diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 0991c425ae..3b8c2ce3db 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -116,6 +116,11 @@ "redirect_document_id": true }, { +"source_path": "windows/deployment/update/update-compliance-perspectives.md", +"redirect_url": "https://docs.microsoft.com/windows/deployment/update/update-compliance-using", +"redirect_document_id": true +}, +{ "source_path": "browsers/edge/hardware-and-software-requirements.md", "redirect_url": "https://docs.microsoft.com/microsoft-edge/deploy/about-microsoft-edge", "redirect_document_id": true @@ -1497,6 +1502,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection", +"redirect_document_id": false +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview", "redirect_document_id": true @@ -6227,6 +6237,11 @@ "redirect_document_id": true }, { +"source_path": "windows/deployment/update/update-compliance-wdav-status.md", +"redirect_url": "https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started", +"redirect_document_id": true +}, +{ "source_path": "windows/manage/update-compliance-using.md", "redirect_url": "https://docs.microsoft.com/windows/deployment/update/update-compliance-using", "redirect_document_id": true diff --git a/browsers/internet-explorer/TOC.md b/browsers/internet-explorer/TOC.md index 28a0957588..ceb4d9b0f2 100644 --- a/browsers/internet-explorer/TOC.md +++ b/browsers/internet-explorer/TOC.md @@ -47,6 +47,7 @@ #### [Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md) #### [Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) #### [Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) +#### [Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager](ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md) ### [Use the Enterprise Mode Site List Portal](ie11-deploy-guide/use-the-enterprise-mode-portal.md) #### [Set up the Enterprise Mode Site List Portal](ie11-deploy-guide/set-up-enterprise-mode-portal.md) ##### [Use the Settings page to finish setting up the Enterprise Mode Site List Portal](ie11-deploy-guide/configure-settings-enterprise-mode-portal.md) diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md index 46a8edef5e..0977b87b94 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md @@ -7,7 +7,8 @@ author: dansimp ms.prod: ie11 ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b ms.reviewer: -audience: itpro manager: dansimp +audience: itpro +manager: dansimp ms.author: dansimp title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) ms.sitesec: library @@ -57,16 +58,20 @@ You can add individual sites to your compatibility list by using the Enterprise 5. In conjunction with the compatibility mode, you'll need to use the **Open in** box to pick which browser opens the site. - - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee. + - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee. If you have enabled [Internet Explorer mode integration on Microsoft Edge](https://docs.microsoft.com/deployedge/edge-ie-mode), this option will open sites in Internet Explorer mode. - **MSEdge**. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee. - **None**. Opens in whatever browser the employee chooses. -6. Click **Save** to validate your website and to add it to the site list for your enterprise.

+6. If you have enabled [Internet Explorer mode integration on Microsoft Edge](https://docs.microsoft.com/deployedge/edge-ie-mode), and you have sites that still need to opened in the standalone Internet Explorer 11 application, you can check the box for **Standalone IE**. This checkbox is only relevant when associated to 'Open in' IE11. Checking the box when 'Open In' is set to MSEdge or None will not change browser behavior. + +7. The checkbox **Allow Redirect** applies to the treatment of server side redirects. If you check this box, server side redirects will open in the browser specified by the open-in tag. For more information, see [here](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance#updated-schema-attributes). + +8. Click **Save** to validate your website and to add it to the site list for your enterprise.

If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. -7. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

+9. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). ## Next steps diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md index 008e2624c0..d94601a9d5 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md @@ -20,7 +20,7 @@ ms.date: 07/27/2017 If you're having problems with Group Policy and Internet Explorer 11, or if you're looking for high-level information about the concepts and techniques used to troubleshoot Group Policy, as well as links to detailed reference topics, procedures, and troubleshooting scenario guides, see [Group Policy Analysis and Troubleshooting Overview](https://go.microsoft.com/fwlink/p/?LinkId=279872). ## Group Policy Object-related Log Files -You can use the Event Viewer to review Group Policy-related messages in the **Windows Logs**, **System** file. All of the Group Policy-related events are shown with a source of **GroupPolicy**. For more information about the Event Viewer, see [What information appears in event logs? (Event Viewer)](https://go.microsoft.com/fwlink/p/?LinkId=294917). +You can use the Event Viewer to review Group Policy-related messages in the **Windows Logs**, **System** file. All of the Group Policy-related events are shown with a source of **GroupPolicy**   diff --git a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md new file mode 100644 index 0000000000..bb22b43b3f --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md @@ -0,0 +1,47 @@ +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: How to use Site List Manager to review neutral sites for IE mode +author: dansimp +ms.prod: ie11 +ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager +ms.sitesec: library +ms.date: 04/02/2020 +--- + +# Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8 +- Windows Server 2012 R2 +- Microsoft Edge version 77 or later + +> [!NOTE] +> This feature is available on the Enterprise Mode Site List Manager version 11.0. + +## Overview + +While converting your site from v.1 schema to v.2 schema using the latest version of the Enterprise Mode Site List Manager, sites with the *doNotTransition=true* in v.1 convert to *open-in=None* in the v.2 schema, which is characterized as a "neutral site". This is the expected behavior for conversion unless you are using Internet Explorer mode (IE mode). When IE mode is enabled, only authentication servers that are used for modern and legacy sites should be set as neutral sites. For more information, see [Configure neutral sites](https://docs.microsoft.com/deployedge/edge-ie-mode-sitelist#configure-neutral-sites). Otherwise, a site meant to open in Edge might potentially be tagged as neutral, which results in inconsistent experiences for users. + +The Enterprise Mode Site List Manager provides the ability to flag sites that are listed as neutral sites, but might have been added in error. This check is automatically performed when you are converting from v.1 to v.2 through the tool. This check might flag sites even if there was no prior schema conversion. + +## Flag neutral sites + +To identify neutral sites to review: + +1. In the Enterprise Mode Site List Manager (schema v.2), click **File > Flag neutral sites**. +2. If selecting this option has no effect, there are no sites that needs to be reviewed. Otherwise, you will see a message **"Engine neutral sites flagged for review"**. When a site is flagged, you can assess if the site needs to be removed entirely, or if it needs the open-in attribute changed from None to MSEdge. +3. If you believe that a flagged site is correctly configured, you can edit the site entry and click on **"Clear Flag"**. Once you select that option for a site, it will not be flagged again. + +## Related topics + +- [About IE Mode](https://docs.microsoft.com/deployedge/edge-ie-mode) +- [Configure neutral sites](https://docs.microsoft.com/deployedge/edge-ie-mode-sitelist#configure-neutral-sites) diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md index 58ffc300ce..3cbc140f4b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md @@ -26,7 +26,7 @@ ms.date: 12/04/2017 - Windows Server 2012 R2 - Windows Server 2008 R2 with Service Pack 1 (SP1) -Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. +Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. @@ -49,12 +49,14 @@ The following topics give you more information about the things that you can do |[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the WEnterprise Mode Site List Manager (schema v.1). | |[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) |How to edit the compatibility mode for specific websites.

This topic applies to both versions of the Enterprise Mode Site List Manager. | |[Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) |How to fix common site list validation errors.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager](review-neutral-sites-with-site-list-manager.md) |How to flag sites listed as neutral, to ensure that they are intentional and not a result of schema conversion. This topic applies to the Enterprise Mode Site List Manager version 11.0 or later. | |[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to look to see if a site is already in your global Enterprise Mode site list.

This topic applies to both versions of the Enterprise Mode Site List Manager. | |[Save your site list to XML in the Enterprise Mode Site List Manager](save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) |How to save a site list as XML, so you can deploy and use it with your managed systems.

This topic applies to both versions of the Enterprise Mode Site List Manager. | |[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) |How to export your site list so you can transfer your data and contents to someone else.

This topic applies to both versions of the Enterprise Mode Site List Manager. | |[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](import-into-the-enterprise-mode-site-list-manager.md) |How to import your site list to replace a corrupted or out-of-date list.

This topic applies to both versions of the Enterprise Mode Site List Manager. | |[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete a website from your site list.

This topic applies to both versions of the Enterprise Mode Site List Manager. | |[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete all of the websites in a site list.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +| [Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager](review-neutral-sites-with-site-list-manager.md)|How to flag sites listed as neutral, to ensure that they are intentional and not a result of schema conversion.

