From 8a5d3e087d1ffdb8fa1f6b00bb298fd4a058d0bc Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 17 Jul 2020 16:45:44 +0500 Subject: [PATCH 01/18] Update configure-extension-file-exclusions-microsoft-defender-antivirus.md --- ...re-extension-file-exclusions-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index 17b4284fa0..8f9e75d1de 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md @@ -30,7 +30,7 @@ manager: dansimp You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. > [!NOTE] -> Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default. +> Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in Windows Security app and PowerShell. This article describes how to configure exclusion lists for the files and folders. From e6d142d26c321b63e036da89b25ca3e69e43afbe Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 19 Jul 2020 12:32:17 +0500 Subject: [PATCH 02/18] Update windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...re-extension-file-exclusions-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index 8f9e75d1de..c730506401 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md @@ -30,7 +30,7 @@ manager: dansimp You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. > [!NOTE] -> Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in Windows Security app and PowerShell. +> Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in the Windows Security app and in PowerShell. This article describes how to configure exclusion lists for the files and folders. From 74749d8b7cba673f59d7ac7cb58f96396226b309 Mon Sep 17 00:00:00 2001 
From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Mon, 20 Jul 2020 17:29:03 +0300 Subject: [PATCH 03/18] Update offboard-machines.md Adding important notes to help with customer confusion and avoid un-needed calls to support --- .../microsoft-defender-atp/offboard-machines.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md index 65e82f7f8a..61c0948f1c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md @@ -41,3 +41,7 @@ Follow the corresponding instructions depending on your preferred deployment met ## Offboard non-Windows devices - [Offboard non-Windows devices](configure-endpoints-non-windows.md#offboard-non-windows-devices) + +>[!NOTE] +> Offboarded devices will remain in the portal until [retention period](data-storage-privacy.md#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy) for the device's data will expire. The status will be switched to ['Inactive'](fix-unhealthy-sensors.md#inactive-devices) 7 days after offboarding. +> In addition, [Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's threat and vulnerability management exposure score and Microsoft Secure Score for Devices.](tvm-dashboard-insights.md) From bea4fc3ef606da2dfa0c8eb6dedef316bff319de Mon Sep 17 00:00:00 2001 From: Narkis Engler <41025789+narkissit@users.noreply.github.com> Date: Mon, 20 Jul 2020 19:39:09 -0700 Subject: [PATCH 04/18] Update waas-delivery-optimization-setup.md "CacheSummary" was never added as a flag (may have been a left over in an old spec) --- windows/deployment/update/waas-delivery-optimization-setup.md | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index 983594b78b..0dca1d9e70 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -148,8 +148,6 @@ Using the `-Verbose` option returns additional information: **Starting in Windows 10, version 2004**, `Get-DeliveryOptimizationPerfSnap` has a new option `-PeerInfo` which returns a real-time list of the connected peers. -Starting in Windows 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status. - Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. #### Manage the Delivery Optimization cache From fa32ae9240ca83e30001ae7f191a0345f23b565b Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Tue, 21 Jul 2020 13:32:25 +0300 Subject: [PATCH 05/18] Update minimum-requirements.md fixed minor typo. "Windows 10 Enterprise 2016 LTSB edition" - LTSC naming convention started with 2019 version. reference: https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet --- .../microsoft-defender-atp/minimum-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 8f47832251..c623b0280f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md 
@@ -97,7 +97,7 @@ The hardware requirements for Microsoft Defender ATP on devices are the same for > [!NOTE] > Machines running mobile versions of Windows are not supported. > -> Virtual Machines running Windows 10 Enterprise 2016 LTSC (which is based on Windows 10, version 1607) may encounter performance issues if run on non-Microsoft virtualization platforms. +> Virtual Machines running Windows 10 Enterprise 2016 LTSB (which is based on Windows 10, version 1607) may encounter performance issues if run on non-Microsoft virtualization platforms. > > For virtual environments, we recommend using Windows 10 Enterprise LTSC 2019 (which is based on Windows 10, version 1809) or later. From 599e62e812bcb5ffd57448de761abeb659a8a99f Mon Sep 17 00:00:00 2001 From: mirandalysha <45540211+mirandalysha@users.noreply.github.com> Date: Tue, 21 Jul 2020 16:45:48 -0500 Subject: [PATCH 06/18] Update kiosk-prepare.md small typo correction that kept bothering me --- windows/configuration/kiosk-prepare.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index aaa526a014..f4825a951e 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -158,7 +158,7 @@ The following table describes some features that have interoperability issues we

Key sequences blocked by assigned access

When in assigned access, some key combinations are blocked for assigned access users.

-

Alt+F4, Alt+Shift+TaB, Alt+Tab are not blocked by Assigned Access, it is recommended you use Keyboard Filter to block these key combinations.

+

Alt+F4, Alt+Shift+Tab, Alt+Tab are not blocked by Assigned Access, it is recommended you use Keyboard Filter to block these key combinations.

Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in WEKF_Settings.
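
Review bot: The corrected line in the "Key sequences blocked by assigned access" row of kiosk-prepare.md (PATCH 06/18) still joins two sentences with a comma: "... are not blocked by Assigned Access, it is recommended you use Keyboard Filter ...". Since the line is already being touched for the "TaB" typo, split it into two sentences, and settle on one capitalization of "Assigned Access", which the neighbouring lines of this row write both ways.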

From 9e1a23372ae34481026d2e37b085fc1ffcc0629b Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Tue, 21 Jul 2020 14:52:42 -0700 Subject: [PATCH 07/18] Update hello-how-it-works-authentication.md Added notes to call out remote work related feedback that requires LoS to DC in key-trust and cert-trust as pre reqs for first time logon. --- .../hello-for-business/hello-how-it-works-authentication.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index c75524b41e..cb21e54fe3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -74,6 +74,9 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c |F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.| |G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.
The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.| +> [!IMPORTANT] +> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time. + ## Hybrid Azure AD join authentication using a Certificate ![Hybrid Azure AD join authentication using a Certificate](images/howitworks/auth-haadj-certtrust.png) @@ -87,3 +90,5 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c |F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.| |G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.
The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.| +> [!IMPORTANT] +> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller for the first time. From 754027d1713d097647ac5a04f2e311c71ed08d32 Mon Sep 17 00:00:00 2001 From: EfiKliger <45028856+EfiKliger@users.noreply.github.com> Date: Wed, 22 Jul 2020 10:36:11 +0300 Subject: [PATCH 08/18] Update indicator-certificates.md --- .../microsoft-defender-atp/indicator-certificates.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md index e0233b7ae1..a60e510583 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md @@ -18,7 +18,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Create indicators based on certificates (preview) +# Create indicators based on certificates **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -69,4 +69,4 @@ It's important to understand the following requirements prior to creating indica - [Create indicators](manage-indicators.md) - [Create indicators for files](indicator-file.md) - [Create indicators for IPs and URLs/domains](indicator-ip-domain.md) -- [Manage indicators](indicator-manage.md) \ No newline at end of file +- [Manage indicators](indicator-manage.md) From 812a6541eb0b0d9891c44d839fc88722b966c94f Mon Sep 17 00:00:00 2001 
From: Obi Eze Ajoku <62227226+linque1@users.noreply.github.com> Date: Wed, 22 Jul 2020 04:08:48 -0700 Subject: [PATCH 09/18] Change ownership contact Change ownership contact --- .../windows-endpoints-1903-non-enterprise-editions.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index 43a5191c6b..d7c0067220 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -8,11 +8,11 @@ ms.sitesec: library ms.localizationpriority: high audience: ITPro author: mikeedgar -ms.author: sanashar -manager: sanashar +ms.author: obezeajo +manager: robsize ms.collection: M365-security-compliance ms.topic: article -ms.date: 5/9/2019 +ms.date: 7/22/2019 --- # Windows 10, version 1903, connection endpoints for non-Enterprise editions From 1df43f5a2d58bf669c681d640e6f29a9867dbfd9 Mon Sep 17 00:00:00 2001 From: Obi Eze Ajoku <62227226+linque1@users.noreply.github.com> Date: Wed, 22 Jul 2020 04:10:23 -0700 Subject: [PATCH 10/18] Changed ownership contact Changed ownership contact --- windows/privacy/manage-windows-1903-endpoints.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index 9d9c6e8fe4..580f8b4425 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -7,12 +7,12 @@ ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: high audience: ITPro -author: danihalfin -ms.author: dansimp -manager: sanashar +author: obezeajo +ms.author: obezeajo +manager: robsize ms.collection: M365-security-compliance ms.topic: article -ms.date: 5/3/2019 +ms.date: 7/22/2020 --- # Manage connection endpoints for Windows 10 Enterprise, version 1903 
From 70b19905d84388325d3a784773989a42e928989a Mon Sep 17 00:00:00 2001 From: Obi Eze Ajoku <62227226+linque1@users.noreply.github.com> Date: Wed, 22 Jul 2020 04:11:24 -0700 Subject: [PATCH 11/18] Update windows-endpoints-1903-non-enterprise-editions.md --- .../privacy/windows-endpoints-1903-non-enterprise-editions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index d7c0067220..c4bb922fb2 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -12,7 +12,7 @@ ms.author: obezeajo manager: robsize ms.collection: M365-security-compliance ms.topic: article -ms.date: 7/22/2019 +ms.date: 7/22/2020 --- # Windows 10, version 1903, connection endpoints for non-Enterprise editions From 39b11c25f70498bfecd2e0af71ffc2d25faa2c93 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 22 Jul 2020 17:06:10 +0500 Subject: [PATCH 12/18] Licenses requirements update I have updated license requirements for Microsoft Defender Advanced Threat Protection. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/7094 --- .../microsoft-defender-atp/minimum-requirements.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index a5cadb6150..a6aa522490 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md 
@@ -42,6 +42,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr > [!NOTE] > Eligible Licensed Users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices. +> Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). When purchased via CSP it does not require Microsoft Volume Licensing offers listed. Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). From 95b3c018ce247f3780a727982db6b47b6ae33bc3 Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Wed, 22 Jul 2020 09:26:53 -0700 Subject: [PATCH 13/18] Update scheduled-catch-up-scans-microsoft-defender-antivirus.md added the below note under "Start scheduled scans only when the endpoint is not in use": These scans will not honor the CPU throttling configuration and take full advantage of the resources available to complete the scan as fast as possible. --- .../scheduled-catch-up-scans-microsoft-defender-antivirus.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md index a155de8626..8c3130a2e5 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md 
@@ -109,10 +109,13 @@ See the following for more information and allowed parameters: -## Start scheduled scans only when the endpoint is not in use +## tart scheduled scans only when the endpoint is not in use You can set the scheduled scan to only occur when the endpoint is turned on but not in use with Group Policy, PowerShell, or WMI. +> [!NOTE] +> These scans will not honor the CPU throttling configuration and take full advantage of the resources available to complete the scan as fast as possible. + **Use Group Policy to schedule scans** Location | Setting | Description | Default setting (if not configured) From 0e7e96ce2e860532f981594308dc497684146aca Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 22 Jul 2020 22:25:21 +0500 Subject: [PATCH 14/18] Update windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/minimum-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index a6aa522490..fa3813e24a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md 
@@ -42,7 +42,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr > [!NOTE] > Eligible Licensed Users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices. -> Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). When purchased via CSP it does not require Microsoft Volume Licensing offers listed. +> Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed. Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). From 22543b927dffbe1ff9fbaf272890451587c67c2e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 22 Jul 2020 22:25:36 +0500 Subject: [PATCH 15/18] Update windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/minimum-requirements.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index fa3813e24a..8e0bff785b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md 
@@ -45,7 +45,6 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr > Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed. -Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). Microsoft Defender Advanced Threat Protection, on Windows Server, requires one of the following licensing options: From d85cf19ae2f4cfbd1fbea823e32de1c5d7ceb643 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 22 Jul 2020 10:43:09 -0700 Subject: [PATCH 16/18] Update scheduled-catch-up-scans-microsoft-defender-antivirus.md --- ...h-up-scans-microsoft-defender-antivirus.md | 35 ++++++++----------- 1 file changed, 15 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md index 8c3130a2e5..ce7ad86555 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 12/10/2018 +ms.date: 07/22/2020 ms.reviewer: manager: dansimp --- 
@@ -71,7 +71,7 @@ Scheduled scans will run at the day and time you specify. You can use Group Poli >[!NOTE] >If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus will run a full scan at the next scheduled time. -**Use Group Policy to schedule scans:** +### Use Group Policy to schedule scans Location | Setting | Description | Default setting (if not configured) ---|---|---|--- @@ -80,7 +80,7 @@ Scan | Specify the day of the week to run a scheduled scan | Specify the day (or Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled -**Use PowerShell cmdlets to schedule scans:** +### Use PowerShell cmdlets to schedule scans Use the following cmdlets: @@ -94,7 +94,7 @@ Set-MpPreference -RandomizeScheduleTaskTimes See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. -**Use Windows Management Instruction (WMI) to schedule scans:** +### Use Windows Management Instruction (WMI) to schedule scans Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: @@ -109,20 +109,20 @@ See the following for more information and allowed parameters: -## tart scheduled scans only when the endpoint is not in use +## Start scheduled scans only when the endpoint is not in use You can set the scheduled scan to only occur when the endpoint is turned on but not in use with Group Policy, PowerShell, or WMI. > [!NOTE] > These scans will not honor the CPU throttling configuration and take full advantage of the resources available to complete the scan as fast as possible. -**Use Group Policy to schedule scans** +### Use Group Policy to schedule scans Location | Setting | Description | Default setting (if not configured) ---|---|---|--- Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled -**Use PowerShell cmdlets:** +### Use PowerShell cmdlets Use the following cmdlets: 
@@ -132,7 +132,7 @@ Set-MpPreference -ScanOnlyIfIdleEnabled See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. -**Use Windows Management Instruction (WMI):** +### Use Windows Management Instruction (WMI) Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: @@ -149,15 +149,14 @@ See the following for more information and allowed parameters: Some threats may require a full scan to complete their removal and remediation. You can schedule when these scans should occur with Group Policy, PowerShell, or WMI. - -**Use Group Policy to schedule remediation-required scans** +### Use Group Policy to schedule remediation-required scans Location | Setting | Description | Default setting (if not configured) ---|---|---|--- Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am -**Use PowerShell cmdlets:** +### Use PowerShell cmdlets Use the following cmdlets: 
@@ -168,7 +167,7 @@ Set-MpPreference -RemediationScheduleTime See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. -**Use Windows Management Instruction (WMI):** +### Use Windows Management Instruction (WMI) Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: @@ -188,14 +187,14 @@ See the following for more information and allowed parameters: You can enable a daily quick scan that can be run in addition to your other scheduled scans with Group Policy, PowerShell, or WMI. -**Use Group Policy to schedule daily scans:** +### Use Group Policy to schedule daily scans Location | Setting | Description | Default setting (if not configured) ---|---|---|--- Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am -**Use PowerShell cmdlets to schedule daily scans:** +### Use PowerShell cmdlets to schedule daily scans Use the following cmdlets: 
@@ -205,7 +204,7 @@ Set-MpPreference -ScanScheduleQuickTime See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. -**Use Windows Management Instruction (WMI) to schedule daily scans:** +### Use Windows Management Instruction (WMI) to schedule daily scans Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: @@ -222,16 +221,12 @@ See the following for more information and allowed parameters: You can force a scan to occur after every [protection update](manage-protection-updates-microsoft-defender-antivirus.md) with Group Policy. -**Use Group Policy to schedule scans after protection updates** +### Use Group Policy to schedule scans after protection updates Location | Setting | Description | Default setting (if not configured) ---|---|---|--- Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled - - - - ## Related topics From d0fac2280eab8a69909c8db30b03c6adfdfbba4c Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 22 Jul 2020 21:27:07 +0300 Subject: [PATCH 17/18] Update offboard-machines.md --- .../microsoft-defender-atp/offboard-machines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md index 61c0948f1c..682b701bc5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md 
@@ -43,5 +43,5 @@ Follow the corresponding instructions depending on your preferred deployment met - [Offboard non-Windows devices](configure-endpoints-non-windows.md#offboard-non-windows-devices) >[!NOTE] -> Offboarded devices will remain in the portal until [retention period](data-storage-privacy.md#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy) for the device's data will expire. The status will be switched to ['Inactive'](fix-unhealthy-sensors.md#inactive-devices) 7 days after offboarding. +> Offboarded devices will remain in the portal until [retention period](data-storage-privacy.md#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy) for the device's data expires. The status will be switched to ['Inactive'](fix-unhealthy-sensors.md#inactive-devices) 7 days after offboarding. > In addition, [Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's threat and vulnerability management exposure score and Microsoft Secure Score for Devices.](tvm-dashboard-insights.md) From b0aa842360f65a47516ce351c1f4ddef015e4816 Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 22 Jul 2020 21:37:07 +0300 Subject: [PATCH 18/18] Update offboard-machines.md Added a sentence about filtering --- .../microsoft-defender-atp/offboard-machines.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md index 682b701bc5..8303ff7803 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md 
@@ -43,5 +43,6 @@ Follow the corresponding instructions depending on your preferred deployment met - [Offboard non-Windows devices](configure-endpoints-non-windows.md#offboard-non-windows-devices) >[!NOTE] -> Offboarded devices will remain in the portal until [retention period](data-storage-privacy.md#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy) for the device's data expires. The status will be switched to ['Inactive'](fix-unhealthy-sensors.md#inactive-devices) 7 days after offboarding. -> In addition, [Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's threat and vulnerability management exposure score and Microsoft Secure Score for Devices.](tvm-dashboard-insights.md) +> Offboarded devices will remain in the portal until [retention period](data-storage-privacy.md#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy) for the device's data expires. The status will be switched to ['Inactive'](fix-unhealthy-sensors.md#inactive-devices) 7 days after offboarding.
+> In addition, [Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's threat and vulnerability management exposure score and Microsoft Secure Score for Devices.](tvm-dashboard-insights.md)
+> To view only active devices, you can filter by [health state](machines-view-overview.md#health-state) or by [device tags](machine-tags.md) and [groups](machine-groups.md) etc.
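Review bot: In the hunks at @@ -168,7 +167,7 @@ and @@ -205,7 +204,7 @@, the new headings keep the expansion "Windows Management Instruction (WMI)", but WMI stands for Windows Management Instrumentation. These lines are being rewritten as headings anyway, so correct the name in both, for example "### Use Windows Management Instrumentation (WMI) to schedule daily scans". Heading text also becomes the section anchor, so fixing it in a later commit would change the anchor again.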
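Review bot: In the hunk at @@ -222,16 +221,12 @@, the promoted heading says "protection updates" while the table row directly under it names the setting "Turn on scan after Security intelligence update" and describes it as a "protection update". Use one term across the heading, the setting name, and the description, or state once that they mean the same thing, so an administrator searching Group Policy for the setting can match it to this section.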
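Review bot: In the offboard-machines.md hunk at @@ -43,5 +43,5 @@, the corrected sentence fixes the tense but still reads "until [retention period](...) for the device's data expires" without an article; make it "until the retention period for the device's data expires". The unchanged line that follows wraps an entire sentence in link text and capitalizes "Devices" after "In addition,"; consider linking only a short phrase and lowercasing the word while this note is being edited.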
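Review bot: In the offboard-machines.md hunk at @@ -43,5 +43,6 @@, the added sentence ends with "and [groups](machine-groups.md) etc.", which leaves the reader guessing what other filters exist; name the filters explicitly, for example "filter by health state, device tags, or device groups", and drop "etc.". The two existing note lines are also removed and re-added with text that appears identical, which suggests a whitespace-only change; confirm it is intentional or drop it so the diff shows only the new sentence the commit message describes.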