. Enter the role name, description, and permissions you'd like to assign to the role. + + - **Role name** + + - **Description** + + - **Permissions** + - **View data** - Users can view information in the portal. + - **Investigate alerts** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. + - **Approve or take action** - Users can take response actions and approve or dismiss pending remediation actions. + - **Manage system settings** - Users can configure settings, SIEM and threat intel API settings, advanced settings, preview features, and automated file uploads. + - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. + +4. Click **Next** to assign the role to an Azure AD group. + +5. Use the filter to select the Azure AD group that you'd like to add to this role. + +6. Click **Save and close**. + +7. Apply the configuration settings. + + +After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created. + + +## Edit roles + +1. Select the role you'd like to edit. + +2. Click **Edit**. + +3. Modify the details or the groups that are assigned to the role. + +4. Click **Save and close**. + +## Delete roles + +1. Select the role you'd like to delete. + +2. Click the drop-down button and select **Delete role**. + + +##Related topic +- [User basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md) +- [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index 07eee21200..a67e865ccb 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -9,17 +9,12 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 07/12/2018 +ms.localizationpriority: medium +ms.date: 09/03/2018 --- # Windows Defender Advanced Threat Protection -**Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-main-abovefoldlink) > >For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy). @@ -34,13 +29,10 @@ The Windows Defender ATP platform is where all the capabilities that are availab Topic | Description :---|:--- -[Windows Defender Security Center](windows-defender-security-center-atp.md) | Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks. -[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. -[Windows Defender Exploit Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard) | Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees. -[Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) | Windows Defender Application Control (WDAC) can help mitigate security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). -[Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Windows Defender Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. - - +[Overview](overview.md) | Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform. +[Get started](get-started.md) | Learn about the requirements of the platform and the initial steps you need to take to get started with Windows Defender ATP. +[Cconfigure and manage capabilities](onboard.md)| Configure and manage the individual capabilities in Windows Defender ATP. +[Troubleshoot Windows Defender ATP](troubleshoot-wdatp.md) | Learn how to address issues that you might encounter while using the platform. ## Related topic [Windows Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats) diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md index 244a14ea0d..ea7e9fd67b 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md @@ -9,16 +9,12 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 07/01/2018 --- # Windows Defender Security Center -**Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks. ## In this section diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 9f78476437..8e21f4933d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,87 +11,43 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/30/2018 +ms.date: 08/08/2018 --- -# Reduce attack surfaces with Windows Defender Exploit Guard +# Reduce attack surfaces with Windows Defender Exploit Guard **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 -- Microsoft Office 365 -- Microsoft Office 2016 -- Microsoft Office 2013 -- Microsoft Office 2010 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Attack surface reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). - - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Group Policy -- PowerShell -- Configuration service providers for mobile device management - - -Supported in Windows 10 Enterprise E5, Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. - -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). - ->[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. - -Attack surface reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). - -The feature is comprised of a number of rules, each of which target specific behaviors that are typically used by malware and malicious apps to infect machines, such as: +Attack surface reduction has a number of [rules](#attack-surface-reduction-rules), each of which targets specific behaviors that are typically used by malware and malicious apps to infect machines, such as: - Executable files and scripts used in Office apps or web mail that attempt to download or run files - Scripts that are obfuscated or otherwise suspicious - Behaviors that apps undertake that are not usually initiated during normal day-to-day work -See the [Attack surface reduction rules](#attack-surface-reduction-rules) section in this topic for more information on each rule. - When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack surface reduction would impact your organization if it were enabled. ## Requirements -Attack surface reduction requires Windows 10 Enterprise E5 and Windows Defender AV real-time protection. - -Windows 10 version | Windows Defender Antivirus -- | - -Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled +Attack surface reduction requires Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). ## Attack surface reduction rules -Windows 10, version 1803 has five new Attack surface reduction rules: - -- Block executable files from running unless they meet a prevalence, age, or trusted list criteria -- Use advanced protection against ransomware -- Block credential stealing from the Windows local security authority subsystem (lsass.exe) -- Block process creations originating from PSExec and WMI commands -- Block untrusted and unsigned processes that run from USB - -In addition, the following rule is available for beta testing: - -- Block Office communication applications from creating child processes - The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table: Rule name | GUID -|- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D @@ -102,12 +58,11 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block only Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version. +The rules apply to the following Office apps: -Supported Office apps: - Microsoft Word - Microsoft Excel - Microsoft PowerPoint @@ -127,7 +82,7 @@ This rule blocks the following file types from being run or launched from an ema >[!IMPORTANT] >[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). -### Rule: Block Office applications from creating child processes +### Rule: Block all Office applications from creating child processes Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. @@ -215,7 +170,7 @@ With this rule, admins can prevent unsigned or untrusted executable files from r - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -### Rule: Block Office communication applications from creating child processes (available for beta testing) +### Rule: Block only Office communication applications from creating child processes (available for beta testing) Office communication apps will not be allowed to create child processes. This includes Outlook. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 989c432d1b..5e7831035b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -1,6 +1,6 @@ --- -title: Test how Windows Defender EG features work -description: Audit mode lets you use the event log to see how Windows Defender Exploit Guard would protect your devices if it were enabled +title: Test how Windows Defender ATP features work +description: Audit mode lets you use the event log to see how Windows Defender ATP would protect your devices if it were enabled keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -11,35 +11,32 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- -# Use audit mode to evaluate Windows Defender Exploit Guard features +# Use audit mode **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators -You can enable each of the features of Windows Defender Exploit Guard in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. -You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. +You can enable attack surface reduction, eploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. + +You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled. -You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +You can use Windows Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating Attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. -You can use Group Policy, PowerShell, and configuration servicer providers (CSPs) to enable audit mode. +You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. @@ -76,10 +73,10 @@ You can also use the a custom PowerShell script that enables the features in aud ## Related topics -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) -- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) -- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) +- [Protect devices from exploits](exploit-protection-exploit-guard.md) +- [Reduce attack surfaces with](attack-surface-reduction-exploit-guard.md) +- [Protect your network](network-protection-exploit-guard.md) +- [Protect important folders](controlled-folders-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md index 21cec1e41c..72daf4a2bc 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md @@ -1,5 +1,5 @@ --- -title: Submit cab files related to Windows Defender EG problems +title: Submit cab files related to problems description: Use the command-line tool to obtain .cab file that can be used to investigate ASR rule issues. keywords: troubleshoot, error, fix, asr, windows defender eg, exploit guard, attack surface reduction search.product: eADQiWindows 10XVcnh @@ -11,17 +11,16 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- -# Collect diagnostic data for Windows Defender Exploit Guard file submissions +# Collect diagnostic data for file submissions **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + -**Audience** - IT administrators @@ -64,7 +63,7 @@ Before attempting this process, ensure you have met all required pre-requisites ## Related topics -- [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md) -- [Troubleshoot Windows Defender Network protection](troubleshoot-np.md) -- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) +- [Troubleshoot ASR rules](troubleshoot-asr.md) +- [Troubleshoot Network protection](troubleshoot-np.md) + diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index 852398e010..a5c31c8baf 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -1,6 +1,6 @@ --- title: Help prevent ransomware and threats from encrypting and changing files -description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware encrypting your files. +description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware from encrypting your files. keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -11,59 +11,36 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- -# Protect important folders with Controlled folder access +# Protect important folders with controlled folder access **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 - - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell -- Configuration service providers for mobile device management +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. - -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). - ->[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. - -Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder. -This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. +This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. A notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. -As with other features of Windows Defender Exploit Guard, you can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled folder access would impact your organization if it were enabled. - +You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## Requirements -Windows 10 version | Windows Defender Antivirus --|- -Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled +Controlled folder access requires enabling [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). ## Review Controlled folder access events in Windows Event Viewer @@ -74,9 +51,9 @@ You can review the Windows event log to see events that are created when Control 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. -3. On the left panel, under **Actions**, click **Import custom view...** +3. On the left panel, under **Actions**, click **Import custom view...