This topic applies to the latest version of the Enterprise Mode Site List Manager. ## Related topics diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 4decd51404..49166b9f72 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -65,7 +65,6 @@ ## [Frequently asked security questions](hololens-faq-security.md) ## [Status of the HoloLens services](hololens-status.md) ## [Get support](https://support.microsoft.com/supportforbusiness/productselection?sapid=3ec35c62-022f-466b-3a1e-dbbb7b9a55fb) -## [SCEP whitepaper](scep-whitepaper.md) # [HoloLens release notes](hololens-release-notes.md) # [Give us feedback](hololens-feedback.md) diff --git a/devices/hololens/holographic-3d-viewer-beta.md b/devices/hololens/holographic-3d-viewer-beta.md index 0973813221..90c5b236fd 100644 --- a/devices/hololens/holographic-3d-viewer-beta.md +++ b/devices/hololens/holographic-3d-viewer-beta.md @@ -1,6 +1,6 @@ --- -title: Using 3D Viewer on HoloLens -description: Describes the types of files and features that 3D Viewer Beta on HoloLens supports, and how to use and troubleshoot the app. +title: Using 3D Viewer Beta on HoloLens +description: Describes the types of files and features that 3D Viewer Beta on HoloLens (1st gen) supports, and how to use and troubleshoot the app. ms.prod: hololens ms.sitesec: library author: Teresa-Motiv @@ -15,15 +15,18 @@ appliesto: - HoloLens (1st gen) --- -# Using 3D Viewer on HoloLens +# Using 3D Viewer Beta on HoloLens -3D Viewer lets you view 3D models on HoloLens. You can open and view *supported* .fbx files from Microsoft Edge, OneDrive, and other apps. +3D Viewer Beta lets you view 3D models on HoloLens (1st gen). You can open and view *supported* .fbx files from Microsoft Edge, OneDrive, and other apps. -If you're having trouble opening a 3D model in 3D Viewer, or certain features of your 3D model are unsupported, see [Supported content specifications](#supported-content-specifications). +>[!NOTE] +>This article applies to the immersive Unity **3D Viewer Beta** app, which supports .fbx files and is only available on HoloLens (1st gen). The pre-installed **3D Viewer** app on HoloLens 2 supports opening custom .glb 3D models in the mixed reality home (see [Asset requirements overview](https://docs.microsoft.com/windows/mixed-reality/creating-3d-models-for-use-in-the-windows-mixed-reality-home#asset-requirements-overview) for more details. -To build or optimize 3D models for use with 3D Viewer, see [Optimizing 3D models for 3D Viewer](#optimizing-3d-models-for-3d-viewer-beta). +If you're having trouble opening a 3D model in 3D Viewer Beta, or certain features of your 3D model are unsupported, see [Supported content specifications](#supported-content-specifications). -There are two ways to open a 3D model on HoloLens. See [Viewing 3D models on HoloLens](#viewing-3d-models-on-hololens) to learn more. +To build or optimize 3D models for use with 3D Viewer Beta, see [Optimizing 3D models for 3D Viewer Beta](#optimizing-3d-models-for-3d-viewer-beta). + +There are two ways to open a 3D model on HoloLens. See [Viewing FBX files on HoloLens](#viewing-fbx-files-on-hololens) to learn more. If you're having trouble after reading these topics, see [Troubleshooting](#troubleshooting). @@ -122,7 +125,7 @@ By default, 3D Viewer Beta displays 3D models at a comfortable size and position To prevent scaling of the model, add a Boolean custom attribute to any object in the scene named Microsoft_DisableScale and set it to true. 3D Viewer Beta will then respect the FbxSystemUnit information baked into the FBX file. Scale in 3D Viewer Beta is 1 meter per FBX unit. -## Viewing 3D models on HoloLens +## Viewing FBX files on HoloLens ### Open an FBX file from Microsoft Edge diff --git a/devices/hololens/hololens-calibration.md b/devices/hololens/hololens-calibration.md index dcba528079..b03fb4479f 100644 --- a/devices/hololens/hololens-calibration.md +++ b/devices/hololens/hololens-calibration.md @@ -86,6 +86,8 @@ If calibration is unsuccessful try: If you followed all guidelines and calibration is still failing, please let us know by filing feedback in [Feedback Hub](hololens-feedback.md). +Note that setting IPD is not applicable for Hololens 2, since eye positions are computed by the system. + ### Calibration data and security Calibration information is stored locally on the device and is not associated with any account information. There is no record of who has used the device without calibration. This mean new users will get prompted to calibrate visuals when they use the device for the first time, as well as users who opted out of calibration previously or if calibration was unsuccessful. @@ -105,6 +107,8 @@ You can also disable the calibration prompt by following these steps: ### HoloLens 2 eye-tracking technology The device uses its eye-tracking technology to improve display quality, and to ensure that all holograms are positioned accurately and comfortable to view in 3D. Because it uses the eyes as landmarks, the device can adjust itself for every user and tune its visuals as the headset shifts slightly throughout use. All adjustments happen on the fly without a need for manual tuning. +> [!NOTE] +> Setting the IPD is not applicable for Hololens 2, since eye positions are computed by the system. HoloLens applications use eye tracking to track where you are looking in real time. This is the main capability developers can leverage to enable a whole new level of context, human understanding and interactions within the Holographic experience. Developers don’t need to do anything to leverage this capability. diff --git a/devices/hololens/hololens-connect-devices.md b/devices/hololens/hololens-connect-devices.md index fd770fd0cc..7926dab884 100644 --- a/devices/hololens/hololens-connect-devices.md +++ b/devices/hololens/hololens-connect-devices.md @@ -32,7 +32,7 @@ HoloLens (1st gen) supports the following classes of Bluetooth devices: - HoloLens (1st gen) clicker > [!NOTE] -> Other types of Bluetooth devices, such as speakers, headsets, smartphones, and game pads, may be listed as available in HoloLens settings. However, these devices aren't supported on HoloLens (1st gen). For more information, see [I'm having problems pairing or using a Bluetooth device](hololens-FAQ.md#im-having-problems-pairing-or-using-a-bluetooth-device). +> Other types of Bluetooth devices, such as speakers, headsets, smartphones, and game pads, may be listed as available in HoloLens settings. However, these devices aren't supported on HoloLens (1st gen). For more information, see [HoloLens Settings lists devices as available, but the devices don't work](hololens-FAQ.md#hololens-settings-lists-devices-as-available-but-the-devices-dont-work). ### Pair a Bluetooth keyboard or mouse diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index 369602ca12..89a01c0628 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md @@ -30,7 +30,7 @@ This article teaches you how to control HoloLens and your holographic world with ## Built-in voice commands -Get around HoloLens faster with these basic commands. In order to use these you need to enable Speech during first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of Start menu. +Get around HoloLens faster with these basic commands. In order to use these, you need to enable Speech during the first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of the Start menu. For the best speech recognition results, HoloLens 2 uses the Microsoft cloud-based services. However, you can use Settings to disable this feature. To do this, in Settings, turn off **Online speech recognition**. After you change this setting, HoloLens 2 will only process voice data locally to recognize commands and dictation, and Cortana will not be available. ### General speech commands @@ -48,6 +48,19 @@ Use these commands throughout Windows Mixed Reality to get around faster. Some c |Hide and show hand ray | "Hide hand ray" / "Show hand ray" | |See available speech commands | "What can I say?" | +Starting with version 19041.x of HoloLens 2, you can also use these commands: + +| Say this | To do this | +| - | - | +| "Restart device" | Bring up a dialogue to confirm you want to restart the device. You can say "yes" to restart. | +| "Shutdown device" | Bring up a dialogue to confirm you want to turn off the device. You can say "yes" to confirm. | +| "Brightness up/down" | Increase or decrease the display brightness by 10%. | +| "Volume up/down" | Increase or decrease the volume by 10%. | +| "What's my IP address" | Bring up a dialogue displaying your device's current IP address on the local network. | +| "Take a picture" | Capture a mixed reality photo of what you are currently seeing. | +| "Take a video" | Start recording a mixed reality video. | +| "Stop recording" | Stops the current mixed reality video recording if one is in progress. | + ### Hologram commands To use these commands, gaze at a 3D object, hologram, or app window. @@ -87,7 +100,7 @@ Sometimes it's helpful to spell out things like email addresses. For instance, t ## Do more with Cortana -Cortana can help you do all kinds of things on your HoloLens, from searching the web to shutting down your device. She can give you suggestions, ideas, reminders, alerts, and more. To get her attention, select Cortana on **Start** or say "Hey Cortana" anytime. +Cortana can help you do all kinds of things on your HoloLens, but depending on which version of Windows Holographic you're using, the capablities may be different. You can learn more about the updated capabilites of the latest version of Cortana [here](https://blogs.windows.com/windowsexperience/2020/02/28/cortana-in-the-upcoming-windows-10-release-focused-on-your-productivity-with-enhanced-security-and-privacy/). ![Hey Cortana!](images/cortana-on-hololens.png) @@ -96,22 +109,27 @@ Here are some things you can try saying (remember to say "Hey Cortana" first). **Hey, Cortana**... - What can I say? +- Launch <*app name*>. +- What time is it? +- Show me the latest NBA scores. +- Tell me a joke. + +If you're using *version 18362.x or earlier*, you can also use these commands: + +**Hey, Cortana**... + - Increase the volume. - Decrease the brightness. - Shut down. - Restart. - Go to sleep. - Mute. -- Launch <*app name*>. - Move <*app name*> here (gaze at the spot that you want the app to move to). - Go to Start. - Take a picture. - Start recording. (Starts recording a video.) - Stop recording. (Stops recording a video.) -- What time is it? -- Show me the latest NBA scores. - How much battery do I have left? -- Tell me a joke. Some Cortana features that you're used to from Windows on your PC or phone (for example, reminders and notifications) aren't supported in Microsoft HoloLens, and the Cortana experience may vary from one region to another. diff --git a/devices/hololens/hololens-faq-security.md b/devices/hololens/hololens-faq-security.md index 78dacbb581..85f66c8318 100644 --- a/devices/hololens/hololens-faq-security.md +++ b/devices/hololens/hololens-faq-security.md @@ -73,8 +73,6 @@ appliesto: 1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client. 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices. -1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?