deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-25 15:23:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #742 from MicrosoftDocs/public

Browse Source 
Public to private master merge
This commit is contained in:
Daniel Simpson
2019-07-23 12:17:38 -07:00
committed by GitHub
parent bcadb3aef6 57c0720185
commit 78c6f252d2
326 changed files with 3419 additions and 2601 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
windows/security/threat-protection/auditing/audit-application-generated.md
View File

@ -20,24 +20,22 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
Audit Application Generated generates events for actions related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx).
Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. |
| Member Server | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. |
| Workstation | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. |
**Events List:**
## 4665: An attempt was made to create an application client context.
- 4665: An attempt was made to create an application client context.
## 4666: An application attempted an operation.
- 4666: An application attempted an operation.
## 4667: An application client context was deleted.
## 4668: An application was initialized.
- 4667: An application client context was deleted.
- 4668: An application was initialized.

22
windows/security/threat-protection/auditing/audit-application-group-management.md
View File

@ -20,7 +20,6 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
Audit Application Group Management generates events for actions related to [application groups](https://technet.microsoft.com/library/cc771579.aspx), such as group creation, modification, addition or removal of group member and some other actions.
[Application groups](https://technet.microsoft.com/library/cc771579.aspx) are used by [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx).
@ -33,23 +32,22 @@ Audit Application Group Management subcategory is out of scope of this document,
| Member Server | - | - | - | - | This subcategory is outside the scope of this document. |
| Workstation | - | - | - | - | This subcategory is outside the scope of this document. |
## 4783(S): A basic application group was created.
- 4783(S): A basic application group was created.
## 4784(S): A basic application group was changed.
- 4784(S): A basic application group was changed.
## 4785(S): A member was added to a basic application group.
- 4785(S): A member was added to a basic application group.
## 4786(S): A member was removed from a basic application group.
- 4786(S): A member was removed from a basic application group.
## 4787(S): A non-member was added to a basic application group.
- 4787(S): A non-member was added to a basic application group.
## 4788(S): A non-member was removed from a basic application group.
- 4788(S): A non-member was removed from a basic application group.
## 4789(S): A basic application group was deleted.
- 4789(S): A basic application group was deleted.
## 4790(S): An LDAP query group was created.
- 4790(S): An LDAP query group was created.
## 4791(S): An LDAP query group was changed.
## 4792(S): An LDAP query group was deleted.
- 4791(S): An LDAP query group was changed.
- 4792(S): An LDAP query group was deleted.

64
windows/security/threat-protection/auditing/audit-certification-services.md
View File

@ -20,7 +20,6 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed.
Examples of AD CS operations include:
@ -59,65 +58,64 @@ Role-specific subcategories are outside the scope of this document.
| Member Server | IF | IF | IF | IF | IF if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
| Workstation | No | No | No | No | [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) role cannot be installed on client OS. |
## 4868: The certificate manager denied a pending certificate request.
- 4868: The certificate manager denied a pending certificate request.
## 4869: Certificate Services received a resubmitted certificate request.
- 4869: Certificate Services received a resubmitted certificate request.
## 4870: Certificate Services revoked a certificate.
- 4870: Certificate Services revoked a certificate.
## 4871: Certificate Services received a request to publish the certificate revocation list (CRL).
- 4871: Certificate Services received a request to publish the certificate revocation list (CRL).
## 4872: Certificate Services published the certificate revocation list (CRL).
- 4872: Certificate Services published the certificate revocation list (CRL).
## 4873: A certificate request extension changed.
- 4873: A certificate request extension changed.
## 4874: One or more certificate request attributes changed.
- 4874: One or more certificate request attributes changed.
## 4875: Certificate Services received a request to shut down.
- 4875: Certificate Services received a request to shut down.
## 4876: Certificate Services backup started.
- 4876: Certificate Services backup started.
## 4877: Certificate Services backup completed.
- 4877: Certificate Services backup completed.
## 4878: Certificate Services restore started.
- 4878: Certificate Services restore started.
## 4879: Certificate Services restore completed.
- 4879: Certificate Services restore completed.
## 4880: Certificate Services started.
- 4880: Certificate Services started.
## 4881: Certificate Services stopped.
- 4881: Certificate Services stopped.
## 4882: The security permissions for Certificate Services changed.
- 4882: The security permissions for Certificate Services changed.
## 4883: Certificate Services retrieved an archived key.
- 4883: Certificate Services retrieved an archived key.
## 4884: Certificate Services imported a certificate into its database.
- 4884: Certificate Services imported a certificate into its database.
## 4885: The audit filter for Certificate Services changed.
- 4885: The audit filter for Certificate Services changed.
## 4886: Certificate Services received a certificate request.
- 4886: Certificate Services received a certificate request.
## 4887: Certificate Services approved a certificate request and issued a certificate.
- 4887: Certificate Services approved a certificate request and issued a certificate.
## 4888: Certificate Services denied a certificate request.
- 4888: Certificate Services denied a certificate request.
## 4889: Certificate Services set the status of a certificate request to pending.
- 4889: Certificate Services set the status of a certificate request to pending.
## 4890: The certificate manager settings for Certificate Services changed.
- 4890: The certificate manager settings for Certificate Services changed.
## 4891: A configuration entry changed in Certificate Services.
- 4891: A configuration entry changed in Certificate Services.
## 4892: A property of Certificate Services changed.
- 4892: A property of Certificate Services changed.
## 4893: Certificate Services archived a key.
- 4893: Certificate Services archived a key.
## 4894: Certificate Services imported and archived a key.
- 4894: Certificate Services imported and archived a key.
## 4895: Certificate Services published the CA certificate to Active Directory Domain Services.
- 4895: Certificate Services published the CA certificate to Active Directory Domain Services.
## 4896: One or more rows have been deleted from the certificate database.
- 4896: One or more rows have been deleted from the certificate database.
## 4897: Role separation enabled.
## 4898: Certificate Services loaded a template.
- 4897: Role separation enabled.
- 4898: Certificate Services loaded a template.

46
windows/security/threat-protection/auditing/audit-distribution-group-management.md
View File

@ -20,7 +20,6 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks.
This subcategory generates events only on domain controllers.
@ -29,47 +28,46 @@ This subcategory generates events only on domain controllers.
This subcategory allows you to audit events generated by changes to distribution groups such as the following:
- Distribution group is created, changed, or deleted.
- Distribution group is created, changed, or deleted.
- Member is added or removed from a distribution group.
- Member is added or removed from a distribution group.
If you need to monitor for group type changes, you need to monitor for “[4764](event-4764.md): A groups type was changed.” “Audit Security Group Management” subcategory success auditing must be enabled.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF - Typically actions related to distribution groups have low security relevance, much more important to monitor Security Group changes. But if you want to monitor for critical distribution groups changes, such as member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing.<br>Typically volume of these events is low on domain controllers.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. |
| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. |
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | No | IF | No | IF - Typically, actions related to distribution groups have low security relevance. It is much more important to monitor Security Group changes. However, if you want to monitor for critical distribution groups changes, such as if a member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing.<br>Typically, volume of these events is low on domain controllers.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. |
| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. |
**Events List:**
- [4749](event-4749.md)(S): A security-disabled global group was created.
- [4749](event-4749.md)(S): A security-disabled global group was created.
- [4750](event-4750.md)(S): A security-disabled global group was changed.
- [4750](event-4750.md)(S): A security-disabled global group was changed.
- [4751](event-4751.md)(S): A member was added to a security-disabled global group.
- [4751](event-4751.md)(S): A member was added to a security-disabled global group.
- [4752](event-4752.md)(S): A member was removed from a security-disabled global group.
- [4752](event-4752.md)(S): A member was removed from a security-disabled global group.
- [4753](event-4753.md)(S): A security-disabled global group was deleted.
- [4753](event-4753.md)(S): A security-disabled global group was deleted.
**4759(S): A security-disabled universal group was created.** See event “[4749](event-4749.md): A security-disabled global group was created. Event 4759 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4759(S): A security-disabled universal group was created. See event _[4749](event-4749.md): A security-disabled global group was created._ Event 4759 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4760(S): A security-disabled universal group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed. Event 4760 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4760(S): A security-disabled universal group was changed. See event _[4750](event-4750.md): A security-disabled global group was changed._ Event 4760 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4761(S): A member was added to a security-disabled universal group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group. Event 4761 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4761(S): A member was added to a security-disabled universal group. See event _[4751](event-4751.md): A member was added to a security-disabled global group._ Event 4761 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4762(S): A member was removed from a security-disabled universal group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group. Event 4762 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4762(S): A member was removed from a security-disabled universal group. See event _[4752](event-4752.md): A member was removed from a security-disabled global group._ Event 4762 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4763(S): A security-disabled universal group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted. Event 4763 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4763(S): A security-disabled universal group was deleted. See event _[4753](event-4753.md): A security-disabled global group was deleted._ Event 4763 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4744(S): A security-disabled local group was created.** See event “[4749](event-4749.md): A security-disabled global group was created. Event 4744 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4744(S): A security-disabled local group was created. See event _[4749](event-4749.md): A security-disabled global group was created._ Event 4744 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4745(S): A security-disabled local group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed. Event 4745 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4745(S): A security-disabled local group was changed. See event _[4750](event-4750.md): A security-disabled global group was changed._ Event 4745 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4746(S): A member was added to a security-disabled local group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group. Event 4746 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4746(S): A member was added to a security-disabled local group. See event _[4751](event-4751.md): A member was added to a security-disabled global group._ Event 4746 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4747(S): A member was removed from a security-disabled local group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group. Event 4747 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4748(S): A security-disabled local group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted.” Event 4748 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4747(S): A member was removed from a security-disabled local group. See event _[4752](event-4752.md): A member was removed from a security-disabled global group._ Event 4747 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4748(S): A security-disabled local group was deleted. See event _[4753](event-4753.md): A security-disabled global group was deleted._ Event 4748 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