**. - ![Animation showing the import custom view on the Event viewer window](images/events-import.gif) + ![Animation showing the import custom view on the Event viewer window](images/events-import.gif) 4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index d3fdfd801d..fcba05fbf6 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -11,31 +11,17 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/30/2018 +ms.date: 08/08/2018 --- -# Customize Attack surface reduction +# Customize attack surface reduction **Applies to:** -- Windows 10 Enterprise edition, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell -- Configuration service providers for mobile device management - - -Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This topic describes how to customize Attack surface reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. @@ -54,7 +40,7 @@ This could potentially allow unsafe files to run and infect your devices. You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions. -Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe. @@ -64,7 +50,7 @@ Exclusions will only be applied to certain rules. Some rules will not honor the Rule description | Rule honors exclusions | GUID -|:-:|- -Block Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block all Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899 @@ -76,7 +62,7 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block only Office communication applications from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c @@ -110,7 +96,7 @@ Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add ### Use MDM CSPs to exclude files and folders -Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. +Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. @@ -122,7 +108,7 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w ## Related topics -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) +- [Reduce attack surfaces](attack-surface-reduction-exploit-guard.md) - [Enable Attack surface reduction](enable-attack-surface-reduction.md) - [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index 1c626d7c8f..aebfd7efca 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -1,5 +1,5 @@ --- -title: Add additional folders and apps to be protected by Windows 10 +title: Add additional folders and apps to be protected description: Add additional folders that should be protected by Controlled folder access, or whitelist apps that are incorrectly blocking changes to important files. keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, whitelist, add executable search.product: eADQiWindows 10XVcnh @@ -11,34 +11,20 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- -# Customize Controlled folder access +# Customize controlled folder access **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell -- Configuration service providers for mobile device management - - -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. This topic describes how to customize the following settings of the Controlled folder access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs): @@ -59,7 +45,7 @@ You can add additional folders to be protected, but you cannot remove the defaul Adding other folders to Controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. -You can also enter network shares and mapped drives. Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). +You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders. @@ -70,26 +56,22 @@ You can use the Windows Defender Security Center app or Group Policy to add and 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**: -3. Under the **Controlled folder access** section, click **Protected folders** +3. Under the **Controlled folder access** section, click **Protected folders** 4. Click **Add a protected folder** and follow the prompts to add apps. - ![Screenshot of the Virus and threat protection settings button](images/cfa-prot-folders.png) + ![Screenshot of the Virus and threat protection settings button](images/cfa-prot-folders.png) ### Use Group Policy to protect additional folders 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. - -6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder. - -> [!NOTE] -> Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). +5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. +6. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder. ### Use PowerShell to protect additional folders @@ -112,7 +94,7 @@ Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to ad ### Use MDM CSPs to protect additional folders -Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. +Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. @@ -147,7 +129,7 @@ When you add an app, you have to specify the app's location. Only the app in tha 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. +5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. 6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app. @@ -162,7 +144,7 @@ When you add an app, you have to specify the app's location. Only the app in tha Add-MpPreference -ControlledFolderAccessAllowedApplications "" ``` - For example, to add the executable *test.exe*, located in the folder *C:\apps*, the cmdlet would be as follows: + For example, to add the executable *test.exe* located in the folder *C:\apps*, the cmdlet would be as follows: ```PowerShell Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe" @@ -181,7 +163,7 @@ Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to ### Use MDM CSPs to allow specific apps -Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. +Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. ## Customize the notification @@ -190,4 +172,4 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w ## Related topics - [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) - [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md) -- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) \ No newline at end of file +- [Evaluate attack surface reduction](evaluate-windows-defender-exploit-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index d26e9872e6..59513ac8ec 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -11,33 +11,30 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- # Customize Exploit protection **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + + + + -**Audience** - -- Enterprise security administrators -**Manageability available with** -- Windows Defender Security Center app -- Group Policy -- PowerShell Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. - It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. @@ -46,7 +43,7 @@ You configure these settings using the Windows Defender Security Center on an in It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). >[!WARNING] ->Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. +>Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network. ## Exploit protection mitigations @@ -299,7 +296,7 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w ## Related topics -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) - [Evaluate Exploit protection](evaluate-exploit-protection.md) - [Enable Exploit protection](enable-exploit-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index bb57a23872..f37c7b6665 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 08/08/2018 --- @@ -21,35 +21,25 @@ ms.date: 04/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Enhanced Mitigation Experience Toolkit version 5.5 (latest version) - - - -**Audience** - -- Enterprise security administrators +- Windows Defender Advanced Threat Protection (Windows Defender ATP) >[!IMPORTANT] ->If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10. +>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows Defender ATP. > >You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. -This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and its replacement in Windows 10: Windows Defender Exploit Guard. - - In Windows 10, version 1709 (also known as the Fall Creators Update) we released [Windows Defender Exploit Guard](windows-defender-exploit-guard.md), which provides unparalleled mitigation of known and unknown threat attack vectors, including exploits. +This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and Exploit protection in Windows Defender ATP. - Windows Defender Exploit Guard is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. +Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. - EMET is a stand-alone product that is available on earlier versions of Windows and provides some mitigation against older, known exploit techniques. +EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques. - After July 31, 2018, it will reach its end of life, which means it will not be supported and no additional development will be made on it. +After July 31, 2018, it will not be supported. - For more information about the individual features and mitigations available in Windows Defender Exploit Guard, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: +For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: -- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 59f434e325..4f7e747a4b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/30/2018 +ms.date: 08/08/2018 --- @@ -20,23 +20,22 @@ ms.date: 07/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators -**Manageability available with** - -- Group Policy -- PowerShell -- Configuration service providers for mobile device management -Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. + + + + + + + + +Attack surface reduction is a feature that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. @@ -53,7 +52,7 @@ You can manually add the rules by using the GUIDs in the following table: Rule description | GUID -|- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D @@ -64,7 +63,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block only Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. @@ -76,7 +75,7 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. +5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. 6. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section: - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: @@ -134,6 +133,6 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https ## Related topics -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) +- [Reduce attack surfaces](attack-surface-reduction-exploit-guard.md) - [Customize Attack surface reduction](customize-attack-surface-reduction.md) - [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 67697f589e..62f8359359 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -11,31 +11,17 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- -# Enable Controlled folder access +# Enable controlled folder access **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 - - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell -- Configuration service providers for mobile device management +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). @@ -43,11 +29,10 @@ Controlled folder access helps you protect valuable data from malicious apps and This topic describes how to enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). -## Enable and audit Controlled folder access +## Enable and audit controlled folder access -You can enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. +You can enable controlled folder access with the Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. -For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). >[!NOTE] >The Controlled folder access feature will display the state in the Windows Defender Security Center app under **Virus & threat protection settings**. @@ -58,7 +43,7 @@ For further details on how audit mode works, and when you might want to use it, >Group Policy settings that disable local administrator list merging will override Controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through Controlled folder access. These policies include: >- Windows Defender Antivirus **Configure local administrator merge behavior for lists** >- System Center Endpoint Protection **Allow users to add exclusions and overrides** ->For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). +>For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). ### Use the Windows Defender Security app to enable Controlled folder access @@ -102,11 +87,11 @@ Use `Disabled` to turn the feature off. ### Use MDM CSPs to enable Controlled folder access -Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. +Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. ## Related topics - [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) - [Customize Controlled folder access](customize-controlled-folders-exploit-guard.md) -- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) +- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 584b3b2e8a..c9c10f4b93 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -11,57 +11,36 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- -# Enable Exploit protection +# Enable exploit protection **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 - - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell - - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit protection. +Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). +## Enable and audit exploit protection +You enable and configure each exploit protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps. +The mitigations available in exploit protection are enabled or configured to their default values automatically in Windows 10. However, you can customize the configuration to suit your organization and then deploy that configuration across your network. -## Enable and audit Exploit protection - -You enable and configure each Exploit protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps. - -The mitigations available in Exploit protection are enabled or configured to their default values automatically in Windows 10. However, you can customize the configuration to suit your organization and then deploy that configuration across your network. - -You can also set mitigations to audit mode. Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. - -For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +You can also set mitigations to [audit mode](audit-windows-defender-exploit-guard.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. >[!WARNING] ->Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. +>Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using audit mode before deploying in production. -You can also convert an existing EMET configuration file (in XML format) and import it into Exploit protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using. +You can also convert an existing EMET configuration file (in XML format) and import it into exploit protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using. -See the following topics for instructions on configuring Exploit protection mitigations and importing, exporting, and converting configurations: +See the following topics for instructions on configuring exploit protection mitigations and importing, exporting, and converting configurations: 1. [Configure the mitigations you want to enable or audit](customize-exploit-protection.md) 2. [Export the configuration to an XML file that you can use to deploy the configuration to multiple machines](import-export-exploit-protection-emet-xml.md). @@ -69,11 +48,10 @@ See the following topics for instructions on configuring Exploit protection miti ## Related topics -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate Exploit protection](evaluate-exploit-protection.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 2d33ef5980..93d25b4d0b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -20,23 +20,22 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators -**Manageability available with** - -- Group Policy -- PowerShell -- Configuration service providers for mobile device management -Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. + + + + + + + + +Network protection is a feature that helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. This topic describes how to enable Network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). @@ -55,9 +54,9 @@ For background information on how audit mode works, and when you might want to u 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network protection**. +5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. -6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section you must specify one of the following: +6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following: - **Block** - Users will not be able to access malicious IP addresses and domains - **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. @@ -89,10 +88,10 @@ Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. ### Use MDM CSPs to enable or audit Network protection -Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network protection. +Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network protection. ## Related topics -- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) +- [Protect your network](network-protection-exploit-guard.md) - [Evaluate Network protection](evaluate-network-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 24a17e6b60..cb3e681ae8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -6,15 +6,14 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: justinha author: brianlic-msft -ms.date: 04/19/2018 +ms.date: 08/08/2018 --- # Enable virtualization-based protection of code integrity **Applies to** -- Windows 10 -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. Some applications, including device drivers, may be incompatible with HVCI. @@ -61,7 +60,7 @@ Set the following registry keys to enable HVCI. This provides exactly the same s > - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled.
> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers. -#### For Windows 1607 and above +#### For Windows 10 version 1607 and later Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock): @@ -115,7 +114,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE > To enable **virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**. -#### For Windows 1511 and below +#### For Windows 10 version 1511 and earlier Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock): @@ -182,8 +181,6 @@ This field helps to enumerate and report state on the relevant security properti | **5.** | If present, NX protections are available. | | **6.** | If present, SMM mitigations are available. | -> [!NOTE] -> 4, 5, and 6 were added as of Windows 10, version 1607. #### InstanceIdentifier @@ -203,9 +200,6 @@ This field describes the required security properties to enable virtualization-b | **5.** | If present, NX protections are needed. | | **6.** | If present, SMM mitigations are needed. | -> [!NOTE] -> 4, 5, and 6 were added as of Windows 10, version 1607. - #### SecurityServicesConfigured This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index 3785af890d..d641593a68 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- @@ -19,25 +19,24 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 - - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md). + + + + + + + + + + + + +Attack surface reduction is a feature that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. @@ -179,14 +178,14 @@ Malware and other threats can attempt to obfuscate or hide their malicious code - Random - A scenario will be randomly chosen from this list - AntiMalwareScanInterface - - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script + - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script - OnAccess - Potentially obfuscated scripts will be blocked when an attempt is made to access them ## Review Attack surface reduction events in Windows Event Viewer -You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events). +You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index 56695c3814..db37592aa5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- @@ -19,24 +19,22 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators -**Manageability available with** -- Windows Defender Security Center app -- Group Policy -- PowerShell -Controlled folder access is a feature that is part of Windows Defender Exploit Guard [that helps protect your documents and files from modification by suspicious or malicious apps](controlled-folders-exploit-guard.md). -It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. + + + + + +[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. + +It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. This topic helps you evaluate Controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. @@ -54,7 +52,7 @@ Use the **ExploitGuard CFA File Creator** tool to see how Controlled folder acce The tool is part of the Windows Defender Exploit Guard evaluation package: - [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) -This tool can be run locally on an individual machine to see the typical behavior of Controlled folder access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders. +This tool can be run locally on an individual machine to see the typical behavior of Controlled folder access. The tool is considered by Windows Defender ATP to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders. You can enable Controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders. @@ -83,7 +81,7 @@ You can enable Controlled folder access, run the tool, and see what the experien ## Review Controlled folder access events in Windows Event Viewer -You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events). +You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. @@ -133,5 +131,5 @@ See the main [Protect important folders with Controlled folder access](controlle ## Related topics - [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) -- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) -- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) \ No newline at end of file +- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md) +- [Use audit mode](audit-windows-defender-exploit-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index 499c186d35..d4d3705b4a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -1,6 +1,6 @@ --- -title: See how Exploit protection works in a demo -description: See how Exploit protection can prevent suspicious behaviors from occurring on specific apps. +title: See how exploit protection works in a demo +description: See how exploit protection can prevent suspicious behaviors from occurring on specific apps. keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigiation search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -16,40 +16,27 @@ ms.date: 05/30/2018 -# Evaluate Exploit protection +# Evaluate exploit protection **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 - - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit protection. +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in exploit protection. -This topcs helps you evaluate Exploit protection. See the [Exploit protection topic](exploit-protection-exploit-guard.md) for more information on what Exploit protection does and how to configure it for real-world deployment. +This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md) . >[!NOTE] >This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. ->For instructions on how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see the main [Exploit protection topic](exploit-protection-exploit-guard.md) . +>For instructions about how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see [Exploit protection](exploit-protection-exploit-guard.md). >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -## Enable and validate an Exploit protection mitigation +## Enable and validate an exploit protection mitigation For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app. @@ -63,11 +50,11 @@ First, enable the mitigation using PowerShell, and then confirm that it has been Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation ``` -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. -3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. +3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. 4. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**. @@ -81,20 +68,20 @@ Now that you know the mitigation has been enabled, you can test to see if it wor Lastly, we can disable the mitigation so that Internet Explorer works properly again: -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. -3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. +3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. 4. Find the **Do not allow child processes** setting and set the switch to **Off**. Click **Apply** 5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected. -## Review Exploit protection events in Windows Event Viewer +## Review exploit protection events in Windows Event Viewer -You can now review the events that Exploit protection sent to the Windows Event log to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events). +You can now review the events that exploit protection sent to the Windows Event Viewer to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. @@ -106,7 +93,7 @@ You can now review the events that Exploit protection sent to the Windows Event 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Exploit protection, which are all listed in the [Exploit protection](exploit-protection-exploit-guard.md) topic. +5. This will create a custom view that filters to only show the events related to exploit protection. 6. The specific event to look for in this demo is event ID 4, which should have the following or similar information: @@ -115,21 +102,24 @@ You can now review the events that Exploit protection sent to the Windows Event ## Use audit mode to measure impact -As with other Windows Defender EG features, you can enable Exploit protection in audit mode. You can enable audit mode for individual mitigations. +You can enable exploit protection in audit mode. You can enable audit mode for individual mitigations. This lets you see a record of what *would* have happened if you had enabled the mitigation. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious or malicious events generally occur over a certain period. -See the [**PowerShell reference** section in the Customize Exploit protection topic](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode. +See the [**PowerShell reference** section in customize exploit protection](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode. -For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +For further details on how audit mode works, and when you might want to use it, see [audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md). ## Related topics -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Enable Exploit protection](enable-exploit-protection.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Enable network protection](enable-network-protection.md) +- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) +- [Enable attack surface reduction](enable-attack-surface-reduction.md) + diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index 1f004b79b7..dc6546e9a9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/09/2018 --- # Evaluate Network protection @@ -20,19 +20,18 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10 Enterprise edition, version 1709 or later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + + + + -**Audience** - -- Enterprise security administrators -**Manageability available with** -- Group Policy -- PowerShell @@ -72,7 +71,7 @@ You will get a 403 Forbidden response in the browser, and you will see a notific ## Review Network protection events in Windows Event Viewer -You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events). +You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md index 958158f7f6..e7852096d0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md @@ -25,9 +25,9 @@ ms.date: 05/30/2018 - Windows Server 2016 -**Audience** -- Enterprise security administrators + + Windows Defender Exploit Guard is a new collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index f070b8407e..ceb60ddeb8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -1,5 +1,5 @@ --- -title: Import custom views to see Windows Defender Exploit Guard events +title: Import custom views to see attack surface reduction events description: Use Windows Event Viewer to import individual views for each of the features. keywords: event view, exploit guard, audit, review, events search.product: eADQiWindows 10XVcnh @@ -12,38 +12,37 @@ ms.date: 04/16/2018 ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- -# View Windows Defender Exploit Guard events +# View attack surface reduction events **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** -- Enterprise security administrators -Each of the four features in Windows Defender Exploit Guard allow you to review events in the Windows Event log. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. + + +You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled. This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. -You can also get detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) in the Windows Defender Security Center console, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). +You can also get detailed reporting into events and blocks as part of Windows Defender Security Center, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). -## Use custom views to review Windows Defender Exploit Guard features +## Use custom views to review attack surface reduction capabilities -You can create custom views in the Windows Event Viewer to only see events for specific features and settings. +You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings. The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page. -You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of all Windows Defender Exploit Guard events](#list-of-all-windows-defender-exploit-guard-events) section at the end of this topic for more details. +You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details. ### Import an existing XML custom view @@ -143,10 +142,10 @@ You can also manually navigate to the event area that corresponds to the Windows -## List of all Windows Defender Exploit Guard events +## List of attack surface reduction events -All Windows Defender Exploit Guard events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. +All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. You can access these events in Windows Event viewer: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 64d6627554..3fa5e1d678 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -11,32 +11,17 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/09/2018 --- -# Protect devices from exploits with Windows Defender Exploit Guard +# Protect devices from exploits with with Windows Defender Exploit Guard **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 - - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell - - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. @@ -115,13 +100,109 @@ Security-Mitigations | 24 | ROP SimExec enforce WER-Diagnostics | 5 | CFG Block Win32K | 260 | Untrusted Font +## Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard + +>[!IMPORTANT] +>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows Defender ATP. +> +>You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. + +This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and Exploit protection in Windows Defender ATP. + +Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. + +EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques. + +After July 31, 2018, it will not be supported. + +For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: + +- [Protect devices from exploits](exploit-protection-exploit-guard.md) +- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) + + + + + ## Feature comparison + + The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard. + +  | Windows Defender Exploit Guard | EMET + -|:-:|:-: +Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)]
All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)]
Windows 8.1; Windows 8; Windows 7
Cannot be installed on Windows 10, version 1709 and later +Installation requirements | [Windows Defender Security Center in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
(no additional installation required)
Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device +User interface | Modern interface integrated with the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training +Supportability | [!include[Check mark yes](images/svg/check-yes.svg)]
[Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
[Part of the Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]
Ends after July 31, 2018 +Updates | [!include[Check mark yes](images/svg/check-yes.svg)]
Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]
No planned updates or development +Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)]
All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
[Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited set of mitigations +Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
[Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited ruleset configuration only for modules (no processes) +Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Not available +Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps protect important folders](controlled-folders-exploit-guard.md)
[Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Not available +Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Windows Defender Security Center app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires installation and use of EMET tool +Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]
Available +Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires use of EMET tool (EMET_CONF) +System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
Not available +Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
Not available +Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring +Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Limited to EAF, EAF+, and anti-ROP mitigations + + + +([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). + +([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [Exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. + + + +## Mitigation comparison + +The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [Exploit protection feature](exploit-protection-exploit-guard.md). + +The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection. + +Mitigation | Available in Windows Defender Exploit Guard | Available in EMET +-|:-:|:-: +Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
As "Memory Protection Check" +Block remote images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
As "Load Library Check" +Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.svg)]
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)] +Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](images/svg/check-yes.svg)] +Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)] +Block low integrity images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Code integrity guard | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Disable extension points | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] + + + + + + +>[!NOTE] +>The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. +> +>See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. + + +## Related topics + +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Evaluate Exploit protection](evaluate-exploit-protection.md) +- [Enable Exploit protection](enable-exploit-protection.md) +- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) - ## In this section -Topic | Description ----|--- -[Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) | Many of the features in the EMET are now included in Exploit protection. This topic identifies those features and explains how the features have changed or evolved. -[Evaluate Exploit protection](evaluate-exploit-protection.md) | Undertake a demo scenario to see how Exploit protection mitigations can protect your network from malicious and suspicious behavior. -[Enable Exploit protection](enable-exploit-protection.md) | Use Group Policy or PowerShell to enable and manage Exploit protection in your network. -[Customize and configure Exploit protection](customize-exploit-protection.md) | Configure mitigations for the operating system and for individual apps. -[Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) | Export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit protection. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md index 77b9114470..2da48a5d94 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md @@ -21,20 +21,21 @@ ms.date: 04/30/2018 **Applies to:** -- Windows 10, version 1709 and later + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + + + + + -**Audience** - -- Enterprise security administrators -**Manageability available with** -- Windows Defender Security Center app -- Group Policy -- PowerShell @@ -166,7 +167,7 @@ You can use Group Policy to deploy the configuration you've created to multiple 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Exploit Guard > Exploit protection**. +5. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**. ![Screenshot of the group policy setting for exploit protection](images/exp-prot-gp.png) @@ -182,7 +183,7 @@ You can use Group Policy to deploy the configuration you've created to multiple ## Related topics -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) - [Evaluate Exploit protection](evaluate-exploit-protection.md) - [Enable Exploit protection](enable-exploit-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md index 7ac4ae1438..a24d063a73 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 02/20/2018 +ms.date: 08/09/2018 --- @@ -21,8 +21,9 @@ ms.date: 02/20/2018 **Applies to:** -- Windows 10, version 1709 -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Memory integrity helps block many types of malware from running on computers that run Windows 10 and Windows Server 2016. + + diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index df6a6b9037..65be3c2ceb 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/09/2018 --- @@ -20,23 +20,9 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10, version 1709 or higher -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Group Policy -- PowerShell -- Configuration service providers for mobile device management - - -Supported in Windows 10 Enterprise, Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). @@ -46,14 +32,12 @@ It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Network protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Network protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). When Network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network protection would impact your organization if it were enabled. - - ## Requirements Network protection requires Windows 10 Enterprise E3 and Windows Defender AV real-time protection. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/TOC.md b/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/TOC.md rename to windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index 92617d3613..42665e23e2 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -12,8 +12,8 @@ ms.date: 10/20/2017 # Requirements and deployment planning guidelines for virtualization-based protection of code integrity **Applies to** -- Windows 10 -- Windows Server 2016 + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features in Windows Defender Device Guard. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index 412c817281..a2e9bc9fb3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -18,10 +18,9 @@ ms.date: 05/17/2018 **Applies to:** -- Windows 10, version 1709 or higher -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + -**Audience** - IT administrators diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md index 8410be06b9..28b500c5c9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/09/2018 --- @@ -21,19 +21,18 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + + + + -**Audience** - -- Enterprise security administrators -**Manageability available with** -- Windows Defender Security Center app -- PowerShell When you create a set of Exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations. @@ -205,7 +204,7 @@ You can manually remove unwanted mitigations in Windows Defender Security Center ``` -If you haven’t already, it's a good idea to download and use the [Windows Security Baselines](https://docs.microsoft.com/en-us/windows/device-security/windows-security-baselines) to complete your Exploit protection customization. +If you haven’t already, it's a good idea to download and use the [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) to complete your Exploit protection customization. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index 2b7764fdb5..3019dd13f6 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md @@ -11,16 +11,16 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 08/09/2018 --- # Troubleshoot Network protection **Applies to:** -- Windows 10, version 1709 or higher +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + -**Audience** - IT administrators diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 99973955de..1613918bd9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/09/2018 --- @@ -21,13 +21,12 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + -**Audience** -- Enterprise security administrators Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees. @@ -52,13 +51,9 @@ You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for th >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how each of them work. -Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies, which also includes: -- [Windows Defender Security Center](../windows-defender-atp/windows-defender-security-center-atp.md) -- [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) -- [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md) -- [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md) +Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. -You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. +You can use the Windows Defender Security Center to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. ## Requirements @@ -68,13 +63,12 @@ This section covers requirements for each feature in Windows Defender EG. |--------|---------| | ![not supported](./images/ball_empty.png) | Not supported | | ![supported](./images/ball_50.png) | Supported | -| ![supported, enhanced](./images/ball_75.png) | Includes advanced exploit protection for the kernel mode via [HVCI](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity) | -| ![supported, full reporting](./images/ball_full.png) | Includes automated reporting into the Windows Defender ATP console| +| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Windows Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an Attack surface reduction rule that blocks executable files that meet age or prevalence criteria.| | Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 | | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | -| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | +| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | | Attack surface reduction | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) | | Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | | Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | @@ -92,9 +86,9 @@ The following table lists which features in Windows Defender EG require enabling Topic | Description ---|--- -[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once. -[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts. -[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors. +[Protect devices from exploits](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once. +[Reduce attack surfaces](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts. +[Protect your network](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors. [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data. diff --git a/windows/security/threat-protection/windows-defender-security-center/TOC.md b/windows/security/threat-protection/windows-defender-security-center/oldTOC.md similarity index 100% rename from windows/security/threat-protection/windows-defender-security-center/TOC.md rename to windows/security/threat-protection/windows-defender-security-center/oldTOC.md diff --git a/windows/security/threat-protection/windows-firewall/TOC.md b/windows/security/threat-protection/windows-firewall/TOC.md new file mode 100644 index 0000000000..19f2d4873f --- /dev/null +++ b/windows/security/threat-protection/windows-firewall/TOC.md @@ -0,0 +1,109 @@ +# [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) +## [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md) +## [Securing IPsec](securing-end-to-end-ipsec-connections-by-using-ikev2.md) +## [PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) +## [Design Guide](windows-firewall-with-advanced-security-design-guide.md) +### [Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) +### [Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) +#### [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) +#### [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md) +#### [Require Encryption](require-encryption-when-accessing-sensitive-network-resources.md) +#### [Restrict Access](restrict-access-to-only-specified-users-or-devices.md) +### [Mapping Goals to a Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) +#### [Basic Design](basic-firewall-policy-design.md) +#### [Domain Isolation Design](domain-isolation-policy-design.md) +#### [Server Isolation Design](server-isolation-policy-design.md) +#### [Certificate-based Isolation Design](certificate-based-isolation-policy-design.md) +### [Evaluating Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) +#### [Basic Design Example](firewall-policy-design-example.md) +#### [Domain Isolation Design Example](domain-isolation-policy-design-example.md) +#### [Server Isolation Design Example](server-isolation-policy-design-example.md) +#### [Certificate-based Isolation Design Example](certificate-based-isolation-policy-design-example.md) +### [Designing a Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) +#### [Gathering the Info You Need](gathering-the-information-you-need.md) +##### [Network](gathering-information-about-your-current-network-infrastructure.md) +##### [Active Directory](gathering-information-about-your-active-directory-deployment.md) +##### [Computers](gathering-information-about-your-devices.md) +##### [Other Relevant Information](gathering-other-relevant-information.md) +#### [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-devices.md) +### [Planning Your Design](planning-your-windows-firewall-with-advanced-security-design.md) +#### [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) +#### [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) +##### [Exemption List](exemption-list.md) +##### [Isolated Domain](isolated-domain.md) +##### [Boundary Zone](boundary-zone.md) +##### [Encryption Zone](encryption-zone.md) +#### [Planning Server Isolation Zones](planning-server-isolation-zones.md) +#### [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) +##### [Documenting the Zones](documenting-the-zones.md) +##### [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) +###### [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) +###### [Planning Network Access Groups](planning-network-access-groups.md) +###### [Planning the GPOs](planning-the-gpos.md) +####### [Firewall GPOs](firewall-gpos.md) +######## [GPO_DOMISO_Firewall](gpo-domiso-firewall.md) +####### [Isolated Domain GPOs](isolated-domain-gpos.md) +######## [GPO_DOMISO_IsolatedDomain_Clients](gpo-domiso-isolateddomain-clients.md) +######## [GPO_DOMISO_IsolatedDomain_Servers](gpo-domiso-isolateddomain-servers.md) +####### [Boundary Zone GPOs](boundary-zone-gpos.md) +######## [GPO_DOMISO_Boundary](gpo-domiso-boundary.md) +####### [Encryption Zone GPOs](encryption-zone-gpos.md) +######## [GPO_DOMISO_Encryption](gpo-domiso-encryption.md) +####### [Server Isolation GPOs](server-isolation-gpos.md) +###### [Planning GPO Deployment](planning-gpo-deployment.md) +### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) +## [Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) +### [Planning to Deploy](planning-to-deploy-windows-firewall-with-advanced-security.md) +### [Implementing Your Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) +### [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md) +### [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md) +### [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md) +### [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md) +### [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md) +### [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md) +#### [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md) +#### [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md) +#### [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md) +#### [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md) +### [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md) +#### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md) +#### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md) +### [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) +### [Procedures Used in This Guide](procedures-used-in-this-guide.md) +#### [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md) +#### [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) +#### [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) +#### [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md) +#### [Configure Authentication Methods](configure-authentication-methods.md) +#### [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md) +#### [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md) +#### [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md) +#### [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md) +#### [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md) +#### [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md) +#### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) +#### [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md) +#### [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) +#### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) +#### [Create a Group Policy Object](create-a-group-policy-object.md) +#### [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) +#### [Create an Authentication Request Rule](create-an-authentication-request-rule.md) +#### [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md) +#### [Create an Inbound Port Rule](create-an-inbound-port-rule.md) +#### [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) +#### [Create an Outbound Port Rule](create-an-outbound-port-rule.md) +#### [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md) +#### [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md) +#### [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) +#### [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md) +#### [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md) +#### [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md) +#### [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) +#### [Modify GPO Filters](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) +#### [Open IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md) +#### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall.md) +#### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) +#### [Open Windows Firewall](open-windows-firewall-with-advanced-security.md) +#### [Restrict Server Access](restrict-server-access-to-members-of-a-group-only.md) +#### [Enable Windows Firewall](turn-on-windows-firewall-and-configure-default-behavior.md) +#### [Verify Network Traffic](verify-that-network-traffic-is-authenticated.md) diff --git a/windows/security/identity-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md