** - 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities. ## HoloLens 2nd Gen Security Questions @@ -125,5 +123,3 @@ appliesto: 1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client. 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices. -1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?** - 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities. diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index 7ee4140703..68262afb5b 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md @@ -67,6 +67,7 @@ Here's a quick summary of what's new: - Use Windows AutoPilot to set up and pre-configure new devices, quickly getting them ready for productive use. Send a note to hlappreview@microsoft.com to join the preview. - Dark Mode - HoloLens customers can now choose the default mode for apps that support both color schemes! Based on customer feedback, with this update we are setting the default app mode to "dark," but you can easily change this setting at any time. - Support for additional system voice commands +- An updated Cortana app with a focus on productivity - Hand Tracking improvements to reduce the tendency to close the index finger when pointing. This should make button pressing and 2D slate usage feel more accurate - Performance and stability improvements across the product - More information in settings on HoloLens about the policy pushed to the device @@ -95,9 +96,16 @@ You can now can access these commands with your voice: - "Volume up" - "Volume down" - "What is my IP address?" +- "Take a picture" +- "Take a video" / "Stop recording" If you're running your system with a different language, please try the appropriate commands in that language. +### Cortana updates +The updated app integrates with Microsoft 365, currently in English (United States) only, to help you get more done across your devices. On HoloLens 2, Cortana will no longer support certain device-specific commands like adjusting the volume or restarting the device, which are now supported with the new system voice commands above. Learn more about the new Cortana app and its direction on our blog [here](https://blogs.windows.com/windowsexperience/2020/02/28/cortana-in-the-upcoming-windows-10-release-focused-on-your-productivity-with-enhanced-security-and-privacy/). + +There's currently an issue we're investigating that requires you to launch the app once after booting the device in order to use the "Hey Cortana" keyword activation, and if you updated from a 18362 build, you may see an app tile for the previous version of the Cortana app in Start that no longer works. + ### Dark mode Many Windows apps support both dark and light modes, and now HoloLens customers can choose the default mode for apps that support both. Once updated, the default app mode will be "dark," but can be changed easily. Navigate to **Settings > System > Colors to find "Choose your default app mode."** Here are some of the in-box apps that support Dark mode! diff --git a/devices/hololens/scep-whitepaper.md b/devices/hololens/scep-whitepaper.md deleted file mode 100644 index ee0915b54b..0000000000 --- a/devices/hololens/scep-whitepaper.md +++ /dev/null @@ -1,80 +0,0 @@ ---- -title: SCEP Whitepaper -description: A whitepaper that describes how Microsoft mitigates the vulnerabilities of SCEP. -ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b -author: pawinfie -ms.author: pawinfie -ms.date: 02/12/2020 -keywords: hololens, Windows Mixed Reality, security -ms.prod: hololens -ms.sitesec: library -ms.topic: article -audience: ITPro -ms.localizationpriority: high -ms.custom: -- CI 111456 -- CSSTroubleshooting -appliesto: -- HoloLens 1 (1st gen) -- HoloLens 2 ---- - -# SCEP whitepaper - -## High Level - -### How the SCEP Challenge PW is secured - -We work around the weakness of the SCEP protocol by generating custom challenges in Intune itself. The challenge string we create is signed/encrypted, and contains the information we've configured in Intune for certificate issuance into the challenge blob. This means the blob used as the challenge string contains the expected CSR information like the Subject Name, Subject Alternative Name, and other attributes. - -We then pass that to the device and then the device generates it's CSR and passes it, and the blob to the SCEP URL it received in the MDM profile. On NDES servers running the Intune SCEP module we perform a custom challenge validation that validates the signature on the blob, decrypts the challenge blob itself, compare it to the CSR received, and then determine if we should issue the cert. If any portion of this check fails then the certificate request is rejected. - -## Behind the scenes - -### Intune Connector has a number of responsibilities - -1. The connector is SCEP policy module which contains a "Certification Registration Point" component which interacts with the Intune service, and is responsible for validating, and securing the SCEP request coming into the NDES server. - -1. The connector will install an App Pool on the NDES IIS server > Microsoft Intune CRP service Pool, and a CertificateRegistrationSvc under the "Default Web Site" on IIS. - -1. **When the Intune NDES connector is first configured/setup on the NDES server, a certificate is issued from the Intune cloud service to the NDES server. This cert is used to securely communicate with the Intune cloud service - customer tenant. The cert is unique to the customers NDES server. Can be viewed in Certlm.msc issued by SC_Online_Issuing. This certs Public key is used by Intune in the cloud to encrypt the challenge blob. In addition, when the connector is configured, Intune's public key is sent to the NDES server.** - >[!NOTE] - >The connector communication with Intune is strictly outbound traffic. - -1. The Intune cloud service combined with the Intune connector/policy module addresses the SCEP protocol challenge password weakness (in the SCEP protocol) by generating a custom challenge. The challenge is generated in Intune itself. - - 1. In the challenge blob, Intune puts information that we expect in the cert request (CSR - Certificate Signing Request) coming from a mobile device like the following: what we expect the Subject and SAN (validated against AAD attributes/properties of the user/device) to be, and specifics contained in the Intune SCEP profile that is created by an Intune admin, i.e., Request Handling, EKU, Renewal, validity period, key size, renewal period. - >[!NOTE] - >The Challenge blob is Encrypted with the Connectors Public Key, and Signed with Intune's (cloud service) Private Key. The device cannot decrypt the challenge - - 1. When an Intune admin creates a SCEP profile in their tenant, Intune will send the SCEP profile payload along with the Encrypted and Signed Challenge to the targeted device. The device generates a CSR, and reaches out to NDES URL (contained in the SCEP profile). The device cert request payload contains the CSR, and the encrypted, signed challenge blob. - - 1. When the device reaches out to the NDES server (via the NDES/SCEP URL provided in the SCEP Profile payload), the SCEP cert request validation is performed by the policy module running on the NDES server. The challenge signature is verified using Intune's public key (which is on the NDES server, when the connector was installed and configured) and decrypted using the connectors private key. The policy module compares the CSR details against the decrypted challenge and determines if a cert should be issued. If the CSR passes validation, the NDES server requests a certificate from the CA on behalf of the user/device. - >[!NOTE] - >The above process takes place on the NDES server running the Policy Module. No interaction with the Intune cloud service takes place. - - 1. The NDES connector notification/reporting of cert delivery takes place after NDES sends the issued cert to the device. This is performed as a separate operation outside the cert request flow. Meaning that once NDES sends the cert to the device via the AAD app proxy (or other publishing firewall/proxy, a log is written with the cert delivery details on the NDES server by the connector (file location \Program Files\Microsoft Intune\CertificateRequestStatus\Succeed\ folder. The connector will look here, and send updates to Intune. - - 1. The mobile device must be enrolled in Intune. If not, we reject the request as well - - 1. The Intune connector disables the standard NDES challenge password request URL on the NDES server. - - 1. The NDES server SCEP URI in most customer deployments is made available to the internet via Azure App Proxy, or an on-prem reverse proxy, i.e. F5. - >[!NOTE] - >The Azure App Proxy is an outbound-only connection over Port 443, from the customers onprem network where the App Proxy connector is running on a server. The AAD app proxy can also be hosted on the NDES server. No inbound ports required when using Azure App Proxy. - - 1. The mobile device talks only to the NDES URI - - 1. Side note: AAD app proxy's role is to make onprem resources (like NDES and other customer onprem web services) securely available to the internet. - - 1. The Intune connector must communicate with the Intune cloud service. The connector communication will not go through the Azure App Proxy. The connector will talk with the Intune cloud service via whatever mechanism a customer has onprem to allow outbound traffic to the internet, i.e. Internal proxy service. - >[!NOTE] - > if a proxy is used by the customer, no SSL packet inspection can take place for the NDES/Connector server going out. - -1. Connector traffic with Intune cloud service consists of the following operations: - - 1. 