90
windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
View File

@ -20,16 +20,15 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) (WFP), such as the following:
- IPsec services status.
- IPsec services status.
- Changes to IPsec policy settings.
- Changes to IPsec policy settings.
- Changes to Windows Filtering Platform Base Filtering Engine policy settings.
- Changes to Windows Filtering Platform Base Filtering Engine policy settings.
- Changes to WFP providers and engine.
- Changes to WFP providers and engine.
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
@ -41,83 +40,82 @@ This subcategory is outside the scope of this document.
| Member Server | - | - | - | - | This subcategory is outside the scope of this document. |
| Workstation | - | - | - | - | This subcategory is outside the scope of this document. |
## 4709(S): IPsec Services was started.
- 4709(S): IPsec Services was started.
## 4710(S): IPsec Services was disabled.
- 4710(S): IPsec Services was disabled.
## 4711(S): May contain any one of the following:
- 4711(S): May contain any one of the following:
## 4712(F): IPsec Services encountered a potentially serious failure.
- 4712(F): IPsec Services encountered a potentially serious failure.
## 5040(S): A change has been made to IPsec settings. An Authentication Set was added.
- 5040(S): A change has been made to IPsec settings. An Authentication Set was added.
## 5041(S): A change has been made to IPsec settings. An Authentication Set was modified.
- 5041(S): A change has been made to IPsec settings. An Authentication Set was modified.
## 5042(S): A change has been made to IPsec settings. An Authentication Set was deleted.
- 5042(S): A change has been made to IPsec settings. An Authentication Set was deleted.
## 5043(S): A change has been made to IPsec settings. A Connection Security Rule was added.
- 5043(S): A change has been made to IPsec settings. A Connection Security Rule was added.
## 5044(S): A change has been made to IPsec settings. A Connection Security Rule was modified.
- 5044(S): A change has been made to IPsec settings. A Connection Security Rule was modified.
## 5045(S): A change has been made to IPsec settings. A Connection Security Rule was deleted.
- 5045(S): A change has been made to IPsec settings. A Connection Security Rule was deleted.
## 5046(S): A change has been made to IPsec settings. A Crypto Set was added.
- 5046(S): A change has been made to IPsec settings. A Crypto Set was added.
## 5047(S): A change has been made to IPsec settings. A Crypto Set was modified.
- 5047(S): A change has been made to IPsec settings. A Crypto Set was modified.
## 5048(S): A change has been made to IPsec settings. A Crypto Set was deleted.
- 5048(S): A change has been made to IPsec settings. A Crypto Set was deleted.
## 5440(S): The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
- 5440(S): The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
## 5441(S): The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
- 5441(S): The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
## 5442(S): The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
- 5442(S): The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
## 5443(S): The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
- 5443(S): The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
## 5444(S): The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
- 5444(S): The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
## 5446(S): A Windows Filtering Platform callout has been changed.
- 5446(S): A Windows Filtering Platform callout has been changed.
## 5448(S): A Windows Filtering Platform provider has been changed.
- 5448(S): A Windows Filtering Platform provider has been changed.
## 5449(S): A Windows Filtering Platform provider context has been changed.
- 5449(S): A Windows Filtering Platform provider context has been changed.
## 5450(S): A Windows Filtering Platform sub-layer has been changed.
- 5450(S): A Windows Filtering Platform sub-layer has been changed.
## 5456(S): PAStore Engine applied Active Directory storage IPsec policy on the computer.
- 5456(S): PAStore Engine applied Active Directory storage IPsec policy on the computer.
## 5457(F): PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
- 5457(F): PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
## 5458(S): PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
- 5458(S): PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
## 5459(F): PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
- 5459(F): PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
## 5460(S): PAStore Engine applied local registry storage IPsec policy on the computer.
- 5460(S): PAStore Engine applied local registry storage IPsec policy on the computer.
## 5461(F): PAStore Engine failed to apply local registry storage IPsec policy on the computer.
- 5461(F): PAStore Engine failed to apply local registry storage IPsec policy on the computer.
## 5462(F): PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
- 5462(F): PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
## 5463(S): PAStore Engine polled for changes to the active IPsec policy and detected no changes.
- 5463(S): PAStore Engine polled for changes to the active IPsec policy and detected no changes.
## 5464(S): PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
- 5464(S): PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
## 5465(S): PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
- 5465(S): PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
## 5466(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
- 5466(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
## 5467(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
- 5467(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
## 5468(S): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
- 5468(S): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
## 5471(S): PAStore Engine loaded local storage IPsec policy on the computer.
- 5471(S): PAStore Engine loaded local storage IPsec policy on the computer.
## 5472(F): PAStore Engine failed to load local storage IPsec policy on the computer.
- 5472(F): PAStore Engine failed to load local storage IPsec policy on the computer.
## 5473(S): PAStore Engine loaded directory storage IPsec policy on the computer.
- 5473(S): PAStore Engine loaded directory storage IPsec policy on the computer.
## 5474(F): PAStore Engine failed to load directory storage IPsec policy on the computer.
## 5477(F): PAStore Engine failed to add quick mode filter.
- 5474(F): PAStore Engine failed to load directory storage IPsec policy on the computer.
- 5477(F): PAStore Engine failed to add quick mode filter.

14
windows/security/threat-protection/auditing/audit-handle-manipulation.md
View File

@ -20,24 +20,20 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows objects handle duplication and close actions.
**Event volume**: High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
| Member Server | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
| Workstation | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
**Events List:**
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4690](event-4690.md)(S): An attempt was made to duplicate a handle to an object.
## 4658(S): The handle to an object was closed.
This event doesnt generate in this subcategory, but you can use this subcategory to enable it. For a description of the event, see “[4658](event-4658.md)(S): The handle to an object was closed” in the Audit File System subcategory.
- [4690](event-4690.md)(S): An attempt was made to duplicate a handle to an object.
- 4658(S): The handle to an object was closed. For a description of the event, see _[4658](event-4658.md)(S): The handle to an object was closed._ in the Audit File System subcategory. This event doesnt generate in the Audit Handle Manipulation subcategory, but you can use this subcategory to enable it.

30
windows/security/threat-protection/auditing/audit-ipsec-driver.md
View File

@ -20,7 +20,6 @@ ms.date: 10/02/2018
- Windows 10
- Windows Server 2016
Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following:
- Startup and shutdown of the IPsec services.
@ -37,9 +36,11 @@ Audit IPsec Driver allows you to audit events generated by IPSec driver such as
A high rate of packet drops by the IPsec filter driver may indicate attempts to gain access to the network by unauthorized systems.
Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter.
Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter. This subcategory is outside the scope of this document.
This subcategory is outside the scope of this document.
**Event volume:** Medium
**Default:** Not configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
@ -47,25 +48,26 @@ This subcategory is outside the scope of this document.
| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
## 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
**Events List:**
## 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
- 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
## 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
- 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
## 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
- 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
## 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
- 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
## 5478(S): IPsec Services has started successfully.
- 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
## 5479(S): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
- 5478(S): IPsec Services has started successfully.
## 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
- 5479(S): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
## 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started.
- 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
## 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
- 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started.
## 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
- 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
- 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

19
windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
View File

@ -25,23 +25,22 @@ Audit IPsec Extended Mode allows you to audit events generated by Internet Key E
Audit IPsec Extended Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Extended Mode troubleshooting.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
## 4978(S): During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
- 4978(S): During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
## 4979(S): IPsec Main Mode and Extended Mode security associations were established.
- 4979(S): IPsec Main Mode and Extended Mode security associations were established.
## 4980(S): IPsec Main Mode and Extended Mode security associations were established.
- 4980(S): IPsec Main Mode and Extended Mode security associations were established.
## 4981(S): IPsec Main Mode and Extended Mode security associations were established.
- 4981(S): IPsec Main Mode and Extended Mode security associations were established.
## 4982(S): IPsec Main Mode and Extended Mode security associations were established.
- 4982(S): IPsec Main Mode and Extended Mode security associations were established.
## 4983(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
## 4984(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
- 4983(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
- 4984(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.

24
windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
View File

@ -20,32 +20,30 @@ ms.date: 10/02/2018
- Windows 10
- Windows Server 2016
Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
Audit IPsec Main Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Main Mode troubleshooting.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------|
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
## 4646(S): Security ID: %1
- 4646(S): Security ID: %1
## 4650(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
- 4650(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
## 4651(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
- 4651(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
## 4652(F): An IPsec Main Mode negotiation failed.
- 4652(F): An IPsec Main Mode negotiation failed.
## 4653(F): An IPsec Main Mode negotiation failed.
- 4653(F): An IPsec Main Mode negotiation failed.
## 4655(S): An IPsec Main Mode security association ended.
- 4655(S): An IPsec Main Mode security association ended.
## 4976(S): During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
- 4976(S): During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
## 5049(S): An IPsec Security Association was deleted.
## 5453(S): An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
- 5049(S): An IPsec Security Association was deleted.
- 5453(S): An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.

12
windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
View File

@ -20,20 +20,18 @@ ms.date: 10/02/2018
- Windows 10
- Windows Server 2016
Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
Audit IPsec Quick Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Quick Mode troubleshooting.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------|
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
## 4977(S): During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
- 4977(S): During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
## 5451(S): An IPsec Quick Mode security association was established.
## 5452(S): An IPsec Quick Mode security association ended.
- 5451(S): An IPsec Quick Mode security association was established.
- 5452(S): An IPsec Quick Mode security association ended.

26
windows/security/threat-protection/auditing/audit-network-policy-server.md
View File

@ -20,7 +20,6 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
If you configure this subcategory, an audit event is generated for each IAS and NAP user access request.
@ -33,27 +32,26 @@ NAP events can be used to help understand the overall health of the network.
Role-specific subcategories are outside the scope of this document.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF if a server has the [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
| Member Server | IF | IF | IF | IF | IF if a server has the [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
| Workstation | No | No | No | No | [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role cannot be installed on client OS. |
| Workstation | No | No | No | No | [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role cannot be installed on client OS. |
## 6272: Network Policy Server granted access to a user.
- 6272: Network Policy Server granted access to a user.
## 6273: Network Policy Server denied access to a user.
- 6273: Network Policy Server denied access to a user.
## 6274: Network Policy Server discarded the request for a user.
- 6274: Network Policy Server discarded the request for a user.
## 6275: Network Policy Server discarded the accounting request for a user.
- 6275: Network Policy Server discarded the accounting request for a user.
## 6276: Network Policy Server quarantined a user.
- 6276: Network Policy Server quarantined a user.
## 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
- 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
## 6278: Network Policy Server granted full access to a user because the host met the defined health policy.
- 6278: Network Policy Server granted full access to a user because the host met the defined health policy.
## 6279: Network Policy Server locked the user account due to repeated failed authentication attempts.
## 6280: Network Policy Server unlocked the user account.
- 6279: Network Policy Server locked the user account due to repeated failed authentication attempts.
- 6280: Network Policy Server unlocked the user account.

82
windows/security/threat-protection/auditing/audit-security-group-management.md
View File

@ -20,78 +20,86 @@ ms.date: 02/28/2019
- Windows 10
- Windows Server 2016
Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed.
**Event volume**: Low.
This subcategory allows you to audit events generated by changes to security groups such as the following:
- Security group is created, changed, or deleted.
- Security group is created, changed, or deleted.
- Member is added or removed from a security group.
- Member is added or removed from a security group.
- Group type is changed.
- Group type is changed.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.|
| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.|
| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.|
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4731](event-4731.md)(S): A security-enabled local group was created.
- [4731](event-4731.md)(S): A security-enabled local group was created.
- [4732](event-4732.md)(S): A member was added to a security-enabled local group.
- [4732](event-4732.md)(S): A member was added to a security-enabled local group.
- [4733](event-4733.md)(S): A member was removed from a security-enabled local group.
- [4733](event-4733.md)(S): A member was removed from a security-enabled local group.
- [4734](event-4734.md)(S): A security-enabled local group was deleted.
- [4734](event-4734.md)(S): A security-enabled local group was deleted.
- [4735](event-4735.md)(S): A security-enabled local group was changed.
- [4735](event-4735.md)(S): A security-enabled local group was changed.
- [4764](event-4764.md)(S): A groups type was changed.
- [4764](event-4764.md)(S): A groups type was changed.
- [4799](event-4799.md)(S): A security-enabled local group membership was enumerated.
- [4799](event-4799.md)(S): A security-enabled local group membership was enumerated.
**4727(S): A security-enabled global group was created.** See event “[4731](event-4731.md): A security-enabled local group was created. Event 4727 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4727(S): A security-enabled global group was created. See event _[4731](event-4731.md): A security-enabled local group was created._ Event 4727 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
> [!IMPORTANT]
> Event 4727(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
**4737(S): A security-enabled global group was changed.** See event “[4735](event-4735.md): A security-enabled local group was changed. Event 4737 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4737(S): A security-enabled global group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4737 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
> [!IMPORTANT]
> Event 4737(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
**4728(S): A member was added to a security-enabled global group.** See event “[4732](event-4732.md): A member was added to a security-enabled local group. Event 4728 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4728(S): A member was added to a security-enabled global group. See event _[4732](event-4732.md): A member was added to a security-enabled local group._ Event 4728 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
> [!IMPORTANT]
> Event 4728(S) generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
**4729(S): A member was removed from a security-enabled global group.** See event “[4733](event-4733.md): A member was removed from a security-enabled local group. Event 4729 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4729(S): A member was removed from a security-enabled global group. See event _[4733](event-4733.md): A member was removed from a security-enabled local group._ Event 4729 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
> [!IMPORTANT]
> Event 4729(S) generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
**4730(S): A security-enabled global group was deleted.** See event “[4734](event-4734.md): A security-enabled local group was deleted. Event 4730 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4730(S): A security-enabled global group was deleted. See event _[4734](event-4734.md): A security-enabled local group was deleted._ Event 4730 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
> [!IMPORTANT]
> Event 4730(S) generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
**4754(S): A security-enabled universal group was created.** See event “[4731](event-4731.md): A security-enabled local group was created.”. Event 4754 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4754(S): A security-enabled universal group was created. See event _[4731](event-4731.md): A security-enabled local group was created._ Event 4754 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
> [!IMPORTANT]
> Event 4754(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
**4755(S): A security-enabled universal group was changed.** See event “[4735](event-4735.md): A security-enabled local group was changed.”. Event 4737 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4737 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
> [!IMPORTANT]
> Event 4755(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
**4756(S): A member was added to a security-enabled universal group.** See event “[4732](event-4732.md): A member was added to a security-enabled local group.”. Event 4756 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4756(S): A member was added to a security-enabled universal group. See event _[4732](event-4732.md): A member was added to a security-enabled local group._ Event 4756 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
> [!IMPORTANT]
> Event 4756(S) generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
**4757(S): A member was removed from a security-enabled universal group.** See event “[4733](event-4733.md): A member was removed from a security-enabled local group.”. Event 4757 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4757(S): A member was removed from a security-enabled universal group. See event _[4733](event-4733.md): A member was removed from a security-enabled local group._ Event 4757 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
> [!IMPORTANT]
> Event 4757(S) generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
**4758(S): A security-enabled universal group was deleted.** See event “[4734](event-4734.md): A security-enabled local group was deleted.”. Event 4758 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
- 4758(S): A security-enabled universal group was deleted. See event _[4734](event-4734.md): A security-enabled local group was deleted._ Event 4758 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
>[!IMPORTANT]
> Event 4758(S) generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.