rename to windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md index 8df6f869aa..98a41989a0 100644 --- a/windows/security/identity-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md rename to windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md index 281ad6dac7..01300466cb 100644 --- a/windows/security/identity-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md rename to windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md index 5cebf022c7..80be70956a 100644 --- a/windows/security/identity-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md rename to windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md index 6b62911649..ca09cb0b1b 100644 --- a/windows/security/identity-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/basic-firewall-policy-design.md rename to windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md index c42b348566..52a0ff1746 100644 --- a/windows/security/identity-protection/windows-firewall/basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/boundary-zone-gpos.md b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/boundary-zone-gpos.md rename to windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md index 1cd6e00adf..c6efd1da85 100644 --- a/windows/security/identity-protection/windows-firewall/boundary-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/boundary-zone.md rename to windows/security/threat-protection/windows-firewall/boundary-zone.md index 8bbf2b4e08..4b8a3f82d9 100644 --- a/windows/security/identity-protection/windows-firewall/boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design-example.md rename to windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md index 1b0eb72de4..a3077b6d8b 100644 --- a/windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design.md rename to windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md index bdd5a0c1de..5703ac0670 100644 --- a/windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/change-rules-from-request-to-require-mode.md rename to windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md index 1b9c21d3ce..62420de298 100644 --- a/windows/security/identity-protection/windows-firewall/change-rules-from-request-to-require-mode.md +++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md similarity index 97% rename from windows/security/identity-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md rename to windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md index 0a85219b4b..0494cf7b90 100644 --- a/windows/security/identity-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md rename to windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md index 8f72339a24..cc95a9fe0e 100644 --- a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md rename to windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md index 73e079e959..36a838b94a 100644 --- a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md rename to windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md index 23127bc7f3..c0097b7a82 100644 --- a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md rename to windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md index 8ee694fdd7..59459f5637 100644 --- a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md rename to windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md index 2d8c7601d4..12aff1bf77 100644 --- a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/checklist-creating-group-policy-objects.md rename to windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md index f405e2bb9a..b42bfc69b3 100644 --- a/windows/security/identity-protection/windows-firewall/checklist-creating-group-policy-objects.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md similarity index 97% rename from windows/security/identity-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md rename to windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md index 5df5d2c5b6..7b6bd39b54 100644 --- a/windows/security/identity-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md rename to windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md index 483fe71c65..559291765a 100644 --- a/windows/security/identity-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md rename to windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md index f072701a49..9a7e901ac8 100644 --- a/windows/security/identity-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md rename to windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md index 99969245fc..d58d940b08 100644 --- a/windows/security/identity-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md rename to windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md index dc40a91804..e482d00b69 100644 --- a/windows/security/identity-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md rename to windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md index 8a58ee4cde..18e9197b4e 100644 --- a/windows/security/identity-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md rename to windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md index 2b9b09d474..dcf7575556 100644 --- a/windows/security/identity-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/configure-authentication-methods.md rename to windows/security/threat-protection/windows-firewall/configure-authentication-methods.md index d0a86b59f7..b23f0c7d01 100644 --- a/windows/security/identity-protection/windows-firewall/configure-authentication-methods.md +++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security - +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/configure-data-protection-quick-mode-settings.md rename to windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md index 95c923e55b..05db2ff779 100644 --- a/windows/security/identity-protection/windows-firewall/configure-data-protection-quick-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md rename to windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md index 8b65b64896..63802f55e1 100644 --- a/windows/security/identity-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md +++ b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/configure-key-exchange-main-mode-settings.md rename to windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md index 4ebecbd05c..4ec20e462c 100644 --- a/windows/security/identity-protection/windows-firewall/configure-key-exchange-main-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/configure-the-rules-to-require-encryption.md rename to windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md index 011e37612c..b9cb9944ae 100644 --- a/windows/security/identity-protection/windows-firewall/configure-the-rules-to-require-encryption.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/configure-the-windows-firewall-log.md rename to windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md index d108f8e07b..ba32647e26 100644 --- a/windows/security/identity-protection/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security - +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md rename to windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md index 840bf5b9b7..b3e437f93d 100644 --- a/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: Justinha ms.date: 07/30/2018 --- diff --git a/windows/security/identity-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md rename to windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index 69fe26b5c4..b0f250ecfb 100644 --- a/windows/security/identity-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md +++ b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md rename to windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md index c8b0f4c9f5..1895dc3017 100644 --- a/windows/security/identity-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md +++ b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: securit +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md rename to windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md index 6199641b1f..af70080d9b 100644 --- a/windows/security/identity-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md +++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/create-a-group-account-in-active-directory.md rename to windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md index acf2f55a73..9aefd85144 100644 --- a/windows/security/identity-protection/windows-firewall/create-a-group-account-in-active-directory.md +++ b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md similarity index 97% rename from windows/security/identity-protection/windows-firewall/create-a-group-policy-object.md rename to windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md index 4cbdd983d0..dd292b0bea 100644 --- a/windows/security/identity-protection/windows-firewall/create-a-group-policy-object.md +++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/create-an-authentication-exemption-list-rule.md rename to windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md index 06f204cb58..f9d1765c2f 100644 --- a/windows/security/identity-protection/windows-firewall/create-an-authentication-exemption-list-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/create-an-authentication-request-rule.md rename to windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md index edf9d7479c..efde773a84 100644 --- a/windows/security/identity-protection/windows-firewall/create-an-authentication-request-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/create-an-inbound-icmp-rule.md rename to windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md index 4ddb3567bf..a4ecccf7e2 100644 --- a/windows/security/identity-protection/windows-firewall/create-an-inbound-icmp-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/create-an-inbound-port-rule.md rename to windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md index 066e7e1ea1..d20966c5d7 100644 --- a/windows/security/identity-protection/windows-firewall/create-an-inbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/create-an-inbound-program-or-service-rule.md rename to windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md index 301a6ed8f0..36d61e5346 100644 --- a/windows/security/identity-protection/windows-firewall/create-an-inbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/create-an-outbound-port-rule.md rename to windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md index 9e07ad036f..4f3a998eee 100644 --- a/windows/security/identity-protection/windows-firewall/create-an-outbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/create-an-outbound-program-or-service-rule.md rename to windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md index 293c0b91b8..f0d4c6761c 100644 --- a/windows/security/identity-protection/windows-firewall/create-an-outbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/create-inbound-rules-to-support-rpc.md rename to windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md index a2be760876..aec0ec391f 100644 --- a/windows/security/identity-protection/windows-firewall/create-inbound-rules-to-support-rpc.md +++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/create-wmi-filters-for-the-gpo.md rename to windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md index 8f0ee31021..7744378add 100644 --- a/windows/security/identity-protection/windows-firewall/create-wmi-filters-for-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 05/25/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md rename to windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md index 2ed2c83937..48712e94eb 100644 --- a/windows/security/identity-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md rename to windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md index 1169fd195d..5023cacc9c 100644 --- a/windows/security/identity-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/documenting-the-zones.md rename to windows/security/threat-protection/windows-firewall/documenting-the-zones.md index 092e1b70c1..ee0a546b86 100644 --- a/windows/security/identity-protection/windows-firewall/documenting-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/domain-isolation-policy-design-example.md rename to windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md index b6738968f0..cb91e6f3ab 100644 --- a/windows/security/identity-protection/windows-firewall/domain-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/domain-isolation-policy-design.md rename to windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md index 97c2561cf6..db21ce0ac9 100644 --- a/windows/security/identity-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/enable-predefined-inbound-rules.md rename to windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md index 7f83f9dc04..825edaca3a 100644 --- a/windows/security/identity-protection/windows-firewall/enable-predefined-inbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/enable-predefined-outbound-rules.md rename to windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md index 21011137b7..df3c7329ae 100644 --- a/windows/security/identity-protection/windows-firewall/enable-predefined-outbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md similarity index 97% rename from windows/security/identity-protection/windows-firewall/encryption-zone-gpos.md rename to windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md index a3169a163b..6ed1c4c636 100644 --- a/windows/security/identity-protection/windows-firewall/encryption-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/encryption-zone.md rename to windows/security/threat-protection/windows-firewall/encryption-zone.md index 29681be588..35aa4212f1 100644 --- a/windows/security/identity-protection/windows-firewall/encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md similarity index 97% rename from windows/security/identity-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md rename to windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md index e0bcd65419..720c7272ac 100644 --- a/windows/security/identity-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md similarity index 97% rename from windows/security/identity-protection/windows-firewall/exempt-icmp-from-authentication.md rename to windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md index 5e47503c42..4cf8c409e1 100644 --- a/windows/security/identity-protection/windows-firewall/exempt-icmp-from-authentication.md +++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/exemption-list.md rename to windows/security/threat-protection/windows-firewall/exemption-list.md index 7f06dcc4f1..21a3e2c957 100644 --- a/windows/security/identity-protection/windows-firewall/exemption-list.md +++ b/windows/security/threat-protection/windows-firewall/exemption-list.