1st time configuration of the connector: Authentication to AAD during the initial connector setup. - - 1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe – full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors' SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won't be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet. - -1. [Here](https://docs.microsoft.com/intune/intune-endpoints#microsoft-intune-certificate-connector) is a reference for Intune NDES connector network communications. diff --git a/devices/surface-hub/images/sccm-additional.png b/devices/surface-hub/images/configmgr-additional.png similarity index 100% rename from devices/surface-hub/images/sccm-additional.png rename to devices/surface-hub/images/configmgr-additional.png diff --git a/devices/surface-hub/images/sccm-create.png b/devices/surface-hub/images/configmgr-create.png similarity index 100% rename from devices/surface-hub/images/sccm-create.png rename to devices/surface-hub/images/configmgr-create.png diff --git a/devices/surface-hub/images/sccm-oma-uri.png b/devices/surface-hub/images/configmgr-oma-uri.png similarity index 100% rename from devices/surface-hub/images/sccm-oma-uri.png rename to devices/surface-hub/images/configmgr-oma-uri.png diff --git a/devices/surface-hub/images/sccm-platform.png b/devices/surface-hub/images/configmgr-platform.png similarity index 100% rename from devices/surface-hub/images/sccm-platform.png rename to devices/surface-hub/images/configmgr-platform.png diff --git a/devices/surface-hub/images/sccm-team.png b/devices/surface-hub/images/configmgr-team.png similarity index 100% rename from devices/surface-hub/images/sccm-team.png rename to devices/surface-hub/images/configmgr-team.png diff --git a/devices/surface-hub/index.yml b/devices/surface-hub/index.yml index 668c4b4a04..249deba5a0 100644 --- a/devices/surface-hub/index.yml +++ b/devices/surface-hub/index.yml @@ -25,17 +25,17 @@ highlightedContent: # itemType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new items: # Card - - title: What is Surface Hub 2S? - itemType: overview - url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Behind-the-design-Surface-Hub-2S/ba-p/464099 + - title: What's new in Surface Hub 2S? + itemType: whats-new + url: surface-hub-2s-whats-new.md # Card - title: Surface Hub security overview itemType: learn url: surface-hub-security.md - # Card - - title: What's new in Surface Hub 2S? - itemType: whats-new - url: surface-hub-2s-whats-new.md + # Card + - title: Manage Surface Hub 2S with Intune + itemType: how-to-guide + url: surface-hub-2s-manage-intune.md # Card - title: Operating system essentials itemType: learn diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index b3a74fc47d..5394d7c761 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -18,7 +18,7 @@ ms.localizationpriority: medium Surface Hub and other Windows 10 devices allow IT administrators to manage settings and policies using a mobile device management (MDM) provider. A built-in management component communicates with the management server, so there is no need to install additional clients on the device. For more information, see [Windows 10 mobile device management](https://msdn.microsoft.com/library/windows/hardware/dn914769.aspx). -Surface Hub has been validated with Microsoft’s first-party MDM providers: +Surface Hub has been validated with Microsoft's first-party MDM providers: - Microsoft Intune standalone - On-premises MDM with Microsoft Endpoint Configuration Manager @@ -65,25 +65,25 @@ For more information, see [SurfaceHub configuration service provider](https://ms | Maintenance hours | MaintenanceHoursSimple/Hours/StartTime
MaintenanceHoursSimple/Hours/Duration | Yes | Yes | Yes | | Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes | | Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes | -| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID
MOMAgent/WorkspaceKey | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Friendly name for wireless projection | Properties/FriendlyName | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID
MOMAgent/WorkspaceKey | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager | Yes | +| Friendly name for wireless projection | Properties/FriendlyName | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | | Device account, including password rotation | DeviceAccount/*``*
See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes | -| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Set default volume | Properties/DefaultVolume | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Set screen timeout | Properties/ScreenTimeout | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Set session timeout | Properties/SessionTimeout | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Set sleep timeout | Properties/SleepTimeout | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Set default volume | Properties/DefaultVolume | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Set screen timeout | Properties/ScreenTimeout | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Set session timeout | Properties/SessionTimeout | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Set sleep timeout | Properties/SleepTimeout | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -97,12 +97,12 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |--------------------|------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
. | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow USB Drives | Keep this enabled to support USB drives on Surface Hub | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
. | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow USB Drives | Keep this enabled to support USB drives on Surface Hub | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -110,15 +110,15 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |-----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow Windows Defender SmartScreen | Keep this enabled to turn on Windows Defender SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Prevent ignoring Windows Defender SmartScreen warnings for websites | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Prevent ignoring Windows Defender SmartScreen warnings for files | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow Windows Defender SmartScreen | Keep this enabled to turn on Windows Defender SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Prevent ignoring Windows Defender SmartScreen warnings for websites | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Prevent ignoring Windows Defender SmartScreen warnings for files | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -126,13 +126,13 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |---------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Defer feature updates | See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Configure device to use WSUS | Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Defer feature updates | See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Configure device to use WSUS | Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -140,7 +140,7 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |-------------------|----------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | | Defender status | Use to initiate a Defender scan, force a Security intelligence update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | Yes | Yes | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -150,8 +150,8 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| | Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes | No | Yes | -| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -180,7 +180,7 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |------------------------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -188,7 +188,7 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |-------------------|---------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -196,12 +196,12 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. ### Generate OMA URIs for settings -You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager. +You need to use a setting's OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager. **To generate the OMA URI for any setting in the CSP documentation** 1. In the CSP documentation, identify the root node of the CSP. Generally, this looks like `./Vendor/MSFT/`
@@ -217,15 +217,13 @@ The data type is also stated in the CSP documentation. The most common data type - bool (Boolean) - ## Example: Manage Surface Hub settings with Microsoft Intune You can use Microsoft Intune to manage Surface Hub settings. For custom settings, follow the instructions in [How to configure custom device settings in Microsoft Intune](https://docs.microsoft.com/intune/custom-settings-configure). For **Platform**, select **Windows 10 and later**, and in **Profile type**, select **Device restrictions (Windows 10 Team)**. - -## Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager +## Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs. > [!NOTE] @@ -238,26 +236,26 @@ Configuration Manager supports managing modern devices that do not require the C 3. On the **General** page of the Create Configuration Item Wizard, specify a name and optional description for the configuration item. 4. Under **Settings for devices managed without the Configuration Manager client**, select **Windows 8.1 and Windows 10**, and then click **Next**. - ![example of UI](images/sccm-create.png) + ![example of UI](images/configmgr-create.png) 5. On the **Supported Platforms** page, expand **Windows 10** and select **All Windows 10 Team and higher**. Unselect the other Windows platforms, and then click **Next**. - ![select platform](images/sccm-platform.png) + ![select platform](images/configmgr-platform.png) 7. On the **Device Settings** page, under **Device settings groups**, select **Windows 10 Team**. 8. On the **Windows 10 Team** page, configure the settings you require. - ![Windows 10 Team](images/sccm-team.png) + ![Windows 10 Team](images/configmgr-team.png) 9. You'll need to create custom settings to manage settings that are not available in the Windows 10 Team page. On the **Device Settings** page, select the check box **Configure additional settings that are not in the default setting groups**. - ![additional settings](images/sccm-additional.png) + ![additional settings](images/configmgr-additional.png) 10. On the **Additional Settings** page, click **Add**. 11. In the **Browse Settings** dialog, click **Create Setting**. 12. In the **Create Setting** dialog, under the **General** tab, specify a name and optional description for the custom setting. 13. Under **Setting type**, select **OMA URI**. 14. Complete the form to create a new setting, and then click **OK**. - ![OMA URI setting](images/sccm-oma-uri.png) + ![OMA URI setting](images/configmgr-oma-uri.png) 15. On the **Browse Settings** dialog, under **Available settings**, select the new setting you created, and then click **Select**. 16. On the **Create Rule** dialog, complete the form to specify a rule for the setting, and then click **OK**. 