Second set of doc updates - machine-->device

This commit is contained in:
ManikaDhiman 2020-05-20 17:41:04 -07:00
parent 2824a5ea3e
commit 813228a677
27 changed files with 286 additions and 286 deletions

View File

@ -30,7 +30,7 @@ ms.date: 11/28/2018
Microsoft Defender ATP supports two ways to manage permissions:
- **Basic permissions management**: Set permissions to either full access or read-only.
- **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to machine groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac.md).
- **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac.md).
> [!NOTE]
> If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch:

View File

@ -30,11 +30,11 @@ ms.date: 11/20/2018
>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
You might want to experience Microsoft Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Microsoft Defender ATP surfaces malicious activity and explore how it enables an efficient response.
You might want to experience Microsoft Defender ATP before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Microsoft Defender ATP surfaces malicious activity and explore how it enables an efficient response.
## Before you begin
To run any of the provided simulations, you need at least [one onboarded machine](onboard-configure.md).
To run any of the provided simulations, you need at least [one onboarded device](onboard-configure.md).
Read the walkthrough document provided with each attack scenario. Each document includes OS and application requirements as well as detailed instructions that are specific to an attack scenario.
@ -44,18 +44,18 @@ Read the walkthrough document provided with each attack scenario. Each document
- **Scenario 1: Document drops backdoor** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control.
- **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and machine learning detection of malicious memory activity.
- **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and device learning detection of malicious memory activity.
- **Scenario 3: Automated incident response** - triggers automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity.
2. Download and read the corresponding walkthrough document provided with your selected scenario.
3. Download the simulation file or copy the simulation script by navigating to **Help** > **Simulations & tutorials**. You can choose to download the file or script on the test machine but it's not mandatory.
3. Download the simulation file or copy the simulation script by navigating to **Help** > **Simulations & tutorials**. You can choose to download the file or script on the test device but it's not mandatory.
4. Run the simulation file or script on the test machine as instructed in the walkthrough document.
4. Run the simulation file or script on the test device as instructed in the walkthrough document.
> [!NOTE]
> Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test machine.
> Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test device.
>
>
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink)
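Review bot: In the Scenario 2 bullet the global machine-to-device replace has turned the term "machine learning" into "device learning", which changes the meaning; restore "showcasing attack surface reduction and machine learning detection of malicious memory activity". The other substitutions in this hunk (test device, onboarded device) read correctly.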
@ -63,5 +63,5 @@ Read the walkthrough document provided with each attack scenario. Each document
## Related topics
- [Onboard machines](onboard-configure.md)
- [Onboard Windows 10 machines](configure-endpoints.md)
- [Onboard devices](onboard-configure.md)
- [Onboard Windows 10 devices](configure-endpoints.md)

View File

@ -1,6 +1,6 @@
---
title: Use attack surface reduction rules to prevent malware infection
description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware.
description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware.
keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -66,7 +66,7 @@ DeviceEvents
You can review the Windows event log to view events generated by attack surface reduction rules:
1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device.
2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer.

View File

@ -23,7 +23,7 @@ During and after an automated investigation, certain remediation actions can be
If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation.
>[!NOTE]
>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the device or device group will be able to view the entire investigation.
## The Action center
@ -62,7 +62,7 @@ On the **Investigations** page, you can view details and use filters to focus on
|**Status** |(See [Automated investigation status](#automated-investigation-status)) |
|**Triggering alert** | The alert that initiated the automated investigation |
|**Detection source** |The source of the alert that initiated the automated investigation |
|**Entities** | Entities can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that were created. |
|**Entities** | Entities can include device or devices, and device groups. You can filter the automated investigations list to zone in a specific device to see other investigations related to the device, or to see specific device groups that were created. |
|**Threat** |The category of threat detected during the automated investigation |
|**Tags** |Filter using manually added tags that capture the context of an automated investigation|
|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't|
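Review bot: The Entities row now reads "Entities can include device or devices, and device groups", which is redundant because the original "device or machines" was already a doubled term; suggest "Entities can include devices and device groups." While this line is being touched, "zone in a specific device" should be "zoom in on a specific device".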
@ -82,7 +82,7 @@ An automated investigation can have one of the following status values:
| Terminated by system | The investigation stopped. An investigation can stop for several reasons:<br/>- The investigation's pending actions expired. Pending actions can time out after awaiting approval for an extended period of time. <br/>- There are too many actions in the list.<br/>Visit the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) to view and approve any pending actions. |
| Failed | At least one investigation analyzer ran into a problem where it could not complete properly. <br/><br/>If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for detailed results. |
| Queued | An investigation is being held in a queue. When other investigations complete, queued investigations begin. |
| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
| Waiting for device | Investigation paused. The investigation will resume as soon as the device is available. |
| Terminated by user | A user stopped the investigation before it could complete. |
@ -90,7 +90,7 @@ An automated investigation can have one of the following status values:
![Image of investigation details window](images/atp-analyze-auto-ir.png)
You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the device that was investigated, and other information.
In this view, you'll see the name of the investigation, when it started and ended.
@ -112,23 +112,23 @@ From this view, you can also view and add comments and tags about the investigat
### Alerts
The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned.
The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the device associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned.
Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing.
Additional alerts seen on a device can be added to an automated investigation as long as the investigation is ongoing.
Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history.
Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related device, logged-on users, and comments and history.
Clicking on an alert title brings you the alert page.
### Machines
The **Machines** tab Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
The **Machines** tab Shows details the device name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
Devices that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more devices are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
Selecting a device using the checkbox brings up the device details pane where you can see more information such as device details and logged-on users.
Clicking on a machine name brings you the machine page.
Clicking on a device name brings you the device page.
### Evidence
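Review bot: The "### Machines" heading and the bold tab name in "The **Machines** tab Shows details the device name…" were left unchanged while the sentence body now says device, so heading, tab name and body disagree. If the portal tab was renamed, change the heading and tab reference to Devices; if it was not, the body should keep matching the UI label. Separately, "Shows details the device name" is missing a word in both the old and new line; suggest "shows details such as the device name".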
@ -140,11 +140,11 @@ The **Entities** tab shows details about entities such as files, process, servic
### Log
The **Log** tab gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
The **Log** tab gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, device name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
Available filters include action type, action, status, machine name, and description.
Available filters include action type, action, status, device name, and description.
You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data.

View File

@ -1,7 +1,7 @@
---
title: Use automated investigations to investigate and remediate threats
description: Understand the automated investigation flow in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: automated, investigation, detection, source, threat types, id, tags, machines, duration, filter export
keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -21,7 +21,7 @@ ms.topic: conceptual
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh]
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly reduce the volume of alerts that must be investigated individually.
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly reduce the volume of alerts that must be investigated individually.
The automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when the investigation was initiated.
@ -30,7 +30,7 @@ The automated investigation feature leverages various inspection algorithms, and
## How the automated investigation starts
When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a machine. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other machines in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
>[!NOTE]
>Currently, automated investigation only supports the following OS versions:
@ -57,28 +57,28 @@ During and after an automated investigation, you can view details about the inve
## How an automated investigation expands its scope
While an investigation is running, any other alerts generated from the machine are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation.
While an investigation is running, any other alerts generated from the device are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.
If an incriminated entity is seen in another machine, the automated investigation process will expand its scope to include that machine, and a general security playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
If an incriminated entity is seen in another device, the automated investigation process will expand its scope to include that device, and a general security playbook will start on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
## How threats are remediated
Depending on how you set up the machine groups and their level of automation, the automated investigation will either require user approval (default) or automatically remediate threats.
Depending on how you set up the device groups and their level of automation, the automated investigation will either require user approval (default) or automatically remediate threats.
You can configure the following levels of automation:
|Automation level | Description|
|---|---|
|No automated response | Machines do not get any automated investigations run on them. |
|No automated response | Devices do not get any automated investigations run on them. |
|Semi - require approval for any remediation | This is the default automation level.<br><br> An approval is needed for any remediation action. |
|Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders. <br><br> Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.|
|Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder. <br><br> Files or executables in all other folders will automatically be remediated if needed.|
|Full - remediate threats automatically | All remediation actions will be performed automatically.|
> [!TIP]
> For more information on how to configure these automation levels, see [Create and manage machine groups](machine-groups.md).
> For more information on how to configure these automation levels, see [Create and manage device groups](machine-groups.md).
The default machine group is configured for semi-automatic remediation. This means that any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** section. This can be changed to fully automatic so that no user approval is needed.
The default device group is configured for semi-automatic remediation. This means that any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** section. This can be changed to fully automatic so that no user approval is needed.
When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.
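Review bot: The tip link text now says "Create and manage device groups" but the target is still machine-groups.md. That is fine if the file is deliberately not being renamed, but confirm that the title of that page was updated in the same pass so the link text and the page title agree.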

View File

@ -26,7 +26,7 @@ ms.collection:
## Overview
Todays threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised machines. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and machine learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security).
Todays threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security).
Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Microsoft Defender ATP components and features work together in behavioral blocking and containment capabilities.
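Review bot: "artificial intelligence (AI) and device learning (ML)" is a search-and-replace error; it must stay "machine learning (ML)". Two pre-existing slips in the same sentence are worth fixing while it is open: "Todays" needs an apostrophe, and "fileless malware and that lives off the land" reads as though a word was dropped; suggest "fileless malware that lives off the land".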
@ -50,7 +50,7 @@ The following image shows an example of an alert that was triggered by behaviora
- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)** Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center [https://securitycenter.windows.com](https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
- **Client behavioral blocking** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
- **Client behavioral blocking** Threats on endpoints are detected through device learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
- **Feedback-loop blocking** (also referred to as rapid protection) Threat detections that are assumed to be false negatives are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
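Review bot: "detected through device learning" in the Client behavioral blocking bullet is the same replace error as elsewhere in this commit; restore "machine learning".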
@ -64,15 +64,15 @@ Expect more to come in the area of behavioral blocking and containment, as Micro
As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the users device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server.
Behavior-based machine learning models in Microsoft Defender ATP caught and stopped the attackers techniques at two points in the attack chain:
- The first protection layer detected the exploit behavior. Machine learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack.
Behavior-based device learning models in Microsoft Defender ATP caught and stopped the attackers techniques at two points in the attack chain:
- The first protection layer detected the exploit behavior. Device learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack.
- The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot).
While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)):
:::image type="content" source="images/behavblockcontain-initialaccessalert.png" alt-text="Initial access alert in the Microsoft Defender Security Center":::
This example shows how behavior-based machine learning models in the cloud add new layers of protection against attacks, even after they have started running.
This example shows how behavior-based device learning models in the cloud add new layers of protection against attacks, even after they have started running.
### Example 2: NTML relay - Juicy Potato malware variant
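Review bot: Three more occurrences of the replace error in this hunk: "Behavior-based device learning models" (twice) and "Device learning classifiers" should all read "machine learning". Also in this passage, "correctly identified the threat as and immediately instructed" is missing the verdict after "as" in both the old and the new line, and the following context heading "NTML relay" should be "NTLM relay".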

View File

@ -1,6 +1,6 @@
---
title: Check the health state of the sensor in Microsoft Defender ATP
description: Check the sensor health on machines to identify which ones are misconfigured, inactive, or are not reporting sensor data.
description: Check the sensor health on devices to identify which ones are misconfigured, inactive, or are not reporting sensor data.
keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -25,33 +25,33 @@ ms.date: 04/24/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
The sensor health tile is found on the Security Operations dashboard. This tile provides information on the individual machines ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
The sensor health tile is found on the Security Operations dashboard. This tile provides information on the individual devices ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues.
There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service:
- **Misconfigured** - These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
- **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month.
There are two status indicators on the tile that provide information on the number of devices that are not reporting properly to the service:
- **Misconfigured** - These devices might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month.
Clicking any of the groups directs you to Machines list, filtered according to your choice.
Clicking any of the groups directs you to Devices list, filtered according to your choice.
You can also download the entire list in CSV format using the **Export to CSV** feature. For more information on filters, see [View and organize the Machines list](machines-view-overview.md).
You can also download the entire list in CSV format using the **Export to CSV** feature. For more information on filters, see [View and organize the Devices list](machines-view-overview.md).
You can filter the health state list by the following status:
- **Active** - Machines that are actively reporting to the Microsoft Defender ATP service.
- **Misconfigured** - These machines might partially be reporting sensor data to the Microsoft Defender ATP service but have configuration errors that need to be corrected. Misconfigured machines can have either one or a combination of the following issues:
- **No sensor data** - Machines has stopped sending sensor data. Limited alerts can be triggered from the machine.
- **Impaired communications** - Ability to communicate with machine is impaired. Sending files for deep analysis, blocking files, isolating machine from network and other actions that require communication with the machine may not work.
- **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service.
- **Active** - Devices that are actively reporting to the Microsoft Defender ATP service.
- **Misconfigured** - These devices might partially be reporting sensor data to the Microsoft Defender ATP service but have configuration errors that need to be corrected. Misconfigured devices can have either one or a combination of the following issues:
- **No sensor data** - Devices has stopped sending sensor data. Limited alerts can be triggered from the device.
- **Impaired communications** - Ability to communicate with device is impaired. Sending files for deep analysis, blocking files, isolating device from network and other actions that require communication with the device may not work.
- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service.
You can view the machine details when you click on a misconfigured or inactive machine.
You can view the device details when you click on a misconfigured or inactive device.
![Microsoft Defender ATP sensor filter](images/atp-machine-health-details.png)
In the **Machines list**, you can download a full list of all the machines in your organization in a CSV format.
In the **Devices list**, you can download a full list of all the devices in your organization in a CSV format.
>[!NOTE]
>Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is.
>Export the list in CSV format to display the unfiltered data. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is.
## Related topic
- [Fix unhealthy sensors in Microsoft Defender ATP](fix-unhealthy-sensors.md)
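Review bot: "Devices has stopped sending sensor data" in the **No sensor data** bullet carries the subject-verb mismatch over from "Machines has stopped"; make it "Devices have stopped". In the same group, "Ability to communicate with device is impaired" and "directs you to Devices list" each drop a "the" ("with the device", "to the Devices list"). The link labels now read "Devices list" while still pointing at machines-view-overview.md, which is fine only if that file is not renamed in this commit.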


@ -1,6 +1,6 @@
---
title: Collect investigation package API
description: Use this API to create calls related to the collecting an investigation package from a machine.
description: Use this API to create calls related to the collecting an investigation package from a device.
keywords: apis, graph api, supported apis, collect investigation package
search.product: eADQiWindows 10XVcnh
ms.prod: w10
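Review bot: "related to the collecting an investigation package" in the description keeps a stray article from the original; while this line is being rewritten, make it "related to collecting an investigation package from a device".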
@ -24,7 +24,7 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Collect investigation package from a machine.
Collect investigation package from a device.
## Limitations
@ -42,7 +42,7 @@ Delegated (work or school account) | Machine.CollectForensics | 'Collect forensi
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
```
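Review bot: the renamed link text "Create and manage device groups" still targets machine-groups.md, consistent with the other topics in this commit; the hunk header's Machine.CollectForensics is an API permission scope, not prose, and correctly stays untouched by the machine-to-device sweep.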


@ -37,7 +37,7 @@ The following OS versions are supported:
- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/en-us/help/4490481))
>[!NOTE]
>A patch must be deployed before machine onboarding in order to configure Microsoft Defender ATP to the correct environment.
>A patch must be deployed before device onboarding in order to configure Microsoft Defender ATP to the correct environment.
The following OS versions are not supported:
- Windows Server 2008 R2 SP1
@ -67,7 +67,7 @@ The following capabilities are not currently available:
The following capabilities are not currently available:
- Threat protection report
- Machine health and compliance report
- Device health and compliance report
- Integration with third-party products
@ -92,7 +92,7 @@ You'll need to ensure that traffic from the following are allowed:
Service location | DNS record
:---|:---
Common URLs for all locations (Global location) | ```crl.microsoft.com```<br>```ctldl.windowsupdate.com```<br>```notify.windows.com```<br>```settings-win.data.microsoft.com``` <br><br> NOTE: ```settings-win.data.microsoft.com``` is only needed on Windows 10 machines running version 1803 or earlier.
Common URLs for all locations (Global location) | ```crl.microsoft.com```<br>```ctldl.windowsupdate.com```<br>```notify.windows.com```<br>```settings-win.data.microsoft.com``` <br><br> NOTE: ```settings-win.data.microsoft.com``` is only needed on Windows 10 devices running version 1803 or earlier.
Microsoft Defender ATP GCC High specific | ```us4-v20.events.data.microsoft.com``` <br>```winatp-gw-usgt.microsoft.com```<br>```winatp-gw-usgv.microsoft.com```<br>```*.blob.core.usgovcloudapi.net```


@ -41,7 +41,7 @@ The compliance policy is used with Conditional Access to allow only devices that
## Understand the Conditional Access flow
Conditional Access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated.
The flow begins with machines being seen to have a low, medium, or high risk. These risk determinations are then sent to Intune.
The flow begins with devices being seen to have a low, medium, or high risk. These risk determinations are then sent to Intune.
Depending on how you configure policies in Intune, Conditional Access can be set up so that when certain conditions are met, the policy is applied.
@ -55,8 +55,8 @@ To resolve the risk found on a device, you'll need to return the device to a com
There are three ways to address a risk:
1. Use Manual or automated remediation.
2. Resolve active alerts on the machine. This will remove the risk from the machine.
3. You can remove the machine from the active policies and consequently, Conditional Access will not be applied on the machine.
2. Resolve active alerts on the device. This will remove the risk from the device.
3. You can remove the device from the active policies and consequently, Conditional Access will not be applied on the device.
Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure Conditional Access](configure-conditional-access.md).
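Review bot: step 1, "Use Manual or automated remediation", has an unexplained capital on "Manual" that the other list items do not share; lowercase it. In step 3, "You can remove the device from the active policies and consequently, Conditional Access will not be applied on the device" reads more cleanly as "Remove the device from the active policies; Conditional Access will then not be applied to the device."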


@ -1,6 +1,6 @@
---
title: Overview of Configuration score in Microsoft Defender Security Center
description: Your configuration score shows the collective security configuration state of your machines across application, operating system, network, accounts, and security controls
description: Your configuration score shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls
keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -25,7 +25,7 @@ ms.topic: conceptual
>[!NOTE]
> Secure score is now part of Threat & Vulnerability Management as Configuration score.
Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your machines across the following categories:
Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your devices across the following categories:
- Application
- Operating system
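Review bot: "more resilient from cybersecurity threat attacks" is not idiomatic; "more resilient to cybersecurity threats" says the same thing. The same sentence switches between "Configuration score" and "configuration score"; pick one casing for the feature name.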


@ -27,7 +27,7 @@ This section guides you through the steps you need to take to configure Threat &
### Before you begin
> [!IMPORTANT]
> Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices threat and vulnerability exposure data.</br>
> Threat & Vulnerability Management data currently supports Windows 10 devices. Upgrade to Windows 10 to account for the rest of your devices threat and vulnerability exposure data.</br>
Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft Endpoint Configuration Manager.
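Review bot: "your devices threat and vulnerability exposure data" needs the possessive "devices'". The IMPORTANT callout also ends with "</br>", which is not a valid tag (the void element is "<br>"); drop it or replace it with "<br>".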


@ -32,7 +32,7 @@ You'll need to install and configure some files and tools to use Micro Focus Arc
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
## Before you begin
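Review bot: "is composed from the suspicious event occurred on the Device and its related Alert details" is missing a relative clause and capitalizes common nouns; suggest "is composed of the suspicious event that occurred on the device and its related alert details".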


@ -37,7 +37,7 @@ To configure automated investigation and remediation, you [turn on the features]
## Set up device groups
1. In the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), on the **Settings** page, under **Permissions**, select **Device groups**.
2. Select **+ Add machine group**.
2. Select **+ Add device group**.
3. Create at least one device group, as follows:
- Specify a name and description for the device group.
- In the **Automation level list**, select a level, such as **Full remediate threats automatically**. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
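Review bot: "**+ Add device group**" is a bolded UI label, so it must match the string the portal actually shows rather than follow the terminology sweep; confirm the button has been renamed in the product before changing it here, otherwise readers will not find it.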


@ -32,15 +32,15 @@ You can configure Microsoft Defender ATP to send email notifications to specifie
You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue.md).
If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine groups that were configured in the notification rule.
Users with the proper permission can only create, edit, or delete notifications that are limited to their machine group management scope.
Only users assigned to the Global administrator role can manage notification rules that are configured for all machine groups.
If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule.
Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope.
Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups.
The email notification includes basic information about the alert and a link to the portal where you can do further investigation.
## Create rules for alert notifications
You can create rules that determine the machines and alert severities to send email notifications for and the notification recipients.
You can create rules that determine the devices and alert severities to send email notifications for and the notification recipients.
1. In the navigation pane, select **Settings** > **Alert notifications**.
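Review bot: "determine the devices and alert severities to send email notifications for and the notification recipients" is hard to parse; suggest "determine which devices and alert severities trigger email notifications, and who receives them".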
@ -51,12 +51,12 @@ You can create rules that determine the machines and alert severities to send em
- **Rule name** - Specify a name for the notification rule.
- **Include organization name** - Specify the customer name that appears on the email notification.
- **Include tenant-specific portal link** - Adds a link with the tenant ID to allow access to a specific tenant.
- **Include machine information** - Includes the machine name in the email alert body.
- **Include device information** - Includes the device name in the email alert body.
>[!NOTE]
> This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Microsoft Defender ATP data.
- **Machines** - Choose whether to notify recipients for alerts on all machines (Global administrator role only) or on selected machine groups. For more information, see [Create and manage machine groups](machine-groups.md).
- **Devices** - Choose whether to notify recipients for alerts on all devices (Global administrator role only) or on selected device groups. For more information, see [Create and manage device groups](machine-groups.md).
- **Alert severity** - Choose the alert severity level.
4. Click **Next**.


@ -1,7 +1,7 @@
---
title: Onboard Windows 10 devices to Microsoft Defender ATP via Group Policy
description: Use Group Policy to deploy the configuration package on Windows 10 machines so that they are onboarded to the service.
keywords: configure machines using group policy, machine management, configure Windows ATP machines, onboard Microsoft Defender Advanced Threat Protection machines, group policy
description: Use Group Policy to deploy the configuration package on Windows 10 devices so that they are onboarded to the service.
keywords: configure devices using group policy, device management, configure Windows ATP devices, onboard Microsoft Defender Advanced Threat Protection devices, group policy
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -18,7 +18,7 @@ ms.topic: article
ms.date: 04/24/2018
---
# Onboard Windows 10 machines using Group Policy
# Onboard Windows 10 devices using Group Policy
**Applies to:**
@ -37,7 +37,7 @@ ms.date: 04/24/2018
> For Windows Server 2019, you may need to replace NT AUTHORITY\Well-Known-System-Account with NT AUTHORITY\SYSTEM of the XML file that the Group Policy preference creates.
## Onboard machines using Group Policy
## Onboard devices using Group Policy
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Onboarding**.
@ -48,7 +48,7 @@ ms.date: 04/24/2018
d. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
@ -65,15 +65,15 @@ ms.date: 04/24/2018
9. Click **OK** and close any open GPMC windows.
>[!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md).
> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md).
## Additional Microsoft Defender ATP configuration settings
For each machine, you can state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
For each device, you can state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
### Configure sample collection settings
1. On your GP management machine, copy the following files from the
1. On your GP management device, copy the following files from the
configuration package:
a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_
@ -95,17 +95,17 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
5. Click **Windows components** and then **Windows Defender ATP**.
6. Choose to enable or disable sample sharing from your machines.
6. Choose to enable or disable sample sharing from your devices.
>[!NOTE]
> If you don't set a value, the default value is to enable sample collection.
## Offboard machines using Group Policy
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
## Offboard devices using Group Policy
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
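Review bot: in the offboarding paragraph, "Offboard" is capitalized mid-sentence and "packages expiry date" needs the possessive "package's". The NOTE's "otherwise this will cause unpredictable collisions" reads better as "because doing so causes unpredictable collisions".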
@ -117,7 +117,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
d. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
@ -134,25 +134,25 @@ For security reasons, the package used to Offboard machines will expire 30 days
9. Click **OK** and close any open GPMC windows.
> [!IMPORTANT]
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
## Monitor machine configuration
With Group Policy there isnt an option to monitor deployment of policies on the machines. Monitoring can be done directly on the portal, or by using the different deployment tools.
## Monitor device configuration
With Group Policy there isnt an option to monitor deployment of policies on the devices. Monitoring can be done directly on the portal, or by using the different deployment tools.
## Monitor machines using the portal
## Monitor devices using the portal
1. Go to [Microsoft Defender Security Center](https://securitycenter.windows.com/).
2. Click **Machines list**.
3. Verify that machines are appearing.
2. Click **Devices list**.
3. Verify that devices are appearing.
> [!NOTE]
> It can take several days for machines to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the machine, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
> It can take several days for devices to start showing on the **Devices list**. This includes the time it takes for the policies to be distributed to the device, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
## Related topics
- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP machines](run-detection-test.md)
- [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP devices](run-detection-test.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
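Review bot: the last related-topics link, "Run a detection test on a newly onboarded Microsoft Defender ATP devices", mixes "a" with a plural; the same link in the MDM topic in this commit uses the singular "device", so use that here too. "**Devices list**" in the monitoring steps is a UI label and needs to match the portal string.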


@ -1,7 +1,7 @@
---
title: Onboard Windows 10 machines using Mobile Device Management tools
description: Use Mobile Device Management tools to deploy the configuration package on machines so that they are onboarded to the service.
keywords: onboard machines using mdm, machine management, onboard Windows ATP machines, onboard Microsoft Defender Advanced Threat Protection machines, mdm
title: Onboard Windows 10 devices using Mobile Device Management tools
description: Use Mobile Device Management tools to deploy the configuration package on devices so that they are onboarded to the service.
keywords: onboard devices using mdm, device management, onboard Windows ATP devices, onboard Microsoft Defender Advanced Threat Protection devices, mdm
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -18,7 +18,7 @@ ms.topic: article
ms.date: 12/06/2018
---
# Onboard Windows 10 machines using Mobile Device Management tools
# Onboard Windows 10 devices using Mobile Device Management tools
**Applies to:**
@ -27,7 +27,7 @@ ms.date: 12/06/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink)
You can use mobile device management (MDM) solutions to configure machines. Microsoft Defender ATP supports MDMs by providing OMA-URIs to create policies to manage machines.
You can use mobile device management (MDM) solutions to configure devices. Microsoft Defender ATP supports MDMs by providing OMA-URIs to create policies to manage devices.
For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
@ -36,7 +36,7 @@ If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwi
For more information on enabling MDM with Microsoft Intune, see [Device enrollment (Microsoft Intune)](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
## Onboard machines using Microsoft Intune
## Onboard devices using Microsoft Intune
Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
@ -44,18 +44,18 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh
> [!NOTE]
> - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
> - Configuration of diagnostic data reporting frequency is only available for machines on Windows 10, version 1703.
> - The **Health Status for onboarded devices** policy uses read-only properties and can't be remediated.
> - Configuration of diagnostic data reporting frequency is only available for devices on Windows 10, version 1703.
>[!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md).
> After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md).
## Offboard and monitor machines using Mobile Device Management tools
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
## Offboard and monitor devices using Mobile Device Management tools
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
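Review bot: "**Health Status for onboarded devices**" (and the offboarded counterpart in the next hunk) are names of settings defined by the WindowsAdvancedThreatProtection CSP linked earlier in this topic; confirm the setting labels were renamed in the CSP before renaming them in the docs, otherwise the bold text will no longer match what Intune shows. The offboarding paragraph repeats the mid-sentence "Offboard" capitalization and "packages expiry date" (should be "package's") seen in the Group Policy topic.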
@ -79,15 +79,15 @@ For more information on Microsoft Intune policy settings see, [Windows 10 policy
> [!NOTE]
> The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated.
> The **Health Status for offboarded devices** policy uses read-only properties and can't be remediated.
> [!IMPORTANT]
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md)
- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)


@ -1,7 +1,7 @@
---
title: Onboard non-Windows machines to the Microsoft Defender ATP service
description: Configure non-Windows machines so that they can send sensor data to the Microsoft Defender ATP service.
keywords: onboard non-Windows machines, macos, linux, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines
title: Onboard non-Windows devices to the Microsoft Defender ATP service
description: Configure non-Windows devices so that they can send sensor data to the Microsoft Defender ATP service.
keywords: onboard non-Windows devices, macos, linux, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Onboard non-Windows machines
# Onboard non-Windows devices
**Applies to:**
@ -31,12 +31,12 @@ Microsoft Defender ATP provides a centralized security operations experience for
You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP for the integration to work.
## Onboarding non-Windows machines
You'll need to take the following steps to onboard non-Windows machines:
## Onboarding non-Windows devices
You'll need to take the following steps to onboard non-Windows devices:
1. Select your preferred method of onboarding:
- For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac).
- For other non-Windows devices choose **Onboard non-Windows machines through third-party integration**.
- For other non-Windows devices choose **Onboard non-Windows devices through third-party integration**.
1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed.
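Review bot: "**Onboard non-Windows devices through third-party integration**" is the label of a portal option; verify the product string was changed before renaming it in the docs. Also, the two top-level steps both start with "1."; if the intent is Markdown auto-numbering that is fine, but as written the second one reads as a restart of the list.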
@ -49,7 +49,7 @@ You'll need to take the following steps to onboard non-Windows machines:
2. Run a detection test by following the instructions of the third-party solution.
## Offboard non-Windows machines
## Offboard non-Windows devices
1. Follow the third-party's documentation to disconnect the third-party solution from Microsoft Defender ATP.
@ -61,7 +61,7 @@ You'll need to take the following steps to onboard non-Windows machines:
## Related topics
- [Onboard Windows 10 machines](configure-endpoints.md)
- [Onboard Windows 10 devices](configure-endpoints.md)
- [Onboard servers](configure-server-endpoints.md)
- [Configure proxy and Internet connectivity settings](configure-proxy-internet.md)
- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)


@ -1,7 +1,7 @@
---
title: Onboard Windows 10 machines using Configuration Manager
description: Use Configuration Manager to deploy the configuration package on machines so that they are onboarded to the service.
keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines
title: Onboard Windows 10 devices using Configuration Manager
description: Use Configuration Manager to deploy the configuration package on devices so that they are onboarded to the service.
keywords: onboard devices using sccm, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
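Review bot: the `keywords` line drops every "machine" term; readers searching with the old terminology will no longer hit this page, so consider keeping both forms (for example `onboard machines using sccm, onboard devices using sccm`) rather than replacing them outright. The same applies to the `keywords` lines in the other files in this commit.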
@ -18,7 +18,7 @@ ms.topic: article
ms.date: 02/07/2020
---
# Onboard Windows 10 machines using Configuration Manager
# Onboard Windows 10 devices using Configuration Manager
**Applies to:**
@ -30,17 +30,17 @@ ms.date: 02/07/2020
<span id="sccm1606"/>
## Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager current branch
## Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager current branch
Configuration Manager current branch has integrated support to configure and manage Microsoft Defender ATP on managed devices. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection).
<span id="sccm1602"/>
## Onboard Windows 10 machines using earlier versions of System Center Configuration Manager
## Onboard Windows 10 devices using earlier versions of System Center Configuration Manager
You can use existing Configuration Manager functionality to create a policy to configure your machines. This action is supported in System Center 2012 R2 Configuration Manager.
You can use existing Configuration Manager functionality to create a policy to configure your devices. This action is supported in System Center 2012 R2 Configuration Manager.
### Onboard machines using System Center Configuration Manager
### Onboard devices using System Center Configuration Manager
1. Open the Configuration Manager configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
@ -62,10 +62,10 @@ You can use existing Configuration Manager functionality to create a policy to c
> Microsoft Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading.
>[!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md).
> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md).
>
> Note that it is possible to create a detection rule on a Configuration Manager application to continuously check if a machine has been onboarded. An application is a different type of object than a package and program.
> If a machine is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the machine until the rule detects the status change.
> Note that it is possible to create a detection rule on a Configuration Manager application to continuously check if a device has been onboarded. An application is a different type of object than a package and program.
> If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the device until the rule detects the status change.
>
> This behavior can be accomplished by creating a detection rule checking if the "OnboardingState" registry value (of type REG_DWORD) = 1.
> This registry value is located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status".
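Review bot: "verify that an device is properly onboarded" in the TIP should read "a device"; the article was already wrong ("an machine") and the find-and-replace carried it over. Since the line is being rewritten anyway, fix it here.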
@ -73,10 +73,10 @@ For more information, see [Configure Detection Methods in System Center 2012 R2
### Configure sample collection settings
For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a machine.
This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure theyre complaint.
You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a device.
This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted devices to make sure theyre complaint.
The configuration is set through the following registry key entry:
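Review bot: "to make sure theyre complaint" on the rewritten line still has two typos that belong in the same pass: "theyre" needs an apostrophe and "complaint" should be "compliant".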
@ -88,8 +88,8 @@ Value: 0 or 1
Where:<br>
Key type is a D-WORD. <br>
Possible values are:
- 0 - doesn't allow sample sharing from this machine
- 1 - allows sharing of all file types from this machine
- 0 - doesn't allow sample sharing from this device
- 1 - allows sharing of all file types from this device
The default value in case the registry key doesnt exist is 1.
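Review bot: the context line "Key type is a D-WORD." describes the registry value, not the key, and the equivalent passage in configure-endpoints-script.md says "Name type is a D-WORD", so the two pages disagree; "The value type is REG_DWORD" would be accurate in both.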
@ -97,18 +97,18 @@ For more information about System Center Configuration Manager Compliance see [I
## Offboard machines using Configuration Manager
## Offboard devices using Configuration Manager
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
### Offboard machines using Microsoft Endpoint Configuration Manager current branch
### Offboard devices using Microsoft Endpoint Configuration Manager current branch
If you use Microsoft Endpoint Configuration Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file).
### Offboard machines using System Center 2012 R2 Configuration Manager
### Offboard devices using System Center 2012 R2 Configuration Manager
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
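Review bot: "Expired offboarding packages sent to an device" should be "to a device"; in the same sentence "Offboard" is capitalized mid-sentence and "packages expiry date" needs an apostrophe ("package's"). The identical sentence recurs in configure-endpoints-script.md and should get the same fix.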
@ -127,18 +127,18 @@ If you use Microsoft Endpoint Configuration Manager current branch, see [Create
a. Choose a predefined device collection to deploy the package to.
> [!IMPORTANT]
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
## Monitor machine configuration
## Monitor device configuration
If you're using Microsoft Endpoint Configuration Manager current branch, use the built-in Microsoft Defender ATP dashboard in the Configuration Manager console. For more information, see [Microsoft Defender Advanced Threat Protection - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor).
If you're using System Center 2012 R2 Configuration Manager, monitoring consists of two parts:
1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the machines in your network.
1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the devices in your network.
2. Checking that the machines are compliant with the Microsoft Defender ATP service (this ensures the machine can complete the onboarding process and can continue to report data to the service).
2. Checking that the devices are compliant with the Microsoft Defender ATP service (this ensures the device can complete the onboarding process and can continue to report data to the service).
### Confirm the configuration package has been correctly deployed
@ -150,15 +150,15 @@ If you're using System Center 2012 R2 Configuration Manager, monitoring consists
4. Review the status indicators under **Completion Statistics** and **Content Status**.
If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
![Configuration Manager showing successful deployment with no errors](images/sccm-deployment.png)
### Check that the machines are compliant with the Microsoft Defender ATP service
### Check that the devices are compliant with the Microsoft Defender ATP service
You can set a compliance rule for configuration item in System Center 2012 R2 Configuration Manager to monitor your deployment.
This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines.
This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted devices.
Monitor the following registry key entry:
```
@ -169,9 +169,9 @@ Value: “1”
For more information, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md)
- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)

View File

@ -1,7 +1,7 @@
---
title: Onboard Windows 10 machines using a local script
description: Use a local script to deploy the configuration package on machines so that they are onboarded to the service.
keywords: configure machines using a local script, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines
title: Onboard Windows 10 devices using a local script
description: Use a local script to deploy the configuration package on devices so that they are onboarded to the service.
keywords: configure devices using a local script, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Onboard Windows 10 machines using a local script
# Onboard Windows 10 devices using a local script
**Applies to:**
@ -29,12 +29,12 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
You can also manually onboard individual machines to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all machines in your network.
You can also manually onboard individual devices to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all devices in your network.
> [!NOTE]
> The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 machines](configure-endpoints.md).
> The script has been optimized to be used on a limited number of devices (1-10 devices). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 devices](configure-endpoints.md).
## Onboard machines
## Onboard devices
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Onboarding**.
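Review bot: "see [Onboard Window 10 devices]" in the NOTE should be "Windows 10"; the typo predates this change but the line is being rewritten anyway.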
@ -46,9 +46,9 @@ You can also manually onboard individual machines to Microsoft Defender ATP. You
d. Click **Download package** and save the .zip file.
2. Extract the contents of the configuration package to a location on the machine you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
2. Extract the contents of the configuration package to a location on the device you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
3. Open an elevated command-line prompt on the machine and run the script:
3. Open an elevated command-line prompt on the device and run the script:
a. Go to **Start** and type **cmd**.
@ -60,16 +60,16 @@ You can also manually onboard individual machines to Microsoft Defender ATP. You
5. Press the **Enter** key or click **OK**.
For information on how you can manually validate that the machine is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
For information on how you can manually validate that the device is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
>[!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
## Configure sample collection settings
For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
You can manually configure the sample sharing setting on the machine by using *regedit* or creating and running a *.reg* file.
You can manually configure the sample sharing setting on the device by using *regedit* or creating and running a *.reg* file.
The configuration is set through the following registry key entry:
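Review bot: "verify that an device is properly onboarded" should be "a device", and the link text "Microsoft Defender ATP endpoint" is inconsistent with the rest of this rename; the same TIP in configure-endpoints-sccm.md now says "device".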
@ -81,17 +81,17 @@ Value: 0 or 1
Where:<br>
Name type is a D-WORD. <br>
Possible values are:
- 0 - doesn't allow sample sharing from this machine
- 1 - allows sharing of all file types from this machine
- 0 - doesn't allow sample sharing from this device
- 1 - allows sharing of all file types from this device
The default value in case the registry key doesnt exist is 1.
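Review bot: "Name type is a D-WORD." (context line) is the one place that calls the registry value a "Name", while configure-endpoints-sccm.md says "Key type"; both mean the REG_DWORD value type, so align the wording across the two pages.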
## Offboard machines using a local script
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
## Offboard devices using a local script
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
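Review bot: same sentence as in configure-endpoints-sccm.md: "sent to an device" should be "to a device", "Offboard" should be lowercase mid-sentence, and "packages expiry date" needs an apostrophe.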
@ -103,9 +103,9 @@ For security reasons, the package used to Offboard machines will expire 30 days
d. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machines. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open an elevated command-line prompt on the machine and run the script:
3. Open an elevated command-line prompt on the device and run the script:
a. Go to **Start** and type **cmd**.
@ -118,26 +118,26 @@ For security reasons, the package used to Offboard machines will expire 30 days
5. Press the **Enter** key or click **OK**.
> [!IMPORTANT]
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
## Monitor machine configuration
## Monitor device configuration
You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding.md) to verify that the script completed successfully and the agent is running.
Monitoring can also be done directly on the portal, or by using the different deployment tools.
### Monitor machines using the portal
### Monitor devices using the portal
1. Go to Microsoft Defender Security Center.
2. Click **Machines list**.
2. Click **Devices list**.
3. Verify that machines are appearing.
3. Verify that devices are appearing.
## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md)
- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
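Review bot: **Devices list** in step 2 is a portal navigation label; confirm the Security Center navigation pane has actually been renamed from **Machines list** before the docs change, otherwise the step points at a non-existent menu item. The same label appears in step 7 of configure-endpoints-vdi.md.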

View File

@ -1,7 +1,7 @@
---
title: Onboard non-persistent virtual desktop infrastructure (VDI) machines
description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Microsoft Defender ATP the service.
keywords: configure virtual desktop infrastructure (VDI) machine, vdi, machine management, configure Windows ATP endpoints, configure Microsoft Defender Advanced Threat Protection endpoints
title: Onboard non-persistent virtual desktop infrastructure (VDI) devices
description: Deploy the configuration package on virtual desktop infrastructure (VDI) device so that they are onboarded to Microsoft Defender ATP the service.
keywords: configure virtual desktop infrastructure (VDI) device, vdi, device management, configure Windows ATP endpoints, configure Microsoft Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
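Review bot: the rewritten `description` line still reads "on virtual desktop infrastructure (VDI) device so that they are onboarded to Microsoft Defender ATP the service": singular "device" disagrees with "they", and "the service" is misplaced. Suggested: "Deploy the configuration package on virtual desktop infrastructure (VDI) devices so that they are onboarded to the Microsoft Defender ATP service."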
@ -18,30 +18,30 @@ ms.topic: article
ms.date: 04/16/2020
---
# Onboard non-persistent virtual desktop infrastructure (VDI) machines
# Onboard non-persistent virtual desktop infrastructure (VDI) devices
**Applies to:**
- Virtual desktop infrastructure (VDI) machines
- Virtual desktop infrastructure (VDI) devices
>[!WARNING]
> Micrsosoft Defender ATP currently does not support Windows Virtual Desktop multi-user session.
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
## Onboard non-persistent virtual desktop infrastructure (VDI) machines
## Onboard non-persistent virtual desktop infrastructure (VDI) devices
Microsoft Defender ATP supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:
- Instant early onboarding of a short-lived sessions, which must be onboarded to Microsoft Defender ATP prior to the actual provisioning.
- The machine name is typically reused for new sessions.
- The device name is typically reused for new sessions.
VDI machines can appear in Microsoft Defender ATP portal as either:
VDI devices can appear in Microsoft Defender ATP portal as either:
- Single entry for each machine.
Note that in this case, the *same* machine name must be configured when the session is created, for example using an unattended answer file.
- Multiple entries for each machine - one for each session.
- Single entry for each device.
Note that in this case, the *same* device name must be configured when the session is created, for example using an unattended answer file.
- Multiple entries for each device - one for each session.
The following steps will guide you through onboarding VDI machines and will highlight steps for single and multiple entries.
The following steps will guide you through onboarding VDI devices and will highlight steps for single and multiple entries.
>[!WARNING]
> For environments where there are low resource configurations, the VDI boot procedure might slow the Microsoft Defender ATP sensor onboarding.
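Review bot: two typos in the context lines of this section are worth fixing while it is being touched: "Micrsosoft" in the WARNING, and "a short-lived sessions" in the first bullet ("short-lived sessions").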
@ -61,8 +61,8 @@ The following steps will guide you through onboarding VDI machines and will high
>[!NOTE]
>If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
3. The following step is only applicable if you're implementing a single entry for each machine: <br>
**For single entry for each machine**:<br>
3. The following step is only applicable if you're implementing a single entry for each device: <br>
**For single entry for each device**:<br>
a. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. <br>
>[!NOTE]
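Review bot: the script file name `Onboard-NonPersistentMachine.ps1` correctly keeps "Machine", because that is the name shipped inside the onboarding package, as does the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` path; double-check that the machine-to-device replacement was not applied to any file names, registry paths or folder paths elsewhere in the set, since those are identifiers, not prose.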
@ -71,30 +71,30 @@ The following steps will guide you through onboarding VDI machines and will high
4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
>[!NOTE]
>Domain Group Policy may also be used for onboarding non-persistent VDI machines.
>Domain Group Policy may also be used for onboarding non-persistent VDI devices.
5. Depending on the method you'd like to implement, follow the appropriate steps: <br>
**For single entry for each machine**:<br>
**For single entry for each device**:<br>
Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. <br><br>
**For multiple entries for each machine**:<br>
**For multiple entries for each device**:<br>
Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`.
6. Test your solution:
a. Create a pool with one machine.
a. Create a pool with one device.
b. Logon to machine.
b. Logon to device.
c. Logoff from machine.
c. Logoff from device.
d. Logon to machine with another user.
d. Logon to device with another user.
e. **For single entry for each machine**: Check only one entry in Microsoft Defender Security Center.<br>
**For multiple entries for each machine**: Check multiple entries in Microsoft Defender Security Center.
e. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.<br>
**For multiple entries for each device**: Check multiple entries in Microsoft Defender Security Center.
7. Click **Machines list** on the Navigation pane.
7. Click **Devices list** on the Navigation pane.
8. Use the search function by entering the machine name and select **Machine** as search type.
8. Use the search function by entering the device name and select **Device** as search type.
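Review bot: steps 6b to 6d use "Logon" and "Logoff" as verbs; "Log on to the device", "Log off from the device" and "Log on to the device with another user" read correctly and add the missing article. Also, the step 5 context line calls `WindowsDefenderATPOnboardingScript.cmd` an "onboarding bash script"; it is a Windows batch (.cmd) script.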
## Updating non-persistent virtual desktop infrastructure (VDI) images
As a best practice, we recommend using offline servicing tools to patch golden/master images.<br>
@ -113,7 +113,7 @@ For more information on DISM commands and offline servicing, please refer to the
If offline servicing is not a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health:
1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Microsoft Defender ATP sensor. For more information, see [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script).
1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Microsoft Defender ATP sensor. For more information, see [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script).
2. Ensure the sensor is stopped by running the command below in a CMD window:
@ -135,8 +135,8 @@ If offline servicing is not a viable option for your non-persistent VDI environm
5. Re-seal the golden/master image as you normally would.
## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)

View File

@ -1,7 +1,7 @@
---
title: Onboarding tools and methods for Windows 10 machines
description: Onboard Windows 10 machines so that they can send sensor data to the Microsoft Defender ATP sensor
keywords: Onboard Windows 10 machines, group policy, endpoint configuration manager, mobile device management, local script, gp, sccm, mdm, intune
title: Onboarding tools and methods for Windows 10 devices
description: Onboard Windows 10 devices so that they can send sensor data to the Microsoft Defender ATP sensor
keywords: Onboard Windows 10 devices, group policy, endpoint configuration manager, mobile device management, local script, gp, sccm, mdm, intune
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Onboarding tools and methods for Windows 10 machines
# Onboarding tools and methods for Windows 10 devices
**Applies to:**
@ -26,7 +26,7 @@ ms.topic: conceptual
Machines in your organization must be configured so that the Microsoft Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the machines in your organization.
Devices in your organization must be configured so that the Microsoft Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization.
The following deployment tools and methods are supported:
@ -38,11 +38,11 @@ The following deployment tools and methods are supported:
## In this section
Topic | Description
:---|:---
[Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on machines.
[Onboard Windows machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on machines.
[Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on machine.
[Onboard Windows 10 machines using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints.
[Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI machines.
[Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on devices.
[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices.
[Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on device.
[Onboard Windows 10 devices using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints.
[Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI devices.
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink)
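Review bot: the Microsoft Endpoint Configuration Manager row still carries the duplicated verb "You can use either use …" from the old text; drop the first "use". In the Mobile Device Management row the new line ends "on device" while the sibling rows say "on devices", and the local-script row still says "endpoints" where the rest of the table now says "devices"; worth aligning all five rows while the table is being touched.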

View File

@ -48,6 +48,6 @@ For more information about ASR rule deployment in Microsoft 365 security center,
**Related topics**
* [Ensure your machines are configured properly](configure-machines.md)
* [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
* [Ensure your devices are configured properly](configure-machines.md)
* [Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
* [Monitor compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)

View File

@ -1,6 +1,6 @@
---
title: Get machines onboarded to Microsoft Defender ATP
description: Track onboarding of Intune-managed machines to Windows Defender ATP and increase onboarding rate.
title: Get devices onboarded to Microsoft Defender ATP
description: Track onboarding of Intune-managed devices to Windows Defender ATP and increase onboarding rate.
keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, configuration management
search.product: eADQiWindows 10XVcnh
search.appverid: met150
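Review bot: the `description` line still names the product "Windows Defender ATP" while the `title` line right above it was updated to "Microsoft Defender ATP"; align the product name in the description as well.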
@ -17,34 +17,34 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Get machines onboarded to Microsoft Defender ATP
# Get devices onboarded to Microsoft Defender ATP
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks.
Each onboarded device adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a device can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks.
Before you can track and manage onboarding of machines:
- [Enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management)
Before you can track and manage onboarding of devices:
- [Enroll your devices to Intune management](configure-machines.md#enroll-devices-to-intune-management)
- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
## Discover and track unprotected machines
## Discover and track unprotected devices
The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 machines that have actually onboarded to Microsoft Defender ATP against the total number of Intune-managed Windows 10 machines.
The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 devices that have actually onboarded to Microsoft Defender ATP against the total number of Intune-managed Windows 10 devices.
![Machine configuration management Onboarding card](images/secconmgmt_onboarding_card.png)<br>
*Card showing onboarded machines compared to the total number of Intune-managed Windows 10 machine*
![Device configuration management Onboarding card](images/secconmgmt_onboarding_card.png)<br>
*Card showing onboarded devices compared to the total number of Intune-managed Windows 10 device*
>[!NOTE]
>If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that dont use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines.
>If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that dont use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your devices.
## Onboard more machines with Intune profiles
## Onboard more devices with Intune profiles
Microsoft Defender ATP provides several convenient options for [onboarding Windows 10 machines](onboard-configure.md). For Intune-managed machines, however, you can leverage Intune profiles to conveniently deploy the Microsoft Defender ATP sensor to select machines, effectively onboarding these devices to the service.
Microsoft Defender ATP provides several convenient options for [onboarding Windows 10 devices](onboard-configure.md). For Intune-managed devices, however, you can leverage Intune profiles to conveniently deploy the Microsoft Defender ATP sensor to select devices, effectively onboarding these devices to the service.
From the **Onboarding** card, select **Onboard more machines** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state.
From the **Onboarding** card, select **Onboard more devices** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state.
![Microsoft Defender ATP device compliance page on Intune device management](images/secconmgmt_onboarding_1deviceconfprofile.png)<br>
*Microsoft Defender ATP device compliance page on Intune device management*
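Review bot: "checked for vulnerable components as well security configuration issues" is missing "as" ("as well as"), carried over from the old line. Two smaller carry-overs in the same hunk: the card caption ends in singular "Intune-managed Windows 10 device" where the plural is meant, and the NOTE's "dont" needs an apostrophe ("don't").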
@ -55,16 +55,16 @@ From the **Onboarding** card, select **Onboard more machines** to create and ass
>[!NOTE]
> If you want to view the most up-to-date device data, click on **List of devices without ATP sensor**.
From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the machines you want to onboard. To do this, you can either:
From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the devices you want to onboard. To do this, you can either:
- Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile.
- Create the device configuration profile from scratch.
For more information, [read about using Intune device configuration profiles to onboard machines to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile).
For more information, [read about using Intune device configuration profiles to onboard devices to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
## Related topics
- [Ensure your machines are configured properly](configure-machines.md)
- [Ensure your devices are configured properly](configure-machines.md)
- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
- [Optimize ASR rule deployment and detections](configure-machines-asr.md)

View File

@ -29,42 +29,42 @@ Security baselines ensure that security features are configured according to gui
To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a).
Before you can deploy and track compliance to security baselines:
- [Enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management)
- [Enroll your devices to Intune management](configure-machines.md#enroll-devices-to-intune-management)
- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
## Compare the Microsoft Defender ATP and the Windows Intune security baselines
The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Windows Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure devices running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Windows Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
- [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows)
- [Microsoft Defender ATP baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-defender-atp)
Both baselines are maintained so that they complement one another and have identical values for shared settings. Deploying both baselines to the same machine will not result in conflicts. Ideally, machines onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls.
Both baselines are maintained so that they complement one another and have identical values for shared settings. Deploying both baselines to the same device will not result in conflicts. Ideally, devices onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls.
>[!NOTE]
>The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
>The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machine (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
## Monitor compliance to the Microsoft Defender ATP security baseline
The **Security baseline** card on [machine configuration management](configure-machines.md) provides an overview of compliance across Windows 10 machines that have been assigned the Microsoft Defender ATP security baseline.
The **Security baseline** card on [device configuration management](configure-machines.md) provides an overview of compliance across Windows 10 devices that have been assigned the Microsoft Defender ATP security baseline.
![Security baseline card](images/secconmgmt_baseline_card.png)<br>
*Card showing compliance to the Microsoft Defender ATP security baseline*
Each machine is given one of the following status types:
Each device is given one of the following status types:
- **Matches baseline**machine settings match all the settings in the baseline
- **Does not match baseline**—at least one machine setting doesn't match the baseline
- **Misconfigured**—at least one baseline setting isn't properly configured on the machine and is in a conflict, error, or pending state
- **Not applicable**—At least one baseline setting isn't applicable on the machine
- **Matches baseline**device settings match all the settings in the baseline
- **Does not match baseline**—at least one device setting doesn't match the baseline
- **Misconfigured**—at least one baseline setting isn't properly configured on the device and is in a conflict, error, or pending state
- **Not applicable**—At least one baseline setting isn't applicable on the device
To review specific machines, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the machines.
To review specific devices, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the devices.
>[!NOTE]
>You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
>You might experience discrepancies in aggregated data displayed on the device configuration management page and those displayed on overview screens in Intune.
## Review and assign the Microsoft Defender ATP security baseline
Machine configuration management monitors baseline compliance only of Windows 10 machines that have been specifically assigned the Microsoft Defender ATP security baseline. You can conveniently review the baseline and assign it to machines on Intune device management.
Device configuration management monitors baseline compliance only of Windows 10 devices that have been specifically assigned the Microsoft Defender ATP security baseline. You can conveniently review the baseline and assign it to devices on Intune device management.
1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed.
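Review bot: the bulk rename introduced a regression in the NOTE line: "virtual machines (VMs)" became "virtual machine (VMs)", which is ungrammatical and mangles a technical term; "virtual machines" should be kept as is, since VMs are not the "machines" this commit is renaming to "devices". While here, "Ideally, devices onboarded to Microsoft Defender ATP are deployed both baselines" reads better as "ideally have both baselines deployed", and the "Not applicable" bullet capitalizes "At" where its sibling bullets are lowercase.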
@ -82,22 +82,22 @@ Machine configuration management monitors baseline compliance only of Windows 10
![Security baseline options during profile creation on Intune](images/secconmgmt_baseline_intuneprofile2.png)<br>
*Security baseline options during profile creation on Intune*
4. Assign the profile to the appropriate machine group.
4. Assign the profile to the appropriate device group.
![Security baseline profiles on Intune](images/secconmgmt_baseline_intuneprofile3.png)<br>
*Assigning the security baseline profile on Intune*
5. Create the profile to save it and deploy it to the assigned machine group.
5. Create the profile to save it and deploy it to the assigned device group.
![Assigning the security baseline on Intune](images/secconmgmt_baseline_intuneprofile4.png)<br>
*Creating the security baseline profile on Intune*
>[!TIP]
>Security baselines on Intune provide a convenient way to comprehensively secure and protect your machines. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines).
>Security baselines on Intune provide a convenient way to comprehensively secure and protect your devices. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
## Related topics
- [Ensure your machines are configured properly](configure-machines.md)
- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
- [Ensure your devices are configured properly](configure-machines.md)
- [Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
- [Optimize ASR rule deployment and detections](configure-machines-asr.md)

View File

@ -1,6 +1,6 @@
---
title: Ensure your machines are configured properly
description: Properly configure machines to boost overall resilience against threats and enhance your capability to detect and respond to attacks.
title: Ensure your devices are configured properly
description: Properly configure devices to boost overall resilience against threats and enhance your capability to detect and respond to attacks.
keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -17,44 +17,44 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Ensure your machines are configured properly
# Ensure your devices are configured properly
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
With properly configured machines, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your machines:
With properly configured devices, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your devices:
- Onboard to Microsoft Defender ATP
- Meet or exceed the Microsoft Defender ATP security baseline configuration
- Have strategic attack surface mitigations in place
![Security configuration management page](images/secconmgmt_main.png)<br>
*Machine configuration management page*
*Device configuration management page*
You can track configuration status at an organizational level and quickly take action in response to poor onboarding coverage, compliance issues, and poorly optimized attack surface mitigations through direct, deep links to device management pages on Microsoft Intune and Microsoft 365 security center.
In doing so, you benefit from:
- Comprehensive visibility of the events on your machines
- Robust threat intelligence and powerful machine learning technologies for processing raw events and identifying the breach activity and threat indicators
- Comprehensive visibility of the events on your devices
- Robust threat intelligence and powerful device learning technologies for processing raw events and identifying the breach activity and threat indicators
- A full stack of security features configured to efficiently stop the installation of malicious implants, hijacking of system files and process, data exfiltration, and other threat activities
- Optimized attack surface mitigations, maximizing strategic defenses against threat activity while minimizing impact to productivity
## Enroll machines to Intune management
## Enroll devices to Intune management
Machine configuration management works closely with Intune device management to establish the inventory of the machines in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 machines.
Device configuration management works closely with Intune device management to establish the inventory of the devices in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 devices.
Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read about [setting up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll).
Before you can ensure your devices are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 devices. For more information about Intune enrollment options, read about [setting up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll).
>[!NOTE]
>To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign).
>[!TIP]
>To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
>To optimize device management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
## Obtain required permissions
By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding machines and deploying the security baseline.
By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding devices and deploying the security baseline.
If you have been assigned other roles, ensure you have the necessary permissions:
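Review bot: "machine learning" was mechanically replaced with "device learning" in the benefits list ("powerful device learning technologies"), which changes the meaning; restore "machine learning" here and exclude that term from the find-and-replace across the other files in this commit.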
@ -72,8 +72,8 @@ If you have been assigned other roles, ensure you have the necessary permissions
## In this section
Topic | Description
:---|:---
[Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)| Track onboarding status of Intune-managed machines and onboard more machines through Intune.
[Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed machines.
[Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)| Track onboarding status of Intune-managed devices and onboard more devices through Intune.
[Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices.
[Optimize ASR rule deployment and detections](configure-machines-asr.md) | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center.
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)

View File

@ -24,7 +24,7 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
## Before you begin
Ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up.
Ensure that you have Microsoft Defender ATP deployed in your environment with devices enrolled, and not just on a laboratory set-up.
Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
@ -68,13 +68,13 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert
## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization
You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard.
You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised device, or a threat intelligence context that you see on your portal dashboard.
> [!NOTE]
> - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details.
> - You will need to have the "Manage security settings" permission in the Security Center portal to be able to submit a "Consult a threat expert" inquiry.
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an investigation request.
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or device is in view before you send an investigation request.
2. From the upper right-hand menu, click **?**. Then, select **Consult a threat expert**.
@ -88,7 +88,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
![Image of Microsoft Threat Experts Experts on Demand full subscription screen](images/mte-eod-fullsubscription.png)
The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or machine details page that you were at when you made the request.
The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or device details page that you were at when you made the request.
3. In the next field, provide enough information to give the Microsoft Threat Experts enough context to start the investigation.
@ -102,8 +102,8 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
- I receive an odd alert today for abnormal number of failed logins from a high profile users device. I cannot find any further evidence around these sign-in attempts. How can Microsoft Defender ATP see these attempts? What type of sign-ins are being monitored?
- Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”.
**Possible machine compromise**
- Can you help answer why we see “Unknown process observed?” This is seen quite frequently on many machines. We appreciate any input to clarify whether this is related to malicious activity.
**Possible device compromise**
- Can you help answer why we see “Unknown process observed?” This is seen quite frequently on many devices. We appreciate any input to clarify whether this is related to malicious activity.
- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
**Threat intelligence details**
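Review bot: the first sample inquiry, "failed logins from a high profile users device", needs a possessive apostrophe ("high-profile user's device"); the issue predates this change but the line is in the hunk's context and easy to fix alongside it.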