3
windows/security/threat-protection/auditing/audit-security-state-change.md
View File

@ -39,5 +39,6 @@ Audit Security State Change contains Windows startup, recovery, and shutdown eve
- [4621](event-4621.md)(S): Administrator recovered system from CrashOnAuditFail.
>**Note**&nbsp;&nbsp;Event **4609(S): Windows is shutting down** currently doesnt generate. It is a defined event, but it is never invoked by the operating system.
>[!NOTE]
>Event **4609(S): Windows is shutting down** doesn't currently generate. It is a defined event, but it is never invoked by the operating system.

3
windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
View File

@ -71,6 +71,7 @@ If you configure this policy setting, an audit event is generated when sensitive
- [4985](event-4985.md)(S): The state of a transaction has changed.
>**Note**&nbsp;&nbsp;For some reason event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory generates also in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory.
>[!NOTE]
> The event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory also generates in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory.

4
windows/security/threat-protection/intelligence/macro-malware.md
View File

@ -45,4 +45,6 @@ We've seen macro malware download threats from the following families:
* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#enable-and-audit-attack-surface-reduction-rules)
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md).
For more general tips, see [prevent malware infection](prevent-malware-infection.md).

11
windows/security/threat-protection/intelligence/safety-scanner-download.md
View File

@ -23,13 +23,16 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from
- [Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732)
> **NOTE** The security intelligence update version of the Microsoft Safety Scaner matches the version described [in this web page](https://www.microsoft.com/en-us/wdsi/definitions).
> [!NOTE]
> The security intelligence update version of the Microsoft Safety Scanner matches the version described [in this web page](https://www.microsoft.com/en-us/wdsi/definitions).
Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan.
> **NOTE:** This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection).
>
> **NOTE:** Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
> [!NOTE]
> This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection).
> [!NOTE]
> Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
## System requirements

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
View File

@ -37,7 +37,7 @@ The following best practices serve as a guideline of query performance best prac
- When joining between two tables, project only needed columns from both sides of the join.
>[!Tip]
>For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/en-us/azure/kusto/query/best-practices).
>For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/azure/kusto/query/best-practices).
## Query tips and pitfalls

2
windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
View File

@ -48,7 +48,7 @@ The goal is to remediate the issues in the security recommendations list to impr
- **Related component** — **Accounts**, **Application**, **Network**, **OS**, or **Security controls**
- **Remediation type** — **Configuration change** or **Software update**
See how you can [improve your security configuration](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details.
See how you can [improve your security configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details.
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)

2
windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
View File

@ -33,7 +33,7 @@ You need to make sure that all your devices are enrolled in Intune. You can use
- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune]https://docs.microsoft.com/intune/quickstart-enroll-windows-device)
- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune/quickstart-enroll-windows-device)
- End-user alternative: For more information on joining an Azure AD domain, see [How to: Plan your Azure AD join implementation](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan).

8
windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
View File

@ -47,7 +47,7 @@ You can create rules that determine the machines and alert severities to send em
2. Click **Add notification rule**.
3. Specify the General information:
3. Specify the General information:
- **Rule name** - Specify a name for the notification rule.
- **Include organization name** - Specify the customer name that appears on the email notification.
- **Include tenant-specific portal link** - Adds a link with the tenant ID to allow access to a specific tenant.
@ -93,9 +93,9 @@ This section lists various issues that you may encounter when using email notifi
**Solution:** Make sure that the notifications are not blocked by email filters:
1. Check that the Microsoft Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk.
2. Check that your email security product is not blocking the email notifications from Microsoft Defender ATP.
3. Check your email application rules that might be catching and moving your Microsoft Defender ATP email notifications.
1. Check that the Microsoft Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk.
2. Check that your email security product is not blocking the email notifications from Microsoft Defender ATP.
3. Check your email application rules that might be catching and moving your Microsoft Defender ATP email notifications.
## Related topics
- [Update data retention settings](data-retention-settings.md)

26
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
View File

@ -46,7 +46,7 @@ ms.date: 04/24/2018
d. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
@ -98,7 +98,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.
@ -108,21 +108,21 @@ For security reasons, the package used to Offboard machines will expire 30 days
d. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account (BUILTIN\SYSTEM) under **Security options**.
6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account (BUILTIN\SYSTEM) under **Security options**.
7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check-box.
7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check-box.
8. Go to the **Actions** tab and click **New...**. Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* file.
8. Go to the **Actions** tab and click **New...**. Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* file.
9. Click **OK** and close any open GPMC windows.
9. Click **OK** and close any open GPMC windows.
> [!IMPORTANT]
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
@ -132,9 +132,9 @@ For security reasons, the package used to Offboard machines will expire 30 days
With Group Policy there isnt an option to monitor deployment of policies on the machines. Monitoring can be done directly on the portal, or by using the different deployment tools.
## Monitor machines using the portal
1. Go to [Microsoft Defender Security Center](https://securitycenter.windows.com/).
2. Click **Machines list**.
3. Verify that machines are appearing.
1. Go to [Microsoft Defender Security Center](https://securitycenter.windows.com/).
2. Click **Machines list**.
3. Verify that machines are appearing.
> [!NOTE]
> It can take several days for machines to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the machine, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.

4
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
View File

@ -103,7 +103,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.
@ -113,7 +113,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
d. Click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs) topic.

10
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
View File

@ -93,7 +93,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.
@ -103,7 +103,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
d. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machines. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machines. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open an elevated command-line prompt on the machine and run the script:
@ -127,11 +127,11 @@ You can follow the different verification steps in the [Troubleshoot onboarding
Monitoring can also be done directly on the portal, or by using the different deployment tools.
### Monitor machines using the portal
1. Go to Microsoft Defender Security Center.
1. Go to Microsoft Defender Security Center.
2. Click **Machines list**.
2. Click **Machines list**.
3. Verify that machines are appearing.
3. Verify that machines are appearing.
## Related topics

4
windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
View File

@ -65,11 +65,11 @@ From the overview, create a configuration profile specifically for the deploymen
3. After creating the profile, assign it to all your machines. You can review profiles and their deployment status anytime by accessing **Device configuration > Profiles** on Intune.
![Profile assignment screen screen on Intune](images/secconmgmt_onboarding_3assignprofile.png)<br>
![Profile assignment screen on Intune](images/secconmgmt_onboarding_3assignprofile.png)<br>
*Assigning the new agent profile to all machines*
>[!TIP]
>To learn more about Intune profiles, read [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-profile-assign).
>To learn more about Intune profiles, read [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/intune/device-profile-assign).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)

6
windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
View File

@ -47,13 +47,13 @@ In doing so, you benefit from:
Machine configuration management works closely with Intune device management to establish the inventory of the machines in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 machines.
Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-enroll).
Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll).
>[!NOTE]
>To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/en-us/intune/licenses-assign).
>To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign).
>[!TIP]
>To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
>To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
## Known issues and limitations in this preview
During preview, you might encounter a few known limitations:

1
windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
View File

@ -172,6 +172,7 @@ If at least one of the connectivity options returns a (200) status, then the Mic
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure.
> [!NOTE]
> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
> When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy.
## Related topics

8
windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
View File

@ -104,14 +104,14 @@ The following steps are required to enable this integration:
### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
- [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup) <br>
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
Once completed, you should see onboarded servers in the portal within an hour.
@ -149,7 +149,7 @@ Supported tools include:
1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
2. If youre running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
2. If youre running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
a. Set the following registry entry:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`

10
windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
View File

@ -28,13 +28,13 @@ Create custom detection rules from [Advanced hunting](overview-hunting.md) queri
>[!NOTE]
>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
1. In the navigation pane, select **Advanced hunting**.
1. In the navigation pane, select **Advanced hunting**.
2. Select an existing query that you'd like to base the monitor on or create a new query.
2. Select an existing query that you'd like to base the monitor on or create a new query.
3. Select **Create detection rule**.
3. Select **Create detection rule**.
4. Specify the alert details:
4. Specify the alert details:
- Alert title
- Severity
@ -42,7 +42,7 @@ Create custom detection rules from [Advanced hunting](overview-hunting.md) queri
- Description
- Recommended actions
5. Click **Create**.
5. Click **Create**.
> [!TIP]
> TIP #1: Running the query for the first time before saving it can help you find any mistakes or errors and give you a preview of the data you can expect to be returned.<br>

6
windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md
View File

@ -141,11 +141,11 @@ This step will guide you in simulating an event in connection to a malicious IP
## Step 4: Explore the custom alert in the portal
This step will guide you in exploring the custom alert in the portal.
1. Open [Microsoft Defender Security Center](http://securitycenter.windows.com/) on a browser.
1. Open [Microsoft Defender Security Center](http://securitycenter.windows.com/) on a browser.
2. Log in with your Microsoft Defender ATP credentials.
2. Log in with your Microsoft Defender ATP credentials.
3. The dashboard should display the custom TI alert for the victim machine resulting from the simulated attack.
3. The dashboard should display the custom TI alert for the victim machine resulting from the simulated attack.
![Image of sample custom ti alert in the portal](images/atp-sample-custom-ti-alert.png)

2
windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
View File

@ -83,7 +83,7 @@ Use the slider or the range selector to quickly specify a time period that you w
## Deep analysis
The **Deep analysis** tab allows you to [submit the file for deep analysis](respond-file-alerts.md#deep-analysis), to uncover more details about the the file's behavior, as well as the effect it is having within your organizations. After you submit the file, the deep analysis report will appear in this tab once results are available. If deep analysis did not find anything, the report will be empty and the results space will remain blank.
The **Deep analysis** tab allows you to [submit the file for deep analysis](respond-file-alerts.md#deep-analysis), to uncover more details about the file's behavior, as well as the effect it is having within your organizations. After you submit the file, the deep analysis report will appear in this tab once results are available. If deep analysis did not find anything, the report will be empty and the results space will remain blank.
![Image of deep analysis tab](images/submit-file.png)