17. Repeat steps 9 to 15 for each custom setting you want to add to the configuration item. diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md index a6e9524cd2..416610d656 100644 --- a/devices/surface-hub/whiteboard-collaboration.md +++ b/devices/surface-hub/whiteboard-collaboration.md @@ -1,6 +1,6 @@ --- title: Set up and use Microsoft Whiteboard -description: Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. +description: Microsoft Whiteboard's latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. ms.prod: surface-hub ms.sitesec: library author: dansimp @@ -14,7 +14,7 @@ ms.localizationpriority: medium # Set up and use Microsoft Whiteboard -The Microsoft Whiteboard app includes the capability for Surface Hubs and other devices to collaborate in real time on the same board. +The Microsoft Whiteboard app includes the capability for Surface Hubs and other devices with the Microsoft Whiteboard app installed to collaborate in real time on the same board. ## Prerequisites @@ -48,14 +48,16 @@ On the other device, such as a Surface Hub, when you are signed in, the shared b - You can also change the background color and design from solid to grid or dots. Pick the background, then choose the color from the wheel around it. - You can export a copy of the Whiteboard collaboration for yourself through the Share charm and leave the board for others to continue working. +For more information, see [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d). + > [!NOTE] -> If you are using Whiteboard and cannot sign in, you can collaborate by joining a Teams or Skype for Business meeting, and then sharing your screen. After you’re done, tap **Settings** > **Export to email** or save a copy of the board. The SVG export provides higher resolution than PNG and can be opened in a web browser. +> If you are using Whiteboard and cannot sign in, you can collaborate by joining a Teams or Skype for Business meeting, and then sharing your screen. After you're done, tap **Settings** > **Export to email** or save a copy of the board. If you choose to export to SVG, it exports vector graphics and provides higher resolution than PNG and can be opened in a web browser. ## New features in Whiteboard The Microsoft Whiteboard app, updated for Surface Hub on July 1, 2019 includes a host of new features including: -- **Automatic Saving** - Boards are saved to the cloud automatically when you sign in, and can be found in the board gallery. +- **Automatic Saving** - Boards are saved to the cloud automatically when you sign in, and can be found in the board gallery. There is no local folder name or directory. - **Extended collaboration across devices** - You can collaborate using new apps for Windows 10 PC and iOS, and a web version for other devices. - **Richer canvas** - In addition to ink and images, Whiteboard now includes sticky notes, text and GIFs, with more objects coming soon. - **Intelligence** – In addition to ink to shape and table, Whiteboard now includes ink beautification to improve handwriting and ink grab to convert images to ink. @@ -68,3 +70,5 @@ The Microsoft Whiteboard app, updated for Surface Hub on July 1, 2019 includes a - [Windows 10 Creators Update for Surface Hub](https://www.microsoft.com/surface/support/surface-hub/windows-10-creators-update-surface-hub) - [Support documentation for Microsoft Whiteboard](https://support.office.com/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01) + +- [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d) diff --git a/devices/surface/index.yml b/devices/surface/index.yml index 29bd13e5da..d9d7043dc2 100644 --- a/devices/surface/index.yml +++ b/devices/surface/index.yml @@ -24,17 +24,18 @@ additionalContent: - title: For IT Professionals # < 60 chars (optional) items: # Card - - title: Surface devices + - title: Surface devices documentation summary: Harness the power of Surface, Windows, and Office connected together through the cloud. Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface devices in your organization. url: https://docs.microsoft.com/en-us/surface/get-started # Card - - title: Surface Hub - summary: Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device that brings the power of Windows 10 to team collaboration. Learn how to plan, deploy, manage, and support your Surface Hub devices. + - title: Surface Hub documentation + summary: Learn how to deploy and manage Surface Hub 2S, the all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device. url: https://docs.microsoft.com/surface-hub/index - # Card - - title: Surface for Business - summary: Explore how Surface devices are transforming the modern workplace with people-centric design and flexible form factors, helping you get the most out of AI, big data, the cloud, and other foundational technologies. - url: https://www.microsoft.com/surface/business + # Card + - title: Surface Hub adoption guidance + summary: Get best practices for technical readiness and adoption across your lines of business. + url: https://docs.microsoft.com/surface-hub/surface-hub-2s-adoption-kit + - title: Other resources # < 60 chars (optional) items: # Card @@ -51,8 +52,7 @@ additionalContent: url: https://docs.microsoft.com/learn/browse/?term=Surface - text: Microsoft Mechanics Surface videos url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ - - text: Surface Hub 2S adoption and training - url: https://docs.microsoft.com/surface-hub/surface-hub-2s-adoption-kit + # Card - title: Need help? links: @@ -60,3 +60,5 @@ additionalContent: url: https://support.microsoft.com/products/surface-devices - text: Surface Hub url: https://support.microsoft.com/hub/4343507/surface-hub-help + - text: Contact Surface Hub Support + url: https://support.microsoft.com/supportforbusiness/productselection?sapId=bb7066fb-e329-c1c0-9c13-8e9949c6a64e diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md index 1a417a6bcd..7c84f5c0e4 100644 --- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md +++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md @@ -29,7 +29,7 @@ Before you run the diagnostic tool, make sure you have the latest Windows update **To run the Surface Diagnostic Toolkit for Business:** -1. Download the [Surface Diagnostic Toolkit for Business](https://aka.ms/SDT4B). +1. Download the Surface Diagnostic Toolkit for Business. To do this, go to the [**Surface Tools for IT** download page](https://www.microsoft.com/download/details.aspx?id=46703), choose **Download**, select **Surface Diagnostic Toolkit for Business** from the provided list, and choose **Next**. 2. Select Run and follow the on-screen instructions. For full details, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business). The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required. diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index d748891d49..f1fa0e58fa 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -1,5 +1,5 @@ --- -title: Microsoft Surface Dock Firmware Update +title: Microsoft Surface Dock Firmware Update - Technical information for IT administrators description: This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device. ms.localizationpriority: medium ms.prod: w10 @@ -12,22 +12,31 @@ ms.reviewer: scottmca manager: dansimp ms.audience: itpro --- -# Microsoft Surface Dock Firmware Update - -This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device. - -Microsoft Surface Dock Firmware Update supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. It was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number). The earlier tool is no longer available for download and should not be used. +# Microsoft Surface Dock Firmware Update: Technical information for IT administrators > [!IMPORTANT] ->Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version. +> This article contains technical instructions for IT administrators. If you are a home user, please see [How to update your Surface Dock Firmware](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock) on the Microsoft Support site. The instructions at the support site are the same as the general installation steps below, but this article has additional information for monitoring, verifying, and deploying the update to multiple devices on a network. + +This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device. + +This tool supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. The earlier tool was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number) and is no longer available for download and should not be used. + +## Install the Surface Dock Firmware Update + +This section describes how to manually install the firmware update. + +> [!NOTE] +> Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version. + +1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703). + - The update requires a Surface device running Windows 10, version 1803 or later. + - Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update. + +2. Disconnect your Surface device from the Surface Dock (using the power adapter), wait ~5 seconds, and then reconnect. The Surface Dock Firmware Update will update the dock silently in background. The process can take a few minutes to complete and will continue even if interrupted. ## Monitor the Surface Dock Firmware Update -This section is optional and provides an overview of how to monitor installation of the firmware update. When you are ready to install the update, see [Install the Surface Dock Firmware Update](#install-the-surface-dock-firmware-update) below. For more detailed information about monitoring the update process, see the following sections in this article: - - [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update) - - [Event logging](#event-logging) - - [Troubleshooting tips](#troubleshooting-tips) - - [Versions reference](#versions-reference) +This section is optional and provides an overview of how to monitor installation of the firmware update. To monitor the update: @@ -39,7 +48,6 @@ To monitor the update: Reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters" ``` 3. Install the update as described in the [next section](#install-the-surface-dock-firmware-update) of this article. - 4. Event 2007 with the following text indicates a successful update: **Firmware update finished. hr=0 DriverTelementry EventCode = 2007**. - If the update is not successful, then event ID 2007 will be displayed as an **Error** event rather than **Information**. Additionally, the version reported in the Windows Registry will not be current. 5. When the update is complete, updated DWORD values will be displayed in the Windows Registry, corresponding to the current version of the tool. See the [Versions reference](#versions-reference) section in this article for details. For example: @@ -49,15 +57,11 @@ To monitor the update: >[!TIP] >If you see "The description for Event ID xxxx from source SurfaceDockFwUpdate cannot be found" in event text, this is expected and can be ignored. -## Install the Surface Dock Firmware Update - -This section describes how to install the firmware update. - -1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703). - - The update requires a Surface device running Windows 10, version 1803 or later. - - Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update. - -2. Disconnect your Surface device from the Surface Dock (using the power adapter), wait ~5 seconds, and then reconnect. The Surface Dock Firmware Update will update the dock silently in background. The process can take a few minutes to complete and will continue even if interrupted. +Also see the following sections in this article: + - [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update) + - [Event logging](#event-logging) + - [Troubleshooting tips](#troubleshooting-tips) + - [Versions reference](#versions-reference) ## Network deployment diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md index 062008fc1e..9c7b32f336 100644 --- a/devices/surface/surface-system-sku-reference.md +++ b/devices/surface/surface-system-sku-reference.md @@ -39,6 +39,7 @@ System Model and System SKU are variables that are stored in the System Manageme | Surface Go Commercial | Surface Go | Surface_Go_1824_Commercial | | Surface Pro 6 Consumer | Surface Pro 6 | Surface_Pro_6_1796_Consumer | | Surface Pro 6 Commercial | Surface Pro 6 | Surface_Pro_6_1796_Commercial | +| Surface Laptop | Surface Laptop | Surface_Laptop | | Surface Laptop 2 Consumer | Surface Laptop 2 | Surface_Laptop_2_1769_Consumer | | Surface Laptop 2 Commercial | Surface Laptop 2 | Surface_Laptop_2_1769_Commercial | | Surface Pro 7 | Surface Pro 7 | Surface_Pro_7_1866 | diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index fed3ff8374..7e016c22c0 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -34,8 +34,12 @@ Many schools use online testing for formative and summative assessments. It's cr ![Set up and user flow for the Take a Test app](images/take_a_test_flow_dark.png) -There