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md similarity index 95% rename from windows/security/identity-protection/windows-firewall/firewall-gpos.md rename to windows/security/threat-protection/windows-firewall/firewall-gpos.md index 5c244fa5b6..ad1d17f139 100644 --- a/windows/security/identity-protection/windows-firewall/firewall-gpos.md +++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/firewall-policy-design-example.md rename to windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md index 76d4cb1d81..07ca7e7c61 100644 --- a/windows/security/identity-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md rename to windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md index ab28af81ed..4c2a252889 100644 --- a/windows/security/identity-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md rename to windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index 6c6f869bbc..c3a22d6df6 100644 --- a/windows/security/identity-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/gathering-information-about-your-devices.md rename to windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md index 1d21b2750c..8c1b016757 100644 --- a/windows/security/identity-protection/windows-firewall/gathering-information-about-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/gathering-other-relevant-information.md rename to windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md index bbe338e32b..2ecc649ffb 100644 --- a/windows/security/identity-protection/windows-firewall/gathering-other-relevant-information.md +++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md similarity index 97% rename from windows/security/identity-protection/windows-firewall/gathering-the-information-you-need.md rename to windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md index 267025d913..b2c85e5dd0 100644 --- a/windows/security/identity-protection/windows-firewall/gathering-the-information-you-need.md +++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/gpo-domiso-boundary.md rename to windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md index ecac9fe271..38018ab8e2 100644 --- a/windows/security/identity-protection/windows-firewall/gpo-domiso-boundary.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/gpo-domiso-encryption.md rename to windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md index 3d554f3a9e..99ff5ffcf6 100644 --- a/windows/security/identity-protection/windows-firewall/gpo-domiso-encryption.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md @@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/gpo-domiso-firewall.md rename to windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md index 2d72894c44..bed2d46cda 100644 --- a/windows/security/identity-protection/windows-firewall/gpo-domiso-firewall.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md rename to windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md index 6ca14e5412..1f645f91c2 100644 --- a/windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md rename to windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md index 31c28d7a4f..f13c70d1c7 100644 --- a/windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md rename to windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 78403c5c87..30a391a025 100644 --- a/windows/security/identity-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/images/corpnet.gif b/windows/security/threat-protection/windows-firewall/images/corpnet.gif similarity index 100% rename from windows/security/identity-protection/windows-firewall/images/corpnet.gif rename to windows/security/threat-protection/windows-firewall/images/corpnet.gif diff --git a/windows/security/identity-protection/windows-firewall/images/createipsecrule.gif b/windows/security/threat-protection/windows-firewall/images/createipsecrule.gif similarity index 100% rename from windows/security/identity-protection/windows-firewall/images/createipsecrule.gif rename to windows/security/threat-protection/windows-firewall/images/createipsecrule.gif diff --git a/windows/security/identity-protection/windows-firewall/images/powershelllogosmall.gif b/windows/security/threat-protection/windows-firewall/images/powershelllogosmall.gif similarity index 100% rename from windows/security/identity-protection/windows-firewall/images/powershelllogosmall.gif rename to windows/security/threat-protection/windows-firewall/images/powershelllogosmall.gif diff --git a/windows/security/identity-protection/windows-firewall/images/qmcryptoset.gif b/windows/security/threat-protection/windows-firewall/images/qmcryptoset.gif similarity index 100% rename from windows/security/identity-protection/windows-firewall/images/qmcryptoset.gif rename to windows/security/threat-protection/windows-firewall/images/qmcryptoset.gif diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-design2example1.gif b/windows/security/threat-protection/windows-firewall/images/wfas-design2example1.gif similarity index 100% rename from windows/security/identity-protection/windows-firewall/images/wfas-design2example1.gif rename to windows/security/threat-protection/windows-firewall/images/wfas-design2example1.gif diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-design3example1.gif b/windows/security/threat-protection/windows-firewall/images/wfas-design3example1.gif similarity index 100% rename from windows/security/identity-protection/windows-firewall/images/wfas-design3example1.gif rename to windows/security/threat-protection/windows-firewall/images/wfas-design3example1.gif diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-designexample1.gif b/windows/security/threat-protection/windows-firewall/images/wfas-designexample1.gif similarity index 100% rename from windows/security/identity-protection/windows-firewall/images/wfas-designexample1.gif rename to windows/security/threat-protection/windows-firewall/images/wfas-designexample1.gif diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-designflowchart1.gif b/windows/security/threat-protection/windows-firewall/images/wfas-designflowchart1.gif similarity index 100% rename from windows/security/identity-protection/windows-firewall/images/wfas-designflowchart1.gif rename to windows/security/threat-protection/windows-firewall/images/wfas-designflowchart1.gif diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-domainiso.gif b/windows/security/threat-protection/windows-firewall/images/wfas-domainiso.gif similarity index 100% rename from windows/security/identity-protection/windows-firewall/images/wfas-domainiso.gif rename to windows/security/threat-protection/windows-firewall/images/wfas-domainiso.gif diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-domainisoencrypt.gif b/windows/security/threat-protection/windows-firewall/images/wfas-domainisoencrypt.gif similarity index 100% rename from windows/security/identity-protection/windows-firewall/images/wfas-domainisoencrypt.gif rename to windows/security/threat-protection/windows-firewall/images/wfas-domainisoencrypt.gif diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-domainisohighsec.gif b/windows/security/threat-protection/windows-firewall/images/wfas-domainisohighsec.gif similarity index 100% rename from windows/security/identity-protection/windows-firewall/images/wfas-domainisohighsec.gif rename to windows/security/threat-protection/windows-firewall/images/wfas-domainisohighsec.gif diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-domainnag.gif b/windows/security/threat-protection/windows-firewall/images/wfas-domainnag.gif similarity index 100% rename from windows/security/identity-protection/windows-firewall/images/wfas-domainnag.gif rename to windows/security/threat-protection/windows-firewall/images/wfas-domainnag.gif diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-icon-checkbox.gif b/windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif similarity index 100% rename from windows/security/identity-protection/windows-firewall/images/wfas-icon-checkbox.gif rename to windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-implement.gif b/windows/security/threat-protection/windows-firewall/images/wfas-implement.gif similarity index 100% rename from windows/security/identity-protection/windows-firewall/images/wfas-implement.gif rename to windows/security/threat-protection/windows-firewall/images/wfas-implement.gif diff --git a/windows/security/identity-protection/windows-firewall/images/wfasdomainisoboundary.gif b/windows/security/threat-protection/windows-firewall/images/wfasdomainisoboundary.gif similarity index 100% rename from windows/security/identity-protection/windows-firewall/images/wfasdomainisoboundary.gif rename to windows/security/threat-protection/windows-firewall/images/wfasdomainisoboundary.gif diff --git a/windows/security/identity-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md rename to windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 88bf7a60c3..e40d8d7a2e 100644 --- a/windows/security/identity-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md similarity index 97% rename from windows/security/identity-protection/windows-firewall/isolated-domain-gpos.md rename to windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md index 584608f5b5..d32fbbad7b 100644 --- a/windows/security/identity-protection/windows-firewall/isolated-domain-gpos.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/isolated-domain.md rename to windows/security/threat-protection/windows-firewall/isolated-domain.md index ff2b3914ed..32a9043172 100644 --- a/windows/security/identity-protection/windows-firewall/isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/isolating-apps-on-your-network.md rename to windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md index fa46126446..ca4b001e6a 100644 --- a/windows/security/identity-protection/windows-firewall/isolating-apps-on-your-network.md +++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md @@ -5,6 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 10/13/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/link-the-gpo-to-the-domain.md rename to windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md index 60fbc82328..746570ffbd 100644 --- a/windows/security/identity-protection/windows-firewall/link-the-gpo-to-the-domain.md +++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md rename to windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index e1793dc9f8..7eefeac0b2 100644 --- a/windows/security/identity-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md rename to windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md index 9c3e678890..d45ed57dfc 100644 --- a/windows/security/identity-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md similarity index 96% rename from windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md rename to windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md index 6c935f8c41..2894154e47 100644 --- a/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md similarity index 97% rename from windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md rename to windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md index f99c3dfeb5..f4e67423c5 100644 --- a/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md similarity index 95% rename from windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md rename to windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md index 