36
windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
View File

@ -130,25 +130,25 @@ For more information, see [Create a Power BI dashboard from a report](https://po
You can create a custom dashboard in Power BI Desktop to create visualizations that cater to the specific views that your organization requires.
### Before you begin
1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/).
1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/).
2. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Power BI reports**.
2. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Power BI reports**.
![Image of settings Power BI reports](images/atp-settings-powerbi.png)
3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it.
3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it.
![Settings with download connector button](images/atp-download-connector.png)
4. Create a new directory `Microsoft Power BI Desktop\Custom Connectors` under the user's Documents folder.
4. Create a new directory `Microsoft Power BI Desktop\Custom Connectors` under the user's Documents folder.
5. Copy WDATPDataConnector.mez from the zip to the directory you just created.
5. Copy WDATPDataConnector.mez from the zip to the directory you just created.
6. Open Power BI Desktop.
6. Open Power BI Desktop.
7. Click **File** > **Options and settings** > **Custom data connectors**.
7. Click **File** > **Options and settings** > **Custom data connectors**.
8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**.
8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**.
>[!NOTE]
>If you are using Power BI Desktop July 2017 version (or later), you won't need to select **New table and matrix visuals**. You'll only need to select **Custom data connectors**.
@ -160,36 +160,36 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t
## Customize the Microsoft Defender ATP Power BI dashboard
After completing the steps in the Before you begin section, you can proceed with building your custom dashboard.
1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop.
1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop.
2. If this is the first time youre using Power BI with Microsoft Defender ATP, youll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, youre allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.
2. If this is the first time youre using Power BI with Microsoft Defender ATP, youll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, youre allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.
![Consent image](images/atp-powerbi-consent.png)
3. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
3. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
## Mashup Microsoft Defender ATP data with other data sources
You can use Power BI Desktop to analyse data from Microsoft Defender ATP and mash that data up with other data sources to gain better security perspective in your organization.
1. In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Microsoft Defender Advanced Threat Protection**.
1. In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Microsoft Defender Advanced Threat Protection**.
2. Click **Connect**.
3. On the Preview Connector windows, click **Continue**.
3. On the Preview Connector windows, click **Continue**.
4. If this is the first time youre using Power BI with Microsoft Defender ATP, youll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, youre allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.
4. If this is the first time youre using Power BI with Microsoft Defender ATP, youll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, youre allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.
![Consent image](images/atp-powerbi-consent.png)
5. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
5. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
6. In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph.
6. In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph.
7. Load other data sources by clicking **Get data item** in the Home ribbon, and select another data source.
7. Load other data sources by clicking **Get data item** in the Home ribbon, and select another data source.
8. Add visuals and select fields from the available data sources.
8. Add visuals and select fields from the available data sources.
## Using the Power BI reports
There are a couple of tabs on the report that's generated:

2
windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
View File

@ -173,7 +173,7 @@ Here is an example return value:
### Get access token
The following code example demonstrates how to obtain an access token and call the Microsoft Defender ATP API.
```syntax
```csharp
AuthenticationContext context = new AuthenticationContext(string.Format("https://login.windows.net/{0}/oauth2", tenantId));
ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret);
AuthenticationResult authenticationResult = context.AcquireToken(resource, clientCredentials);

12
windows/security/threat-protection/microsoft-defender-atp/python-example-code.md
View File