are several ways to configure devices for assessments. You can: -- **Configure an assessment URL and a dedicated testing account** +There are several ways to configure devices for assessments, depending on your use case: + +- For higher stakes testing such as mid-term exams, you can set up a device with a dedicated testing account and URL. +- For lower stakes assessments such as a quick quiz in a class, you can quickly create and distribute the assessment URL through any method of your choosing. + +1. **Configure an assessment URL and a dedicated testing account** In this configuration, a user signs into in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. @@ -58,9 +62,9 @@ There are several ways to configure devices for assessments. You can: For more info about these methods, see [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md). -- **Distribute the assessment URL through the web, email, OneNote, or any other method of your choosing. You can also create shortcuts to distribute the link** +2. **Create and distribute the assessment URL through the web, email, OneNote, or any other method** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. + This allows teachers and test administrators an easier way to deploy assessments quickly and simply. We recommend this method for lower stakes assessments. You can also create shortcuts to distribute the link. You can enable this using a schema activation. diff --git a/mdop/appv-v5/app-v-51-supported-configurations.md b/mdop/appv-v5/app-v-51-supported-configurations.md index a6aa8d9fd8..7785be89ee 100644 --- a/mdop/appv-v5/app-v-51-supported-configurations.md +++ b/mdop/appv-v5/app-v-51-supported-configurations.md @@ -10,18 +10,16 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 09/27/2016 +ms.date: 04/02/2020 --- # App-V 5.1 Supported Configurations - This topic specifies the requirements to install and run Microsoft Application Virtualization (App-V) 5.1 in your environment. ## App-V Server system requirements - This section lists the operating system and hardware requirements for all of the App-V Server components. ### Unsupported App-V 5.1 Server scenarios @@ -151,7 +149,7 @@ The following table lists the SQL Server versions that are supported for the App - +For more information on user configuration files with SQL server 2016 or later, see the [support article](https://support.microsoft.com/help/4548751/app-v-server-publishing-might-fail-when-you-apply-user-configuration-f). ### Publishing server operating system requirements @@ -309,7 +307,6 @@ The following table lists the SQL Server versions that are supported for the App ## App-V client system requirements - The following table lists the operating systems that are supported for the App-V 5.1 client installation. **Note:** With the Windows 10 Anniversary release (aka 1607 version), the App-V client is in-box and will block installation of any previous version of the App-V client @@ -422,7 +419,6 @@ App-V adds no additional requirements beyond those of Windows Server. ## Sequencer system requirements - The following table lists the operating systems that are supported for the App-V 5.1 Sequencer installation. @@ -485,7 +481,6 @@ See the Windows or Windows Server documentation for the hardware requirements. A ## Supported versions of System Center Configuration Manager - The App-V client supports the following versions of System Center Configuration Manager: - Microsoft System Center 2012 Configuration Manager @@ -549,23 +544,8 @@ The following App-V and System Center Configuration Manager version matrix shows For more information about how Configuration Manager integrates with App-V, see [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx). - - - - - ## Related topics - [Planning to Deploy App-V](planning-to-deploy-app-v51.md) [App-V 5.1 Prerequisites](app-v-51-prerequisites.md) - - - - - - - - - diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index a39eca9e4d..ebab019584 100644 --- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md @@ -51,12 +51,15 @@ The following table lists the SQL Server versions that the App-V Management data |SQL Server version|Service pack|System architecture| |---|---|---| +|Microsoft SQL Server 2019||32-bit or 64-bit| |Microsoft SQL Server 2017||32-bit or 64-bit| |Microsoft SQL Server 2016|SP2|32-bit or 64-bit| |Microsoft SQL Server 2014||32-bit or 64-bit| |Microsoft SQL Server 2012|SP2|32-bit or 64-bit| |Microsoft SQL Server 2008 R2|SP3|32-bit or 64-bit| +For more information on user configuration files with SQL server 2016 or later, see the [support article](https://support.microsoft.com/help/4548751/app-v-server-publishing-might-fail-when-you-apply-user-configuration-f). + ### Publishing server operating system requirements The App-V Publishing server can be installed on a server that runs Windows Server 2008 R2 with SP1 or later. diff --git a/windows/client-management/generate-kernel-or-complete-crash-dump.md b/windows/client-management/generate-kernel-or-complete-crash-dump.md index 6601e238eb..52a10357c5 100644 --- a/windows/client-management/generate-kernel-or-complete-crash-dump.md +++ b/windows/client-management/generate-kernel-or-complete-crash-dump.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium ms.author: delhan ms.date: 8/28/2019 ms.reviewer: -manager: dcscontentpm +manager: willchen --- # Generate a kernel or complete crash dump @@ -61,7 +61,7 @@ If you can log on while the problem is occurring, you can use the Microsoft Sysi 2. Select **Start**, and then select **Command Prompt**. 3. At the command line, run the following command: - ```cmd + ```console notMyfault.exe /crash ``` @@ -80,6 +80,7 @@ To do this, follow these steps: > Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. 1. In Registry Editor, locate the following registry subkey: + **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl** 2. Right-click **CrashControl**, point to **New**, and then click **DWORD Value**. @@ -101,6 +102,8 @@ To do this, follow these steps: 9. Test this method on the server by using the NMI switch to generate a dump file. You will see a STOP 0x00000080 hardware malfunction. +If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](https://docs.microsoft.com/azure/virtual-machines/linux/serial-console-nmi-sysrq). + ### Use the keyboard [Forcing a System Crash from the Keyboard](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard) @@ -108,4 +111,3 @@ To do this, follow these steps: ### Use Debugger [Forcing a System Crash from the Debugger](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-debugger) - diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index d6d6a9fc16..40de22d2b3 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: lomayor -ms.date: 04/17/2018 +ms.date: 03/27/2020 ms.reviewer: manager: dansimp --- @@ -39,6 +39,9 @@ Available naming macros: Supported operation is Add. +> [!Note] +> For desktop PCs on the next major release of Windows 10 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md). + **Users** Interior node for the user account information. diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 24d475d6e4..413f6d9c1e 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -9,7 +9,6 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: lomayor -ms.date: 09/05/2017 --- # Azure Active Directory integration with MDM @@ -37,7 +36,8 @@ Windows 10 introduces a new way to configure and deploy corporate owned Windows Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device will not be joined to Azure AD. -> **Important**  Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license. +> [!IMPORTANT] +> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license. ### BYOD scenario @@ -60,7 +60,8 @@ For Azure AD enrollment to work for an Active Directory Federated Services (AD F Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar. -> **Note**  Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. +> [!NOTE] +> Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. ### MDM endpoints involved in Azure AD integrated enrollment @@ -80,7 +81,7 @@ To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use **Terms of Use endpoint** Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting user’s consent before the actual enrollment phase begins. -It’s important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g. users in certain geographies may be subject to stricter device management policies). +It’s important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g., users in certain geographies may be subject to stricter device management policies). The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. It’s not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD. @@ -103,7 +104,8 @@ A cloud-based MDM is a SaaS application that provides device management capabili The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661). -> **Note**  For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal. +> [!NOTE] +> For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal. The keys used by the MDM application to request access tokens from Azure AD are managed within the tenant of the MDM vendor and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, regardless of the customer tenent to which the device being managed belongs. @@ -136,7 +138,7 @@ For more information about how to register a sample application with Azure AD, s An on-premises MDM application is inherently different that a cloud MDM. It is a single-tenant application that is present uniquely within the tenant of the customer. Therefore, customers must add the application directly within their own tenant. Additionally, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD. -The customer experience for adding an on-premises MDM to their tenant is similar to that as the cloud-based MDM. There is an entry in the Azure AD app gallery to add an on-premises MDN to the tenant and administrators can configure the required URLs for enrollment and Terms of Use. +To add an on-premises MDM application to the tenant, there is an entry under the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application**. Administrators can configure the required URLs for enrollment and Terms of Use. Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance. @@ -236,7 +238,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is - + @@ -343,14 +345,14 @@ The following claims are expected in the access token passed by Windows to the T
CXH-HOST (HTTP HEADER)SenarioScenario Background Theme WinJS Scenario CSS
-> Note There is no device ID claim in the access token because the device may not yet be enrolled at this time. +> [!NOTE] +> There is no device ID claim in the access token because the device may not yet be enrolled at this time. - To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654). Here's an example URL. -``` syntax +```console https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0 Authorization: Bearer eyJ0eXAiOi ``` @@ -390,7 +392,7 @@ If an error was encountered during the terms of use processing, the MDM can retu Here is the URL format: -``` syntax +```console HTTP/1.1 302 Location: ?error=access_denied&error_description=Access%20is%20denied%2E @@ -426,7 +428,7 @@ The following table shows the error codes.