04fceb336d..485b4917f9 100644 --- a/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/02/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md similarity index 97% rename from windows/security/identity-protection/windows-firewall/open-windows-firewall-with-advanced-security.md rename to windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md index d14fa0d2a9..a49296f5d8 100644 --- a/windows/security/identity-protection/windows-firewall/open-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/planning-certificate-based-authentication.md rename to windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md index e876f9cde7..75bbce24b9 100644 --- a/windows/security/identity-protection/windows-firewall/planning-certificate-based-authentication.md +++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md similarity index 97% rename from windows/security/identity-protection/windows-firewall/planning-domain-isolation-zones.md rename to windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md index 717d5b0f83..9ec2562b8a 100644 --- a/windows/security/identity-protection/windows-firewall/planning-domain-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/planning-gpo-deployment.md rename to windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md index 12e737f353..6222a6da9c 100644 --- a/windows/security/identity-protection/windows-firewall/planning-gpo-deployment.md +++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md similarity index 97% rename from windows/security/identity-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md rename to windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md index 9cdb57a7f3..d43c0a263c 100644 --- a/windows/security/identity-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/planning-isolation-groups-for-the-zones.md rename to windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md index 44804c8c56..38d6aa0b45 100644 --- a/windows/security/identity-protection/windows-firewall/planning-isolation-groups-for-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/planning-network-access-groups.md rename to windows/security/threat-protection/windows-firewall/planning-network-access-groups.md index 39d5ac3285..2a53064efd 100644 --- a/windows/security/identity-protection/windows-firewall/planning-network-access-groups.md +++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/planning-server-isolation-zones.md rename to windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md index 91b3f895f0..0dc7dc181b 100644 --- a/windows/security/identity-protection/windows-firewall/planning-server-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md rename to windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md index e5b08697f1..73a2f757c7 100644 --- a/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/planning-the-gpos.md rename to windows/security/threat-protection/windows-firewall/planning-the-gpos.md index 7223799e78..f3db2bbad9 100644 --- a/windows/security/identity-protection/windows-firewall/planning-the-gpos.md +++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md rename to windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md index ebd4d51ffc..9a39c0de1d 100644 --- a/windows/security/identity-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md rename to windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md index 3f7fedacfe..a2f19872e7 100644 --- a/windows/security/identity-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/procedures-used-in-this-guide.md rename to windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md index cd7c4edaf0..d3ae509319 100644 --- a/windows/security/identity-protection/windows-firewall/procedures-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md rename to windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md index d885b6bab9..2ab0ca6442 100644 --- a/windows/security/identity-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md +++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md rename to windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index 779a932959..b9a8de9993 100644 --- a/windows/security/identity-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md rename to windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index 05964574a6..05a97f9e40 100644 --- a/windows/security/identity-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/restrict-access-to-only-trusted-devices.md rename to windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index 9bdfeb710a..4ff811eafc 100644 --- a/windows/security/identity-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md rename to windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md index c7896c65f7..565a73b576 100644 --- a/windows/security/identity-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md rename to windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index e7d37ede27..6bac7d1d1f 100644 --- a/windows/security/identity-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -5,6 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/server-isolation-gpos.md rename to windows/security/threat-protection/windows-firewall/server-isolation-gpos.md index b59c41958c..5d7aec4d89 100644 --- a/windows/security/identity-protection/windows-firewall/server-isolation-gpos.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/server-isolation-policy-design-example.md rename to windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md index 4b13a1d554..a0bac113cf 100644 --- a/windows/security/identity-protection/windows-firewall/server-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/server-isolation-policy-design.md rename to windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md index 4a20f290d1..016568e7c7 100644 --- a/windows/security/identity-protection/windows-firewall/server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md rename to windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md index 5d8b1b2e47..1dae92ce6c 100644 --- a/windows/security/identity-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md rename to windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md index 2c0c44064d..5be8b4b176 100644 --- a/windows/security/identity-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md @@ -5,6 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md rename to windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md index d981220703..a41e88727a 100644 --- a/windows/security/identity-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md +++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md rename to windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index e981de63b8..64ec16e1ac 100644 --- a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -5,6 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md rename to windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md index 7167d7496a..b89e03159e 100644 --- a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md rename to windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md index 7714a6969c..17bc826d98 100644 --- a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 10/05/2017 --- diff --git a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md similarity index 94% rename from windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security.md rename to windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index 9bf49e209f..9b266aec88 100644 --- a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -5,6 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 10/13/2017 --- @@ -38,7 +39,7 @@ To help address your organizational network security challenges, Windows Defende | Topic | Description | - | - | | [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Defender Firewall configuration to isolate the network access of Microsoft Store apps that run on devices. | -| [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md) | You can use IKEv2 to help secure your end-to-end IPSec connections. | +| [Securing End-to-End IPsec Connections by Using IKEv2](securing-end-to-end-ipsec-connections-by-using-ikev2.md) | You can use IKEv2 to help secure your end-to-end IPSec connections. | | [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Defender Firewall. | | [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Defender Firewall with Advanced Security. | | [Windows Defender Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) | Learn how to deploy Windows Defender Firewall with Advanced Security. | diff --git a/windows/security/wdatp/images/WDATP-components.png b/windows/security/wdatp/images/WDATP-components.png deleted file mode 100644 index 51f4335265..0000000000 Binary files a/windows/security/wdatp/images/WDATP-components.png and /dev/null differ diff --git a/windows/security/wdatp/images/wdatp-pillars.png b/windows/security/wdatp/images/wdatp-pillars.png deleted file mode 100644 index 06ad5e6ed2..0000000000 Binary files a/windows/security/wdatp/images/wdatp-pillars.png and /dev/null differ diff --git a/windows/security/wdatp/images/wdatp-pillars2.png b/windows/security/wdatp/images/wdatp-pillars2.png deleted file mode 100644 index bbe88f3638..0000000000 Binary files a/windows/security/wdatp/images/wdatp-pillars2.png and /dev/null differ diff --git a/windows/security/wdatp/index.md b/windows/security/wdatp/index.md deleted file mode 100644 index cb401fa3e4..0000000000 --- a/windows/security/wdatp/index.md +++ /dev/null @@ -1,48 +0,0 @@ ---- -title: Windows Defender Advanced Threat Protection -description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats. -keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.date: 06/04/2018 ---- - -# Windows Defender Advanced Threat Protection - -Windows Defender Advanced Threat Protection (Windows Defender ATP)is a unified platform for preventative protection, post-breach detection, automated investigation and response, employing intelligent protection to protect endpoints from cyber threats. - - -![Windows Defender ATP components](images/wdatp-pillars2.png) - -**Attack surface reduction**
-The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. - -**Next generation protection**
-To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. - -**Endpoint detection and response**
-Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. - -**Auto investigation and remediation**
-In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - -**Security posture**
-Windows Defender ATP also provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network. - -**Management and APIs**
-Windows Defender ATP provides integrated configuration management in the cloud. The service also supports third-party mobile device management (MDM) tools, cross-platform support, and APIs that allow customers to create custom threat intelligence and automate workflows. - -Understand how capabilities align within the Windows Defender ATP suite offering: - - - Attack surface reduction | Next generation protection | Endpoint detection and response | Auto investigation and remediation | Security posture -:---|:---|:---|:---|:--- - [Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/hardware-protection/)

[Application control](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)

[Exploit protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)

[Network protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)

[Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) | [Machine learning](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)

[Antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)

[Threat intelligence](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)

[Sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis) | [Response containment](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)

[Realtime and historical threat hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)

[Threat intelligence and custom detections](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) | [Forensic collection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)

[Response orchestration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)

[Historical endpoint data](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)

[Artificial intelligence response playbooks](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | [Asset inventory](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)
[Operating system baseline compliance](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

[Recommended improvement actions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection#improvement-opportunities)

[Secure score](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

[Threat analytics](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)

[Reporting and trends](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection) - -These capabilities are available across multiple products that make up the Windows Defender ATP platform. For more information on how to leverage all the Windows Defender ATP capabilities, see [Threat protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/index). - -