@ -39,7 +39,7 @@ The following example demonstrates how to obtain an Azure AD access token that y
Replace the *auth_url*, *client_id*, and *client_secret* values with the ones you got from **Settings** page in the portal:
```
```python
import json
import requests
from pprint import pprint
@ -62,7 +62,7 @@ token = json.loads(response.text)["access_token"]
## Step 2: Create request session object
Add HTTP headers to the session object, including the Authorization header with the token that was obtained.
```
```python
with requests.Session() as session:
session.headers = {
'Authorization': 'Bearer {}'.format(token),
@ -74,7 +74,7 @@ with requests.Session() as session:
## Step 3: Create calls to the custom threat intelligence API
After adding HTTP headers to the session object, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities:
```
```python
response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
pprint(json.loads(response.text))
```
@ -85,7 +85,7 @@ The response is empty on initial use of the API.
## Step 4: Create a new alert definition
The following example demonstrates how you to create a new alert definition.
```
```python
alert_definition = {"Name": "The alert's name",
"Severity": "Low",
"InternalDescription": "An internal description of the alert",
@ -104,7 +104,7 @@ The following example demonstrates how you to create a new alert definition.
## Step 5: Create a new indicator of compromise
You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
```
```python
alert_definition_id = json.loads(response.text)["Id"]
ioc = {'Type': "Sha1",
@ -121,7 +121,7 @@ You can now use the alert ID obtained from creating a new alert definition to cr
## Complete code
You can use the complete code to create calls to the API.
```syntax
```python
import json
import requests
from pprint import pprint

4
windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
View File

@ -27,7 +27,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
## Before you begin:
1. Create an [event hub](https://docs.microsoft.com/en-us/azure/event-hubs/) in your tenant.
1. Create an [event hub](https://docs.microsoft.com/azure/event-hubs/) in your tenant.
2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.
## Enable raw data streaming:
@ -86,4 +86,4 @@ To get the data types for event properties do the following:
- [Overview of Advanced Hunting](overview-hunting.md)
- [Microsoft Defender ATP streaming API](raw-data-export.md)
- [Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)
- [Azure Event Hubs documentation](https://docs.microsoft.com/en-us/azure/event-hubs/)
- [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/)

4
windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
View File

@ -27,7 +27,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
## Before you begin:
1. Create a [Storage account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview) in your tenant.
1. Create a [Storage account](https://docs.microsoft.com/azure/storage/common/storage-account-overview) in your tenant.
2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.
## Enable raw data streaming:
@ -86,4 +86,4 @@ In order to get the data types for our events properties do the following:
- [Overview of Advanced Hunting](overview-hunting.md)
- [Microsoft Defender Advanced Threat Protection Streaming API](raw-data-export.md)
- [Stream Microsoft Defender Advanced Threat Protection events to your Azure storage account](raw-data-export-storage.md)
- [Azure Storage Account documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview)
- [Azure Storage Account documentation](https://docs.microsoft.com/azure/storage/common/storage-account-overview)

6
windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
View File

@ -27,7 +27,7 @@ ms.topic: article
## Stream Advanced Hunting events to Event Hubs and/or Azure storage account.
Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](overview-hunting.md) to an [Event Hubs](https://docs.microsoft.com/en-us/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/en-us/azure/event-hubs/).
Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](overview-hunting.md) to an [Event Hubs](https://docs.microsoft.com/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/azure/event-hubs/).
## In this section
@ -39,5 +39,5 @@ Topic | Description
## Related topics
- [Overview of Advanced Hunting](overview-hunting.md)
- [Azure Event Hubs documentation](https://docs.microsoft.com/en-us/azure/event-hubs/)
- [Azure Storage Account documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview)
- [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/)
- [Azure Storage Account documentation](https://docs.microsoft.com/azure/storage/common/storage-account-overview)

2
windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
View File

@ -170,7 +170,7 @@ The Deep analysis summary includes a list of observed *behaviors*, some of which
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the the file's profile page.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page.
**Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.

10
windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
View File

@ -103,11 +103,11 @@ Machines are considered "well configured" for Windows Defender EG if the followi
##### System level protection:
The following system level configuration settings must be set to **On or Force On**:
1. Control Flow Guard
2. Data Execution Prevention (DEP)
3. Randomize memory allocations (Bottom-up ASLR)
4. Validate exception chains (SEHOP)
5. Validate heap integrity
1. Control Flow Guard
2. Data Execution Prevention (DEP)
3. Randomize memory allocations (Bottom-up ASLR)
4. Validate exception chains (SEHOP)
5. Validate heap integrity
>[!NOTE]
>The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline.

2
windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
View File

@ -118,7 +118,7 @@ Security Administrators like you can request for the IT Administrator to remedia
4. Go to the **Remediation** page to view the status of your remediation request.
See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/atp-manage-vulnerabilities) for details.
See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
>[!NOTE]
>If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune.

6
windows/security/threat-protection/microsoft-defender-atp/time-settings.md
View File

@ -56,9 +56,9 @@ The Microsoft Defender ATP time zone is set by default to UTC.
Setting the time zone also changes the times for all Microsoft Defender ATP views.
To set the time zone:
1. Click the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png).
2. Select the **Timezone UTC** indicator.
3. Select **Timezone UTC** or your local time zone, for example -7:00.
1. Click the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png).
2. Select the **Timezone UTC** indicator.
3. Select **Timezone UTC** or your local time zone, for example -7:00.
### Regional settings
To apply different date formats for Microsoft Defender ATP, use regional settings for Internet Explorer (IE) and Microsoft Edge (Edge). If you're using another browser such as Google Chrome, follow the required steps to change the time and date settings for that browser.

10
windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
View File

@ -29,7 +29,7 @@ This page provides detailed steps to troubleshoot live response issues.
## File cannot be accessed during live response sessions
If while trying to take an action during a live response session, you encounter an error message stating that the file can't be accessed, you'll need to use the steps below to address the issue.
1. Copy the following script code snippet and save it as a PS1 file:
1. Copy the following script code snippet and save it as a PS1 file:
```
$copied_file_path=$args[0]
@ -47,10 +47,10 @@ If while trying to take an action during a live response session, you encounter
```
2. Add the script to the live response library.
3. Run the script with one parameter: the file path of the file to be copied.
4. Navigate to your TEMP folder.
5. Run the action you wanted to take on the copied file.
2. Add the script to the live response library.
3. Run the script with one parameter: the file path of the file to be copied.
4. Navigate to your TEMP folder.
5. Run the action you wanted to take on the copied file.

38
windows/security/threat-protection/microsoft-defender-atp/user-roles.md
View File

@ -28,11 +28,11 @@ ms.topic: article
## Create roles and assign the role to an Azure Active Directory group
The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups.
1. In the navigation pane, select **Settings > Roles**.
1. In the navigation pane, select **Settings > Roles**.
2. Click **Add role**.
2. Click **Add role**.
3. Enter the role name, description, and permissions you'd like to assign to the role.
3. Enter the role name, description, and permissions you'd like to assign to the role.
- **Role name**
- **Description**
@ -49,23 +49,23 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
- **Live response capabilities** - Users can take basic or advanced live response commands. <br>
- Basic commands allow users to:
- Start a live response session
- Run read only live response commands on a remote machine
- Start a live response session
- Run read only live response commands on a remote machine
- Advanced commands allow users to:
- Run basic actions
- Download a file from the remote machine
- View a script from the files library
- Run a script on the remote machine from the files library take read and write commands.
- Run basic actions
- Download a file from the remote machine
- View a script from the files library
- Run a script on the remote machine from the files library take read and write commands.
For more information on the available commands, see [Investigate machines using Live response](live-response.md).
4. Click **Next** to assign the role to an Azure AD group.
4. Click **Next** to assign the role to an Azure AD group.
5. Use the filter to select the Azure AD group that you'd like to add to this role.
5. Use the filter to select the Azure AD group that you'd like to add to this role.
6. Click **Save and close**.
6. Click **Save and close**.
7. Apply the configuration settings.
7. Apply the configuration settings.
After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created.
@ -73,19 +73,19 @@ After creating roles, you'll need to create a machine group and provide access t
## Edit roles
1. Select the role you'd like to edit.
1. Select the role you'd like to edit.
2. Click **Edit**.
2. Click **Edit**.
3. Modify the details or the groups that are assigned to the role.
3. Modify the details or the groups that are assigned to the role.
4. Click **Save and close**.
4. Click **Save and close**.
## Delete roles
1. Select the role you'd like to delete.
1. Select the role you'd like to delete.
2. Click the drop-down button and select **Delete role**.
2. Click the drop-down button and select **Delete role**.
## Related topic

16
windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
View File

@ -111,11 +111,11 @@ Audit only mode configures the SAMRPC protocol to do the access check against th
### Related events
There are corresponding events that indicate when remote calls to the SAM are restricted, what accounts attempted to read from the SAM database, and more. The following workflow is recommended to identify applications that may be affected by restricting remote calls to SAM:
1. Dump event logs to a common share.
2. Parse them with the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script.
3. Review Event IDs 16962 to 16969, as listed in the following table, in the System log with event source Directory-Service-SAM.
4. Identify which security contexts are enumerating users or groups in the SAM database.
5. Prioritize the callers, determine if they should be allowed or not, then include the allowed callers in the SDDL string.
1. Dump event logs to a common share.
2. Parse them with the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script.
3. Review Event IDs 16962 to 16969, as listed in the following table, in the System log with event source Directory-Service-SAM.
4. Identify which security contexts are enumerating users or groups in the SAM database.
5. Prioritize the callers, determine if they should be allowed or not, then include the allowed callers in the SDDL string.
|Event ID|Event Message Text|Explanation |
|---|---|---|
@ -152,9 +152,9 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
The SAMRPC protocol has a default security posture that makes it possible for low-privileged attackers to query a machine on the network for data that is critical to their further hacking and penetration plans. <br><br>
The following example illustrates how an attacker might exploit remote SAM enumeration:
1. A low-privileged attacker gains a foothold on a network.
2. The attacker then queries all machines on the network to determine which ones have a highly privileged domain user configured as a local administrator on that machine.
3. If the attacker can then find any other vulnerability on that machine that allows taking it over, the attacker can then squat on the machine waiting for the high-privileged user to logon and then steal or impersonate those credentials.
1. A low-privileged attacker gains a foothold on a network.
2. The attacker then queries all machines on the network to determine which ones have a highly privileged domain user configured as a local administrator on that machine.
3. If the attacker can then find any other vulnerability on that machine that allows taking it over, the attacker can then squat on the machine waiting for the high-privileged user to logon and then steal or impersonate those credentials.
### Countermeasure
You can mitigate this vulnerability by enabling the **Network access: Restrict clients allowed to make remote calls** to SAM security policy setting and configuring the SDDL for only those accounts that are explicitly allowed access.

12
windows/security/threat-protection/windows-10-mobile-security-guide.md
View File

@ -278,12 +278,12 @@ You can use DHA with Microsoft Intune (sold separately) or a third-party MDM sol
The example that follows shows how Windows 10 protective measures integrate and work with Intune and third-party MDM solutions. It demonstrates how the phone security architecture in Windows 10 Mobile can help you monitor and verify compliance and how the security and trust rooted in the device hardware can protect end-to-end corporate resources.
When a user turns a phone on:
1. The Secure Boot feature in Windows 10 Mobile helps protect the startup sequence, allows the device to boot into a defined and trusted configuration, and loads a factory-trusted boot loader.
2. Windows 10 Mobile Trusted Boot takes control when the Secure Boot process is complete, verifying the digital signature of the Windows kernel and the components that are loaded and executed during the startup process.
3. In parallel to steps 1 and 2, the phones TPM runs independently in a hardware-protected security zone (isolated from the boot execution path, which monitors boot activities). It creates a protected, tamper-evident audit trail, signed with a secret that only the TPM can access.
4. Devices that are DHA-enabled send a copy of this audit trail to the Microsoft Health Attestation service (HAS) in a protected, tamper-resistant, and tamper-evident communication channel.
5. HAS reviews the audit trails, issues an encrypted and signed report, and forwards it to the device.
6. From your DHA-enabled MDM solution, you can review the report in a protected, tamper-resistant, and tamper-evident communication channel to assess whether the device is running in a compliant (healthy) state, allow access, or trigger corrective action aligned with the organizations security needs and policies.
1. The Secure Boot feature in Windows 10 Mobile helps protect the startup sequence, allows the device to boot into a defined and trusted configuration, and loads a factory-trusted boot loader.
2. Windows 10 Mobile Trusted Boot takes control when the Secure Boot process is complete, verifying the digital signature of the Windows kernel and the components that are loaded and executed during the startup process.
3. In parallel to steps 1 and 2, the phones TPM runs independently in a hardware-protected security zone (isolated from the boot execution path, which monitors boot activities). It creates a protected, tamper-evident audit trail, signed with a secret that only the TPM can access.
4. Devices that are DHA-enabled send a copy of this audit trail to the Microsoft Health Attestation service (HAS) in a protected, tamper-resistant, and tamper-evident communication channel.
5. HAS reviews the audit trails, issues an encrypted and signed report, and forwards it to the device.
6. From your DHA-enabled MDM solution, you can review the report in a protected, tamper-resistant, and tamper-evident communication channel to assess whether the device is running in a compliant (healthy) state, allow access, or trigger corrective action aligned with the organizations security needs and policies.
Because this solution can detect and prevent low-level malware that may be extremely difficult to detect any other way, Microsoft recommends that you consider implementing a DHA-enabled MDM system like Intune. It can take advantage of the Windows 10 Mobile cloud-based health attestation server feature to detect and block devices infected with advanced malware.
### <a href="" id="device-guard"></a>Device Guard

6
windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
View File

@ -57,7 +57,7 @@ As a cloud service, it is required that computers have access to the internet an
| *Malware submission storage *|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net |
| *Certificate Revocation List (CRL)* |Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs |
| *Symbol Store *|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols |
| *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: * vortex-win.data.microsoft.com * settings-win.data.microsoft.com|
| *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: vortex-win.data.microsoft.com settings-win.data.microsoft.com|
## Validate connections between your network and the cloud
@ -68,7 +68,7 @@ After whitelisting the URLs listed above, you can test if you are connected to t
Use the following argument with the Windows Defender Antivirus command line utility (*mpcmdrun.exe*) to verify that your network can communicate with the Windows Defender Antivirus cloud service:
```DOS
MpCmdRun -ValidateMapsConnection
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
```
> [!NOTE]
@ -81,7 +81,7 @@ See [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](c
You can download a sample file that Windows Defender Antivirus will detect and block if you are properly connected to the cloud.
Download the file by visiting the following link:
- http://aka.ms/ioavtest
- https://aka.ms/ioavtest
>[!NOTE]
>This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.

78
windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
View File

@ -59,43 +59,43 @@ You can set this feature with Intune, Group Policy, or PowerShell.
Open the Intune management portal either by searching for Intune on https://portal.azure.com or going to https://devicemanagement.microsoft.com and logging in.
1. To create a group with only the devices or users you specify:
1. Go to **Groups**. Click **New group**. Use the following values:
1. Group type: **Security**
2. Group name: **VDI test VMs**
3. Group description: *Optional*
4. Membership type: **Assigned**
1. To create a group with only the devices or users you specify:
1. Go to **Groups**. Click **New group**. Use the following values:
1. Group type: **Security**
2. Group name: **VDI test VMs**
3. Group description: *Optional*
4. Membership type: **Assigned**
1. Add the devices or users you want to be a part of this test and then click **Create** to save the group. Its a good idea to create a couple of groups, one with VMs running the latest Insider Preview build and with the shared security intelligence update feature enabled, and another with VMs that are running Windows 10 1809 or earlier versions. This will help when you create dashboards to test the performance changes.
1. Add the devices or users you want to be a part of this test and then click **Create** to save the group. Its a good idea to create a couple of groups, one with VMs running the latest Insider Preview build and with the shared security intelligence update feature enabled, and another with VMs that are running Windows 10 1809 or earlier versions. This will help when you create dashboards to test the performance changes.
1. To create a group that will include any machine in your tenant that is a VM, even when they are newly created:
1. To create a group that will include any machine in your tenant that is a VM, even when they are newly created:
1. Go to **Groups**. Click **New group**. Use the following values:
1. Group type: **Security**
2. Group name: **VDI test VMs**
3. Group description: *Optional*
4. Membership type: **Dynamic Device**
1. Click **Simple rule**, and select **deviceModel**, **Equals**, and enter **Virtual Machine**. Click **Add query** and then **Create** to save the group.
1. Go to **Device configuration**, then **Profiles**. You can modify an existing custom profile or create a new one. In this demo Im going to create a new one by clicking **Create profile**.
1. Name it, choose **Windows 10 and later** as the Platform and most importantly select **Custom** as the profile type.
1. The **Custom OMA-URI Settings** blade is opened automatically. Click **Add** then enter the following values:
1. Name: **VDI shared sig location**
1. Description: *Optional*
1. OMA-URI: **./Vendor/MSFT/Defender/SharedSignatureRoot**
1. Data type: **String**
1. Value: **\\<sharedlocation\>\wdav-update\** (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be)
1. Click **Ok** to close the details blade, then **OK** again to close the **Custom OMA-URI Settings** blade. Click **Create** to save the new profile. The profile details page now appears.
1. Click **Assignments**. The **Include** tab is automatically selected. In the drop-down menu, select **Selected Groups**, then click **Select groups to include**. Click the **VDI test VMs** group and then **Select**.
1. Click **Evaluate** to see how many users/devices will be impacted. If the number makes sense, click **Save**. If the number doesnt make sense, go back to the groups blade and confirm the group contains the right users or devices.
1. The profile will now be deployed to the impacted devices. Note that this may take some time.
1. Go to **Groups**. Click **New group**. Use the following values:
1. Group type: **Security**
2. Group name: **VDI test VMs**
3. Group description: *Optional*
4. Membership type: **Dynamic Device**
1. Click **Simple rule**, and select **deviceModel**, **Equals**, and enter **Virtual Machine**. Click **Add query** and then **Create** to save the group.
1. Go to **Device configuration**, then **Profiles**. You can modify an existing custom profile or create a new one. In this demo Im going to create a new one by clicking **Create profile**.
1. Name it, choose **Windows 10 and later** as the Platform and most importantly select **Custom** as the profile type.
1. The **Custom OMA-URI Settings** blade is opened automatically. Click **Add** then enter the following values:
1. Name: **VDI shared sig location**
1. Description: *Optional*
1. OMA-URI: **./Vendor/MSFT/Defender/SharedSignatureRoot**
1. Data type: **String**
1. Value: **\\<sharedlocation\>\wdav-update\** (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be)
1. Click **Ok** to close the details blade, then **OK** again to close the **Custom OMA-URI Settings** blade. Click **Create** to save the new profile. The profile details page now appears.
1. Click **Assignments**. The **Include** tab is automatically selected. In the drop-down menu, select **Selected Groups**, then click **Select groups to include**. Click the **VDI test VMs** group and then **Select**.
1. Click **Evaluate** to see how many users/devices will be impacted. If the number makes sense, click **Save**. If the number doesnt make sense, go back to the groups blade and confirm the group contains the right users or devices.
1. The profile will now be deployed to the impacted devices. Note that this may take some time.
#### Use Group Policy to enable the shared security intelligence feature:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
1. In the **Group Policy Management Editor** go to **Computer configuration**.
1. Click **Administrative templates**.
1. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**
1. Double-click Define security intelligence location for VDI clients and set the option to Enabled. A field automatically appears, enter *\\<sharedlocation\>\wdav-update *(see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be). Click **OK**.
1. Deploy the GPO to the VMs you want to test.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
1. In the **Group Policy Management Editor** go to **Computer configuration**.
1. Click **Administrative templates**.
1. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**
1. Double-click Define security intelligence location for VDI clients and set the option to Enabled. A field automatically appears, enter *\\<sharedlocation\>\wdav-update *(see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be). Click **OK**.
1. Deploy the GPO to the VMs you want to test.
#### Use PowerShell to enable the shared security intelligence feature:
Use the following cmdlet to enable the feature. Youll need to then push this as you normally would push PowerShell-based configuration policies onto the VMs:
@ -128,9 +128,9 @@ We suggest starting with once a day but you should experiment with increasin
Note that security intelligence packages are typically published once every three to four hours, so setting a frequency shorter than four hours isnt advised as it will increase the network overhead on your management machine for no benefit.
#### Set a scheduled task to run the powershell script
1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel.
1. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Click **New…** Select **Daily** and click **OK**.
1. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter
1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel.
1. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Click **New…** Select **Daily** and click **OK**.
1. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter
*-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1*
@ -141,10 +141,10 @@ You can initiate the update manually by right-clicking on the task and clicking
#### Download and unpackage manually
If you would prefer to do everything manually, this what you would need to do to replicate the scripts behavior:
1. Create a new folder on the system root called *wdav_update* to store intelligence updates, for example, create the folder *c:\wdav_update*
1. Create a subfolder under *wdav_update* with a GUID name, such as *{00000000-0000-0000-0000-000000000000}*; for example *c:\wdav_update\{00000000-0000-0000-0000-000000000000}* (note, in the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time)
1. Download a security intelligence package from https://www.microsoft.com/en-us/wdsi/definitions into the GUID folder. The file should be named *mpam-fe.exe*.
1. Open a cmd prompt window and navigate to the GUID folder you created. Use the **/X** extraction command to extract the files, for example **mpam-fe.exe /X**.
1. Create a new folder on the system root called *wdav_update* to store intelligence updates, for example, create the folder *c:\wdav_update*
1. Create a subfolder under *wdav_update* with a GUID name, such as *{00000000-0000-0000-0000-000000000000}*; for example *c:\wdav_update\{00000000-0000-0000-0000-000000000000}* (note, in the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time)
1. Download a security intelligence package from https://www.microsoft.com/en-us/wdsi/definitions into the GUID folder. The file should be named *mpam-fe.exe*.
1. Open a cmd prompt window and navigate to the GUID folder you created. Use the **/X** extraction command to extract the files, for example **mpam-fe.exe /X**.
Note: The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package.
### Randomize scheduled scans

4
windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
View File

@ -38,8 +38,8 @@ If Windows Defender Antivirus did not download protection updates for a specifie
2. Go to the **Definition updates** section and configure the following settings:
1. Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
2. For the **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
1. Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
2. For the **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
3. Click **OK**.

4
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md
View File

@ -34,7 +34,7 @@ If you decide to deploy updates by using your software distribution tools, you s
## Use msupdate
MAU includes a command line tool, called *msupdate*, that is designed for IT administrators so that they have more precise control over when updates are applied. Instructions for how to use this tool can be found in [Update Office for Mac by using msupdate](https://docs.microsoft.com/en-us/deployoffice/mac/update-office-for-mac-using-msupdate).
MAU includes a command line tool, called *msupdate*, that is designed for IT administrators so that they have more precise control over when updates are applied. Instructions for how to use this tool can be found in [Update Office for Mac by using msupdate](https://docs.microsoft.com/deployoffice/mac/update-office-for-mac-using-msupdate).
In MAU, the application identifier for Microsoft Defender ATP for Mac is *WDAV00*. To download and install the latest updates for Microsoft Defender ATP for Mac, execute the following command from a Terminal window:
@ -141,4 +141,4 @@ To configure MAU, you can deploy this configuration profile from the management
## Resources
- [msupdate reference](https://docs.microsoft.com/en-us/deployoffice/mac/update-office-for-mac-using-msupdate)
- [msupdate reference](https://docs.microsoft.com/deployoffice/mac/update-office-for-mac-using-msupdate)

2
windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
View File

@ -53,7 +53,7 @@ In order for devices to properly show up in Update Compliance, you have to meet
> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level).
> - It has been 3 days since all requirements have been met
“You can use Windows Defender Antivirus with Update Compliance. Youll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
“You can use Windows Defender Antivirus with Update Compliance. Youll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
If the above pre-requisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.

4
windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
View File

@ -24,9 +24,9 @@ manager: dansimp
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10.
However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender Antivirus will automatically disable itself. You can then choose to enable an optional, limited protection feature, called [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md).
However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender Antivirus will automatically disable itself.
If you are also using Microsoft Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode.
If you are also using Microsoft Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode. Important: Real time protection and and threats will not be remediated by Windows Defender AV.
The following matrix illustrates the states that Windows Defender AV will enter when third-party antivirus products or Microsoft Defender ATP are also used.

10
windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
View File

@ -38,6 +38,16 @@ You can configure and manage Windows Defender Antivirus with:
- Windows Management Instrumentation (WMI)
- Group Policy
>[!TIP]
>You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work:
>- Cloud-delivered protection
>- Fast learning (including Block at first sight)
>- Potentially unwanted application blocking
> [!NOTE]
> For more information regarding what's new in each Windows version, please refer to [What's new in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp).
=======
<a id="sysreq"></a>
## Minimum system requirements

2
windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
View File

@ -123,7 +123,7 @@ See the following for more information:
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label:
3. Select **Windows Defender Offline scan** and click **Scan now**.
3. Select **Windows Defender Offline scan** and click **Scan now**.
> [!NOTE]

1
windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
View File

@ -16,6 +16,7 @@ ms.date: 05/21/2019
- Windows 10
- Windows Server 2016
- Windows Server 2019
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

2
windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
View File

@ -27,7 +27,7 @@ This topic explains the differences between allow and deny actions on AppLocker
## Allow action versus deny action on rules
Unlike Software Restriction Policies (SRP), each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection are allowed to run. This configuration makes it easier to determine what will occur when an AppLocker rule is applied.
Unlike Software Restriction Policies (SRP), each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection are allowed to run. This **block by default, allow by exception** configuration makes it easier to determine what will occur when an AppLocker rule is applied.
You can also create rules that use the deny action. When applying rules, AppLocker first checks whether any explicit deny actions are specified in the rule list. If you have denied a file from running in a rule collection, the deny action will take precedence over any allow action, regardless of which Group Policy Object (GPO) the rule was originally applied in. Because AppLocker functions as an allowed list by default, if no rule explicitly allows or denies a file from running, AppLocker's default deny action will block the file.

6
windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
View File

@ -77,13 +77,13 @@ Use the following procedure after you have been running a computer with a WDAC p
2. In an elevated Windows PowerShell session, initialize the variables that will be used. The example filename shown here is **DeviceGuardAuditPolicy.xml**:
` $CIPolicyPath=$env:userprofile+"\Desktop\"`
`$CIPolicyPath=$env:userprofile+"\Desktop\"`
` $CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"`
`$CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"`
3. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy UserPEs 3> CIPolicylog.txt`
`New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy UserPEs 3> CIPolicylog.txt`
> [!NOTE]
> When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy.

6
windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
View File

@ -40,11 +40,11 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi
1. Initialize variables that you will use. The following example commands use **InitialScan.xml** and **DeviceGuardPolicy.bin** for the names of the files that will be created:
` $CIPolicyPath=$env:userprofile+"\Desktop\"`
`$CIPolicyPath=$env:userprofile+"\Desktop\"`
` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
`$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
`$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
2. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications:

20
windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
View File

@ -41,7 +41,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
2. Start Package Inspector, and then start scanning a local drive, for example, drive C:
` PackageInspector.exe Start C:`
`PackageInspector.exe Start C:`
> [!NOTE]
> Package inspector can monitor installations on any local drive. Specify the appropriate drive on the local computer.
@ -69,13 +69,13 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
For the last command, which stops Package Inspector, be sure to type the drive letter of the drive you have been scanning, for example, C:.
` $ExamplePath=$env:userprofile+"\Desktop"`
`$ExamplePath=$env:userprofile+"\Desktop"`
` $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
`$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
` $CatDefName=$ExamplePath+"\LOBApp.cdf"`
`$CatDefName=$ExamplePath+"\LOBApp.cdf"`
` PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName`
`PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName`
> **Note**&nbsp;&nbsp;Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries hash values.
@ -116,15 +116,15 @@ To sign the existing catalog file, copy each of the following commands into an e
1. Initialize the variables that will be used. Replace the *$ExamplePath* and *$CatFileName* variables as needed:
` $ExamplePath=$env:userprofile+"\Desktop"`
`$ExamplePath=$env:userprofile+"\Desktop"`
` $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
`$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing users personal store.
3. Sign the catalog file with Signtool.exe:
` <path to signtool.exe> sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName`
`<path to signtool.exe> sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName`
> **Note**&nbsp;&nbsp;The *&lt;Path to signtool.exe&gt;* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* represents the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the computer on which you are attempting to sign the catalog file.
>
@ -148,14 +148,14 @@ After the catalog file is signed, add the signing certificate to a WDAC policy,
2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to create a WDAC policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**:
` New-CIPolicy -Level PcaCertificate -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml UserPEs`
`New-CIPolicy -Level PcaCertificate -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml UserPEs`
> [!NOTE]
> Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity.
3. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `<policypath>` and `<certpath>`:
` Add-SignerRule -FilePath <policypath> -CertificatePath <certpath> -User `
`Add-SignerRule -FilePath <policypath> -CertificatePath <certpath> -User`
If you used step 2 to create a new WDAC policy, and want information about merging policies together, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).

8
windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
View File

@ -22,12 +22,12 @@ ms.date: 05/17/2019
The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios:
1. Enforce and Audit Side-by-Side
1. Enforce and Audit Side-by-Side
- To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side-by-side with an existing enforcement-mode base policy
2. Multiple Base Policies
2. Multiple Base Policies
- Users can enforce two or more base policies simultaneously in order to allow simpler policy targeting for policies with different scope/intent
- If two base policies exist on a device, an application has to be allowed by both to run
3. Supplemental Policies
3. Supplemental Policies
- Users can deploy one or more supplemental policies to expand a base policy
- A supplemental policy expands a single base policy, and multiple supplemental policies can expand the same base policy
- For supplemental policies, applications that are allowed by either the base policy or its supplemental policy/policies are allowed to run
@ -85,7 +85,7 @@ In order to deploy policies using the new multiple policy format you will need t
- Policies must be copied to this directory: C:\Windows\System32\CodeIntegrity\CiPolicies\Active
2. Binary policy files must have the correct name which takes the format {PolicyGUID}.cip
- Ensure that the name of the binary policy file is exactly the same as the PolicyID in the policy
- For example if the policy XML had the ID as <PolicyID>{A6D7FBBF-9F6B-4072-BF37-693741E1D745}</PolicyID> the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip
- For example if the policy XML had the ID as `<PolicyID>{A6D7FBBF-9F6B-4072-BF37-693741E1D745}</PolicyID>` the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip
3. Reboot the system or use WMI to rebootlessly refresh the policy
```powershell