unsupported version

-

Tenant or user data are missingor other required prerequisites for device enrollment are not met

+

Tenant or user data are missing or other required prerequisites for device enrollment are not met

302

unauthorized_client

unauthorized user or tenant

@@ -601,7 +603,7 @@ In this scenario, the MDM enrollment applies to a single user who initially adde **Evaluating Azure AD user tokens** The Azure AD token is in the HTTP Authorization header in the following format: -``` syntax +```console Authorization:Bearer ``` @@ -621,7 +623,7 @@ Access token issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is An alert is sent when the DM session starts and there is an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example: -``` syntax +```xml Alert Type: com.microsoft/MDM/AADUserToken Alert sample: @@ -636,7 +638,7 @@ Alert sample: UserToken inserted here - … other xml tags … + … other XML tags … ``` @@ -665,7 +667,7 @@ Here's an example. user - … other xml tags … + … other XML tags … ``` @@ -682,9 +684,10 @@ For a sample that illustrates how an MDM can obtain an access token using OAuth The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device currently being managed by it. -> **Note**  This is only applicable for approved MDM apps on Windows 10 devices. +> [!NOTE] +> This is only applicable for approved MDM apps on Windows 10 devices. -``` syntax +```console Sample Graph API Request: PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1 @@ -713,7 +716,7 @@ Response: When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. -![aadj unenerollment](images/azure-ad-unenrollment.png) +![aadj unenrollment](images/azure-ad-unenrollment.png) ## Error codes @@ -921,4 +924,3 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di - diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 9292eb002c..859ffd1672 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 07/11/2018 +ms.date: 03/27/2020 --- # DevDetail CSP @@ -29,121 +29,136 @@ The following diagram shows the DevDetail configuration service provider managem ![devdetail csp (dm)](images/provisioning-csp-devdetail-dm.png) **DevTyp** -

Required. Returns the device model name /SystemProductName as a string. +Required. Returns the device model name /SystemProductName as a string. -

Supported operation is Get. +Supported operation is Get. **OEM** -

Required. Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2. +Required. Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2. -

Supported operation is Get. +Supported operation is Get. **FwV** -

Required. Returns the firmware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneFirmwareRevision. +Required. Returns the firmware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneFirmwareRevision. -

For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion. +For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion. -

Supported operation is Get. +Supported operation is Get. **SwV** -

Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge. +Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge. -

Supported operation is Get. +Supported operation is Get. **HwV** -

Required. Returns the hardware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneRadioHardwareRevision. +Required. Returns the hardware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneRadioHardwareRevision. -

For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion. +For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion. -

Supported operation is Get. +Supported operation is Get. **LrgObj** -

Required. Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2. +Required. Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2. -

Supported operation is Get. +Supported operation is Get. **URI/MaxDepth** -

Required. Returns the maximum depth of the management tree that the device supports. The default is zero (0). +Required. Returns the maximum depth of the management tree that the device supports. The default is zero (0). -

Supported operation is Get. +Supported operation is Get. -

This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth. +This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth. **URI/MaxTotLen** -

Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0). +Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0). -

Supported operation is Get. +Supported operation is Get. -

This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length. +This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length. **URI/MaxSegLen** -

Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0). +Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0). -

Supported operation is Get. +Supported operation is Get. -

This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length. +This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length. **Ext/Microsoft/MobileID** -

Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support. +Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support. -

Supported operation is Get. +Supported operation is Get. -

The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element. - -**Ext/Microsoft/LocalTime** -

Required. Returns the client local time in ISO 8601 format. - -

Supported operation is Get. - -**Ext/Microsoft/OSPlatform** -

Required. Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName. - -

Supported operation is Get. - -**Ext/Microsoft/ProcessorType** -

Required. Returns the processor type of the device as documented in SYSTEM_INFO. - -

Supported operation is Get. +The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element. **Ext/Microsoft/RadioSwV** -

Required. Returns the radio stack software version number. +Required. Returns the radio stack software version number. -

Supported operation is Get. +Supported operation is Get. **Ext/Microsoft/Resolution** -

Required. Returns the UI screen resolution of the device (example: "480x800"). +Required. Returns the UI screen resolution of the device (example: "480x800"). -

Supported operation is Get. +Supported operation is Get. **Ext/Microsoft/CommercializationOperator** -

Required. Returns the name of the mobile operator if it exists; otherwise it returns 404.. +Required. Returns the name of the mobile operator if it exists; otherwise it returns 404.. -

Supported operation is Get. +Supported operation is Get. **Ext/Microsoft/ProcessorArchitecture** -

Required. Returns the processor architecture of the device as "arm" or "x86". +Required. Returns the processor architecture of the device as "arm" or "x86". -

Supported operation is Get. +Supported operation is Get. + +**Ext/Microsoft/ProcessorType** +Required. Returns the processor type of the device as documented in SYSTEM_INFO. + +Supported operation is Get. + +**Ext/Microsoft/OSPlatform** +Required. Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName. + +Supported operation is Get. + +**Ext/Microsoft/LocalTime** +Required. Returns the client local time in ISO 8601 format. + +Supported operation is Get. **Ext/Microsoft/DeviceName** -

Required. Contains the user-specified device name. +Required. Contains the user-specified device name. -

Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs. +Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs. -

Value type is string. +Value type is string. -

Supported operations are Get and Replace. +Supported operations are Get and Replace. + +**Ext/Microsoft/DNSComputerName** +Added in the next major release of Windows 10. This node specifies the DNS computer name for a device. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 63 characters. This node replaces the **Domain/ComputerName** node in [Accounts CSP](accounts-csp.md). + +The following are the available naming macros: + +| Macro | Description | Example | Generated Name | +| -------| -------| -------| -------| +| %RAND:<# of digits> | Generates the specified number of random digits. | Test%RAND:6% | Test123456| +| %SERIAL% | Generates the serial number derived from the device. If the serial number causes the new name to exceed the 63 character limit, the serial number will be truncated from the beginning of the sequence.| Test-Device-%SERIAL% | Test-Device-456| + +Value type is string. Supported operations are Get and Replace. + +> [!Note] +> On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer"s` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**. **Ext/Microsoft/TotalStorage** -

Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage). +Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage). -

Supported operation is Get. +Supported operation is Get. > [!NOTE] > This is only supported in Windows 10 Mobile. **Ext/Microsoft/TotalRAM** -

Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory). +Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory). Supported operation is Get. @@ -153,45 +168,45 @@ Added in Windows 10, version 1809. SMBIOS Serial Number of the device. Value type is string. Supported operation is Get. **Ext/WLANMACAddress** -

The MAC address of the active WLAN connection, as a 12-digit hexadecimal number. +The MAC address of the active WLAN connection, as a 12-digit hexadecimal number. -

Supported operation is Get. +Supported operation is Get. > [!NOTE] > This is not supported in Windows 10 for desktop editions. **Ext/VoLTEServiceSetting** -

Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers. +Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers. -

Supported operation is Get. +Supported operation is Get. **Ext/WlanIPv4Address** -

Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers. +Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers. -

Supported operation is Get. +Supported operation is Get. **Ext/WlanIPv6Address** -

Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers. +Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers. -

Supported operation is Get. +Supported operation is Get. **Ext/WlanDnsSuffix** -

Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers. +Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers. -

Supported operation is Get. +Supported operation is Get. **Ext/WlanSubnetMask** -

Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers. +Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers. -

Supported operation is Get. +Supported operation is Get. **Ext/DeviceHardwareData** -

Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device. +Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device. > [!NOTE] > This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information. -