18
windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
View File

@ -28,13 +28,13 @@ Every WDAC policy is created with audit mode enabled. After you have successfull
1. Initialize the variables that will be used:
` $CIPolicyPath=$env:userprofile+"\Desktop\"`
`$CIPolicyPath=$env:userprofile+"\Desktop\"`
` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" `
`$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
` $EnforcedCIPolicy=$CIPolicyPath+"EnforcedPolicy.xml"`
`$EnforcedCIPolicy=$CIPolicyPath+"EnforcedPolicy.xml"`
` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"`
`$CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"`
> [!NOTE]
> The initial WDAC policy that this section refers to was created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are using a different WDAC policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
@ -43,23 +43,23 @@ Every WDAC policy is created with audit mode enabled. After you have successfull
To ensure that these options are enabled in a policy, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) as shown in the following commands. You can run these commands even if you're not sure whether options 9 and 10 are already enabled—if so, the commands have no effect.
` Set-RuleOption -FilePath $InitialCIPolicy -Option 9`
`Set-RuleOption -FilePath $InitialCIPolicy -Option 9`
` Set-RuleOption -FilePath $InitialCIPolicy -Option 10`
`Set-RuleOption -FilePath $InitialCIPolicy -Option 10`
3. Copy the initial file to maintain an original copy:
` copy $InitialCIPolicy $EnforcedCIPolicy`
`copy $InitialCIPolicy $EnforcedCIPolicy`
4. Use Set-RuleOption to delete the audit mode rule option:
` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete`
`Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete`
> [!NOTE]
> To enforce a WDAC policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a WDAC policy.
5. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary format:
` ConvertFrom-CIPolicy $EnforcedCIPolicy $CIPolicyBin`
`ConvertFrom-CIPolicy $EnforcedCIPolicy $CIPolicyBin`
Now that this policy is in enforced mode, you can deploy it to your test computers. Rename the policy to SIPolicy.p7b and copy it to C:\\Windows\\System32\\CodeIntegrity for testing, or deploy the policy through Group Policy by following the instructions in [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). You can also use other client management software to deploy and manage the policy.

14
windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
View File

@ -30,26 +30,26 @@ To merge two WDAC policies, complete the following steps in an elevated Windows
1. Initialize the variables that will be used:
` $CIPolicyPath=$env:userprofile+"\Desktop\"`
`$CIPolicyPath=$env:userprofile+"\Desktop\"`
` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
`$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
` $AuditCIPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"`
`$AuditCIPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"`
` $MergedCIPolicy=$CIPolicyPath+"MergedPolicy.xml"`
`$MergedCIPolicy=$CIPolicyPath+"MergedPolicy.xml"`
` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"`
`$CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"`
> [!NOTE]
> The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit WDAC policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other WDAC policies, update the variables accordingly.
2. Use [Merge-CIPolicy](https://docs.microsoft.com/powershell/module/configci/merge-cipolicy) to merge two policies and create a new WDAC policy:
` Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy`
`Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy`
3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the merged WDAC policy to binary format:
` ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin `
`ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin`
Now that you have created a new WDAC policy, you can deploy the policy binary to systems manually or by using Group Policy or Microsoft client management solutions. For information about how to deploy this new policy with Group Policy, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).

4
windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
View File

@ -36,13 +36,13 @@ To modify the policy rule options of an existing WDAC policy, use [Set-RuleOptio
- To ensure that UMCI is enabled for a WDAC policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command:
` Set-RuleOption -FilePath <Path to policy> -Option 0`
`Set-RuleOption -FilePath <Path to policy> -Option 0`
Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Windows Defender Application Control will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option.
- To disable UMCI on an existing WDAC policy, delete rule option 0 by running the following command:
` Set-RuleOption -FilePath <Path to policy> -Option 0 -Delete`
`Set-RuleOption -FilePath <Path to policy> -Option 0 -Delete`
You can set several rule options within a WDAC policy. Table 2 describes each rule option.

16
windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
View File

@ -43,11 +43,11 @@ If you do not have a code signing certificate, see the [Optional: Create a code
1. Initialize the variables that will be used:
` $CIPolicyPath=$env:userprofile+"\Desktop\"`
`$CIPolicyPath=$env:userprofile+"\Desktop\"`
` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
`$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
`$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
> [!NOTE]
> This example uses the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
@ -58,11 +58,11 @@ If you do not have a code signing certificate, see the [Optional: Create a code
4. Navigate to your desktop as the working directory:
` cd $env:USERPROFILE\Desktop `
`cd $env:USERPROFILE\Desktop`
5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy:
` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User Update`
`Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User Update`
> [!NOTE]
> \<Path to exported .cer certificate> should be the full path to the certificate that you exported in step 3.
@ -70,15 +70,15 @@ If you do not have a code signing certificate, see the [Optional: Create a code
6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
` Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete`
`Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete`
7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format:
` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
`ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
8. Sign the WDAC policy by using SignTool.exe:
` <Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
`<Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
> [!NOTE]
> The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.

16
windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
View File

@ -45,11 +45,11 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
1. Initialize the variables that will be used:
` $CIPolicyPath=$env:userprofile+"\Desktop\"`
`$CIPolicyPath=$env:userprofile+"\Desktop\"`
` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
`$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
`$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
> [!NOTE]
> This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
@ -60,11 +60,11 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
4. Navigate to your desktop as the working directory:
` cd $env:USERPROFILE\Desktop `
`cd $env:USERPROFILE\Desktop`
5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy:
` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User Update`
`Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User Update`
> [!NOTE]
> *&lt;Path to exported .cer certificate&gt;* should be the full path to the certificate that you exported in step 3.
@ -72,15 +72,15 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
` Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete`
`Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete`
7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format:
` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
`ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
8. Sign the WDAC policy by using SignTool.exe:
` <Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
`<Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
> [!NOTE]
> The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.

3
windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
View File

@ -98,3 +98,6 @@ Modern apps are not supported with the ISG heuristic and will need to be separat
The ISG heuristic does not authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.
In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. Review for functionality and performance for the related applications using the native images maybe necessary in some cases.
>[!NOTE]
> A rule that explicitly allows an application will take precedence over the ISG rule that does not allow it. In this scenario, this policy is not compatible with Intune, where there is no option to add rules to the template that enables ISG. In most circumstances you would need to build a custom WDAC policy, including ISG if desired.

5
windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
View File

@ -29,7 +29,7 @@ A managed installer helps an IT admin balance security and manageability require
## How does a managed installer work?
A managed installer uses a new rule collection in AppLocker to specify one or more executables that are trusted by the organization as an authorized source for application deployment.
Specifying an executable as a managed installer will cause Windows to tag files that are written from the executables process (or processes it launches) as having originated from a trusted installation authority.
Specifying an executable as a managed installer will cause Windows to tag files that are written from the executables process (or processes it launches) as having originated from a trusted installation authority. The Managed Installer rule collection is currently supported for AppLocker rules in Group Policy and in Configuration Manager, but not in the AppLocker CSP for OMA-URI policies.
Once the IT administrator adds the Allow: Managed Installer option to a WDAC policy, the WDAC component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy.
If there are no deny rules present for the file, it will be authorized based on the managed installer origin information.+
@ -49,10 +49,11 @@ There are three primary steps to keep in mind:
### Specify managed installers using the Managed Installer rule collection in AppLocker policy
The identity of the managed installer executable(s) is specified in an AppLocker policy in a Managed Installer rule collection.
Currently the AppLocker policy creation UI and cmdlets do not allow for directly specifying rules for the Managed Installer rule collection, however a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller".
Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
An example of a valid Managed Installer rule collection is shown below.
For more information about creating an AppLocker policy that includes a managed installer and configuring client devices, see [Simplify application whitelisting with Configuration Manager and Windows 10](https://cloudblogs.microsoft.com/enterprisemobility/2016/06/20/configmgr-as-a-managed-installer-with-win10/).
As mentioned above, the AppLocker CSP for OMA-URI policies does not currently support the Managed Installer rule collection or the Service Enforcement rule extensions mentioned below.
```code

4
windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
View File

@ -42,7 +42,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Win
|-----------|------------------|-----------|-------|
|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<ul><li>Disable the clipboard functionality completely when Virtualization Security is enabled.</li><li>Enable copying of certain content from Application Guard into Microsoft Edge.</li><li>Enable copying of certain content from Microsoft Edge into Application Guard.<br><br>**Important**<br>Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.</li></ul>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<ul><li>Enable Application Guard to print into the XPS format.</li><li>Enable Application Guard to print into the PDF format.</li><li>Enable Application Guard to print to locally attached printers.</li><li>Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.</ul>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.<br><br>**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.<br><br>**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>|
|Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.<br><br>**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|
|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.<br><br>**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
@ -50,3 +50,5 @@ These settings, located at **Computer Configuration\Administrative Templates\Win
|Allow camera and microphone access in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Windows Defender Application Guard.|**Enabled.** Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device.<br><br></ul>**Important**<br>Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<br><br></ul>**Disabled or not configured.** Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Windows Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Windows Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<br><br></ul>**Disabled or not configured.** Certificates are not shared with Windows Defender Application Guard.|
|Allow users to trust files that open in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.<br><br></ul>**Disabled or not configured.** Users are unable to manually trust files and files continue to open in Windows Defender Application Guard.|

72
windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
View File

@ -29,11 +29,11 @@ You can see how an employee would use standalone mode with Application Guard.
1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard).
2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.
2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.
![New Application Guard window setting option](images/appguard-new-window.png)
3. Wait for Application Guard to set up the isolated environment.
3. Wait for Application Guard to set up the isolated environment.
>[!NOTE]
>Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays.
@ -108,13 +108,13 @@ You have the option to change each of these settings to work with your enterpris
#### Copy and paste options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
2. Click **Enabled** and click **OK**.
2. Click **Enabled** and click **OK**.
![Group Policy editor clipboard options](images/appguard-gp-clipboard.png)
3. Choose how the clipboard works:
3. Choose how the clipboard works:
- Copy and paste from the isolated session to the host PC
@ -122,7 +122,7 @@ You have the option to change each of these settings to work with your enterpris
- Copy and paste both directions
4. Choose what can be copied:
4. Choose what can be copied:
- **1.** Only text can be copied between the host PC and the isolated container.
@ -130,33 +130,33 @@ You have the option to change each of these settings to work with your enterpris
- **3.** Both text and images can be copied between the host PC and the isolated container.
5. Click **OK**.
5. Click **OK**.
#### Print options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings.
2. Click **Enabled** and click **OK**.
2. Click **Enabled** and click **OK**.
![Group Policy editor Print options](images/appguard-gp-print.png)
3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing.
3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing.
4. Click **OK**.
#### Data persistence options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
2. Click **Enabled** and click **OK**.
![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png)
3. Open Microsoft Edge and browse to an untrusted, but safe URL.
3. Open Microsoft Edge and browse to an untrusted, but safe URL.
The website opens in the isolated session.
4. Add the site to your **Favorites** list and then close the isolated session.
4. Add the site to your **Favorites** list and then close the isolated session.
5. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
@ -171,29 +171,29 @@ You have the option to change each of these settings to work with your enterpris
#### Download options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
2. Click **Enabled** and click **OK**.
![Group Policy editor Download options](images/appguard-gp-download.png)
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Download a file from Windows Defender Application Guard.
4. Download a file from Windows Defender Application Guard.
5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files.
5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files.
#### Hardware acceleration options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
2. Click **Enabled** and click **OK**.
![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png)
3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session.
3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session.
4. Assess the visual experience and battery performance.
4. Assess the visual experience and battery performance.
**Applies to:**
- Windows 10 Enterpise edition, version 1809
@ -201,39 +201,39 @@ You have the option to change each of these settings to work with your enterpris
#### File trust options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard** setting.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard** setting.
2. Click **Enabled**, set **Options** to 2, and click **OK**.
2. Click **Enabled**, set **Options** to 2, and click **OK**.
![Group Policy editor Download options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png)
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Open a file in Edge, such an Office 365 file.
4. Open a file in Edge, such an Office 365 file.
5. Check to see that an antivirus scan completed before the file was opened.
5. Check to see that an antivirus scan completed before the file was opened.
#### Camera and microphone options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard** setting.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
2. Click **Enabled** and click **OK**.
![Group Policy editor Download options](images/appguard-gp-allow-camera-and-mic.png)
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Open an application with video or audio capability in Edge.
4. Open an application with video or audio capability in Edge.
5. Check that the camera and microphone work as expected.
5. Check that the camera and microphone work as expected.
#### Root certificate sharing options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user's device** setting.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user's device** setting.
2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.
2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.
![Group Policy editor Download options](images/appguard-gp-allow-root-certificates.png)
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.

82
windows/security/threat-protection/windows-defender-atp/overview-secure-score.md Normal file
View File

@ -0,0 +1,82 @@
---
title: Overview of Secure score in Windows Defender Security Center
description: Expand your visibility into the overall security posture of your organization
keywords: secure score, security controls, improvement opportunities, security score over time, score, posture, baseline
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/03/2018
---
# Overview of Secure score in Windows Defender Security Center
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
>[!IMPORTANT]
> This feature is available for machines on Windows 10, version 1703 or later.
The **Secure score dashboard** displays a snapshot of:
- Microsoft secure score
- Secure score over time
- Top recommendations
- Improvement opportunities
![Secure score dashboard](images/new-secure-score-dashboard.png)
## Microsoft secure score
The Microsoft secure score tile is reflective of the sum of all the Windows Defender security controls that are configured according to the recommended baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings.
![Image of Microsoft secure score tile](images/mss.png)
Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/en-us/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess).
In the example image, the total points for the Windows security controls and Office 365 add up to 602 points.
You can set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md).
## Secure score over time
You can track the progression of your organizational security posture over time using this tile. It displays the overall score in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture. The expected update schedule for Secure Score is about 24 hours. In some cases, depending of the size of the organization, number of computers and other factors, this update can take up to 72 hours.
![Image of the security score over time tile](images/new-ssot.png)
You can mouse over specific date points to see the total score for that security control is on a specific date.
## Top recommendations
Reflects specific actions you can take to significantly increase the security stance of your organization and how many points will be added to the secure score if you take the recommended action.
![Top recommendations tile](images/top-recommendations.png)
## Improvement opportunities
Improve your score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control.
Clicking on the affected machines link at the top of the table takes you to the Machines list. The list is filtered to reflect the list of machines where improvements can be made.
![Improvement opportunities](images/io.png)
Within the tile, you can click on each control to see the recommended optimizations.
Clicking the link under the Misconfigured machines column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
## Related topic
- [Threat analytics](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
- [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)

28
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -114,6 +114,8 @@ This rule blocks the following file types from launching from email in Microsoft
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
SCCM name: Block executable content from email client and webmail
@ -126,6 +128,8 @@ This rule blocks Office apps from creating child processes. This includes Word,
This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
Intune name: Office apps launching child processes
SCCM name: Block Office application from creating child processes
@ -138,6 +142,8 @@ This rule prevents Office apps, including Word, Excel, and PowerPoint, from crea
This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
Intune name: Office apps/macros creating executable content
SCCM name: Block Office applications from creating executable content
@ -150,6 +156,8 @@ Attackers might attempt to use Office apps to migrate malicious code into other
This rule applies to Word, Excel, and PowerPoint.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
Intune name: Office apps injecting code into other processes (no exceptions)
SCCM name: Block Office applications from injecting code into other processes
@ -165,6 +173,8 @@ Malware written in JavaScript or VBS often acts as a downloader to fetch and lau
>[!IMPORTANT]
>File and folder exclusions don't apply to this attack surface reduction rule.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
SCCM name: Block JavaScript or VBScript from launching downloaded executable content
@ -175,6 +185,8 @@ GUID: D3E037E1-3EB8-44C8-A917-57927947596D
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
Intune name: Obfuscated js/vbs/ps/macro code
SCCM name: Block execution of potentially obfuscated scripts.
@ -185,6 +197,8 @@ GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using Win32 APIs in VBA macros, which reduces the attack surface.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
Intune name: Win32 imports from Office macro code
SCCM name: Block Win32 API calls from Office macros
@ -205,6 +219,8 @@ This rule blocks the following file types from launching unless they either meet
>
>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
@ -218,6 +234,8 @@ This rule provides an extra layer of protection against ransomware. It scans exe
>[!NOTE]
>You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
Intune name: Advanced ransomware protection
SCCM name: Use advanced protection against ransomware
@ -230,6 +248,8 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i
>[!NOTE]
>In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
Intune name: Flag credential stealing from the Windows local security authority subsystem
@ -247,6 +267,8 @@ This rule blocks processes through PsExec and WMI commands from running, to prev
>[!WARNING]
>Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
Intune name: Process creation from PSExec and WMI commands
SCCM name: Not applicable
@ -260,6 +282,8 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
Intune name: Untrusted and unsigned processes that run from USB
SCCM name: Block untrusted and unsigned processes that run from USB
@ -273,6 +297,8 @@ This rule prevents Outlook from creating child processes. It protects against so
>[!NOTE]
>This rule applies to Outlook and Outlook.com only.
This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810
Intune name: Process creation from Office communication products (beta)
SCCM name: Not yet available
@ -283,6 +309,8 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810
Intune name: Process creation from Adobe Reader (beta)
SCCM name: Not applicable

2
windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
View File

@ -105,7 +105,7 @@ An allowed application or service only has write access to a controlled folder a
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**.
3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access**
3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access**
4. Click **Add an allowed app** and follow the prompts to add apps.

4
windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
View File

@ -50,7 +50,7 @@ You can [export these settings as an XML file](import-export-exploit-protection-
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
3. Go to **Program settings** and choose the app you want to apply mitigations to:
3. Go to **Program settings** and choose the app you want to apply mitigations to:
1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
@ -100,7 +100,7 @@ CFG will be enabled for *miles.exe*.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
3. Go to **Program settings** and choose the app you want to apply mitigations to:
3. Go to **Program settings** and choose the app you want to apply mitigations to:
1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:

13
windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -26,7 +26,7 @@ This can cause devices or software to malfunction and in rare cases may result i
If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
>[!NOTE]
>HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*.
>HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*. AMD CPUs do not have MBE.
>[!TIP]
> "The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the SLAT with a user/kernel executable bit, or the hypervisors software emulation of this feature, called Restricted User Mode (RUM)." Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book
@ -177,11 +177,14 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG
Windows 10 and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
` Get-CimInstance ClassName Win32_DeviceGuard Namespace root\Microsoft\Windows\DeviceGuard`
`Get-CimInstance ClassName Win32_DeviceGuard Namespace root\Microsoft\Windows\DeviceGuard`
> [!NOTE]
> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10.
> [!NOTE]
> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1709.
The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled.
#### AvailableSecurityProperties
@ -275,9 +278,9 @@ C. If you experience a critical error during boot or your system is unstable aft
## How to turn off HVCI on the Windows 10 Fall Creators Update
1. Rename or delete the SIPolicy.p7b file located at C:\Windows\System32\CodeIntegrity.
2. Restart the device.
3. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed.
1. Rename or delete the SIPolicy.p7b file located at C:\Windows\System32\CodeIntegrity.
2. Restart the device.
3. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed.
## HVCI deployment in virtual machines

2
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
View File

@ -44,7 +44,7 @@ You can set mitigations in audit mode for specific programs either by using the
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
3. Go to **Program settings** and choose the app you want to apply mitigations to:
3. Go to **Program settings** and choose the app you want to apply mitigations to:
1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:

8
windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
View File

@ -70,6 +70,9 @@ When you have configured exploit protection to your desired state (including bot
Change `filename` to any name or location of your choosing.
Example command
**Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml**
> [!IMPORTANT]
> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location.
@ -91,6 +94,10 @@ After importing, the settings will be instantly applied and can be reviewed in t
Change `filename` to the location and name of the exploit protection XML file.
Example command
**Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml**
>[!IMPORTANT]
>
>Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
@ -151,6 +158,7 @@ You can use Group Policy to deploy the configuration you've created to multiple
- C:\MitigationSettings\Config.XML
- \\\Server\Share\Config.xml
- https://localhost:8080/Config.xml
- C:\ExploitConfigfile.xml
8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).

3
windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md
View File

@ -24,5 +24,6 @@ manager: dansimp
Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Memory integrity helps block many types of malware from running on computers that run Windows 10 and Windows Server 2016.
> [!NOTE]
> For more information, see [Device protection in Windows Defender Security Center](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).

2
windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
View File

@ -130,7 +130,7 @@ You can manually remove unwanted mitigations in Windows Security, or you can use
Remove-All-SystemMitigations
```
2. Create and import an XML configuration file with the following default mitigations, as described in Import, export, and deploy Exploit Protection configurations:
2. Create and import an XML configuration file with the following default mitigations, as described in Import, export, and deploy Exploit Protection configurations:
```xml
<?xml version="1.0" encoding="UTF-8"?>

10
windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
View File

@ -20,7 +20,7 @@ manager: dansimp
**Applies to**
- Windows 10, version 1709 and later
- Windows 10, version 1809 and above
**Audience**
@ -54,13 +54,13 @@ This can only be done in Group Policy.
>[!IMPORTANT]
>### Requirements
>
>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
>You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Security > Notifications**.
5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below the path would be **Windows components > Windows Defender Security Center > Notifications**
6. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**.
@ -76,13 +76,13 @@ This can only be done in Group Policy.
>[!IMPORTANT]
>### Requirements
>
>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
>You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Security > Notifications**.
5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below the path would be **Windows components > Windows Defender Security Center > Notifications**
6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.

2
windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
View File

@ -57,6 +57,8 @@ When Windows Defender SmartScreen warns or blocks an employee from a website, it
## Viewing Windows event logs for SmartScreen
SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.
> [!NOTE]
> For information on how to use the Event Viewer, see [Windows Event Viewer](https://docs.microsoft.com/host-integration-server/core/windows-event-viewer1).
|EventID | Description |
| :---: | :---: |

2
windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
View File

@ -93,7 +93,7 @@ All other endpoints that do not meet the previously stated criteria are consider
**To configure a GPO that defines your intranet address space**
1. Open the Group Policy Management snap-in (gpmc.msc) and edit the Default Domain Policy.
1. Open the Group Policy Management snap-in (gpmc.msc), right click on the Group Policy you want to use to define your address space, and select **Edit**.
2. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Administrative Templates**, expand **Network**, and click **Network Isolation**.

2
windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md
View File

@ -43,7 +43,7 @@ Microsoft recommends using [the rings methodology](https://docs.microsoft.com/wi
|-------------------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Account Lockout | Account Lockout Duration | 15 | The number of minutes a locked-out account remains locked out before automatically becoming unlocked. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. |
| Account Lockout | Account Lockout Threshold | 10 | The number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. |
| Account Lockout | Reset account lockout conter after | 15 | The number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. |
| Account Lockout | Reset account lockout counter after | 15 | The number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. |
| Password Policy | Enforce password history | 24 | The number of unique new passwords that must be associated with a user account before an old password can be reused. |
| Password Policy | Minimum password length | 14 | The least number of characters that a password for a user account may contain. |
| Password Policy | Password must meet complexity requirements | Enabled | Determines whether passwords must meet complexity requirements:<br>1) Not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither check is case sensitive.<br>The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.<br>2) Contain characters from three of the following categories:<br>- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)<br>- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)<br>- Base 10 digits (0 through 9)<br>-Non-alphanumeric characters (special characters):<br>(~!@#$%^&*_-+=`\|\\(){}[]:;"'<>,.?/)<br>Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.<br>- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. |

2
windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md
View File

@ -40,7 +40,7 @@ This new security configuration framework, which we affectionately nickname the
The security configuration framework divides configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices
(Levels 1, 2, and 3).
Microsofts current guidance on [Privileged Access Workstations](http://aka.ms/privsec) are part of the [Securing Privileged Access roadmap](http://aka.ms/privsec).
Microsofts current guidance on [Privileged Access Workstations](https://aka.ms/privsec) are part of the [Securing Privileged Access roadmap](https://aka.ms/privsec).
Microsoft recommends reviewing and categorizing your devices, and then configuring them using the prescriptive guidance for that level.
Level 1 should be considered the minimum baseline for an enterprise device, and Microsoft recommends increasing the protection based on both threat environment and risk appetite.