Supported operation is Get. +Supported operation is Get. ## Related topics diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index b313ad3605..47df0219d5 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -21,7 +21,7 @@ This topic shows the OMA DM device description framework (DDF) for the **DevDeta Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, version 1809. +The XML below is the current version for this CSP. ```xml @@ -488,6 +488,28 @@ The XML below is for Windows 10, version 1809. + + DNSComputerName + + + + + + This node specifies the DNS name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:<# of digits>% and %SERIAL%. Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. If both macros are in the string, the RANDOM macro will take priority over the SERIAL macro (SERIAL will be ignored). The server must explicitly reboot the device for this value to take effect. This value has a maximum allowed length of 63 characters as per DNS standards. + + + + + + + + + + + text/plain + + + TotalStorage diff --git a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png index 6926801241..6ece851369 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png and b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png differ diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index f32917cdbc..adf4eb44d5 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -74,7 +74,7 @@ manager: dansimp -Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). +Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Enable Exploit Protection on Devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). The system settings require a reboot; the application settings do not require a reboot. diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 959f35a071..8053b57d73 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 03/24/2020 +ms.date: 04/07/2020 ms.reviewer: manager: dansimp @@ -149,6 +149,8 @@ where: The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. - In this example, `Group1` and `Group2` are local groups on the device being configured. +> [!Note] +> Currently, the RestrictedGroups/ConfigureGroupMembership policy does not have a MemberOf functionality. However, you can add a local group as a member to another local group by using the member portion, as shown in the above example. diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index a55e6716ff..c5e74893fc 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -1025,6 +1025,7 @@ To validate on Desktop, do the following: [Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] +> * User > * Device

diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index c485382b9e..25159c3271 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -53,17 +53,17 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s - Grant an user right to multiple groups (Administrators, Authenticated Users) via SID ``` - *S-1-5-32-544*S-1-5-11 + *S-1-5-32-544*S-1-5-11 ``` - Grant an user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings ``` - *S-1-5-32-544Authenticated Users + *S-1-5-32-544Authenticated Users ``` - Grant an user right to multiple groups (Authenticated Users, Administrators) via strings ``` - Authenticated UsersAdministrators + Authenticated UsersAdministrators ``` - Empty input indicates that there are no users configured to have that user right diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 70668fa9de..e7cb92b9c4 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -45,12 +45,16 @@ Setting a null (empty) date will delete the existing schedule. In accordance wit

The supported operations are Get, Add, Replace, and Delete.

+

The supported data type is "String".

+ **Schedule/DailyRecurrent**

This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.
Example to configure: 2018-10-25T18:00:00

The supported operations are Get, Add, Replace, and Delete.

+

The supported data type is "String".

+ ## Related topics diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index 1c13aa99ad..eecc7c7075 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -175,6 +175,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro + diff --git a/windows/configuration/images/sccm-asset.PNG b/windows/configuration/images/configmgr-asset.PNG similarity index 100% rename from windows/configuration/images/sccm-asset.PNG rename to windows/configuration/images/configmgr-asset.PNG diff --git a/windows/configuration/images/sccm-assets.PNG b/windows/configuration/images/configmgr-assets.PNG similarity index 100% rename from windows/configuration/images/sccm-assets.PNG rename to windows/configuration/images/configmgr-assets.PNG diff --git a/windows/configuration/images/sccm-client.PNG b/windows/configuration/images/configmgr-client.PNG similarity index 100% rename from windows/configuration/images/sccm-client.PNG rename to windows/configuration/images/configmgr-client.PNG diff --git a/windows/configuration/images/sccm-collection.PNG b/windows/configuration/images/configmgr-collection.PNG similarity index 100% rename from windows/configuration/images/sccm-collection.PNG rename to windows/configuration/images/configmgr-collection.PNG diff --git a/windows/configuration/images/sccm-install-os.PNG b/windows/configuration/images/configmgr-install-os.PNG similarity index 100% rename from windows/configuration/images/sccm-install-os.PNG rename to windows/configuration/images/configmgr-install-os.PNG diff --git a/windows/configuration/images/sccm-post-refresh.PNG b/windows/configuration/images/configmgr-post-refresh.PNG similarity index 100% rename from windows/configuration/images/sccm-post-refresh.PNG rename to windows/configuration/images/configmgr-post-refresh.PNG diff --git a/windows/configuration/images/sccm-pxe.PNG b/windows/configuration/images/configmgr-pxe.PNG similarity index 100% rename from windows/configuration/images/sccm-pxe.PNG rename to windows/configuration/images/configmgr-pxe.PNG diff --git a/windows/configuration/images/sccm-site.PNG b/windows/configuration/images/configmgr-site.PNG similarity index 100% rename from windows/configuration/images/sccm-site.PNG rename to windows/configuration/images/configmgr-site.PNG diff --git a/windows/configuration/images/sccm-software-cntr.PNG b/windows/configuration/images/configmgr-software-cntr.PNG similarity index 100% rename from windows/configuration/images/sccm-software-cntr.PNG rename to windows/configuration/images/configmgr-software-cntr.PNG diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 391961e1bd..d4e56af1b7 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -103,15 +103,16 @@ ##### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md) ### Deploy Windows 10 with Microsoft Endpoint Configuration Manager -#### [Prepare for Windows 10 deployment with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -#### Deploy Windows 10 with Configuration Manager +#### Prepare for Windows 10 deployment with Configuration Manager +##### [Prepare for Zero Touch Installation with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) ##### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md) ##### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md) ##### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) ##### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) ##### [Create a task sequence with Configuration Manager and MDT](deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md) ##### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) + +#### Deploy Windows 10 with Configuration Manager ##### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md) ##### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) ##### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) @@ -245,13 +246,20 @@ ### Monitor Windows Updates #### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) #### [Get started with Update Compliance](update/update-compliance-get-started.md) +##### [Update Compliance Configuration Script](update/update-compliance-configuration-script.md) +##### [Manually Configuring Devices for Update Compliance](update/update-compliance-configuration-manual.md) #### [Use Update Compliance](update/update-compliance-using.md) ##### [Need Attention! report](update/update-compliance-need-attention.md) ##### [Security Update Status report](update/update-compliance-security-update-status.md) ##### [Feature Update Status report](update/update-compliance-feature-update-status.md) -##### [Windows Defender AV Status report](update/update-compliance-wd-av-status.md) ##### [Delivery Optimization in Update Compliance](update/update-compliance-delivery-optimization.md) -##### [Update Compliance Perspectives](update/update-compliance-perspectives.md) +##### [Data Handling and Privacy in Update Compliance](update/update-compliance-privacy.md) +##### [Update Compliance Schema Reference](update/update-compliance-schema.md) +###### [WaaSUpdateStatus](update/update-compliance-schema-waasupdatestatus.md) +###### [WaaSInsiderStatus](update/update-compliance-schema-waasinsiderstatus.md) +###### [WaaSDeploymentStatus](update/update-compliance-schema-waasdeploymentstatus.md) +###### [WUDOStatus](update/update-compliance-schema-wudostatus.md) +###### [WUDOAggregatedStatus](update/update-compliance-schema-wudoaggregatedstatus.md) ### Best practices #### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md) #### [Update Windows 10 media with Dynamic Update](update/media-dynamic-update.md) diff --git a/windows/deployment/deploy-windows-cm/TOC.md b/windows/deployment/deploy-windows-cm/TOC.md index daaec1091b..b26445c4ab 100644 --- a/windows/deployment/deploy-windows-cm/TOC.md +++ b/windows/deployment/deploy-windows-cm/TOC.md @@ -1,13 +1,14 @@ # Deploy Windows 10 with Microsoft Endpoint Configuration Manager -## [Prepare for Windows 10 deployment with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -## Deploy Windows 10 with Configuration Manager +## Prepare for Windows 10 deployment with Configuration Manager +### [Prepare for Zero Touch Installation with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) ### [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) ### [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) ### [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) ### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) ### [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) ### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) + +## Deploy Windows 10 with Configuration Manager ### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) ### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) ### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md index 19ebb6ea7b..a5ea3f78c2 100644 --- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -21,7 +21,16 @@ ms.topic: article - Windows 10 -In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) machine named PC0001. +In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic. + +This topic assumes that you have completed the following prerequisite procedures: +- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) +- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) +- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) +- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) +- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) +- [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) +- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) For the purposes of this guide, we will use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001). - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. Note: DHCP services are required for the client (PC0001) to connect to the Windows Deployment Service (WDS). @@ -36,10 +45,8 @@ All servers are running Windows Server 2019. However, an earlier, supported vers All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. -An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). - >[!NOTE] ->No WDS console configuration required for PXE to work. Everything is done with the Configuration Manager console. +>No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console. ## Procedures @@ -52,7 +59,7 @@ An existing Configuration Manager infrastructure that is integrated with MDT is * Install the Windows 10 operating system. * Install the Configuration Manager client and the client hotfix. - * Join the machine to the domain. + * Join the computer to the domain. * Install the application added to the task sequence. >[!NOTE] diff --git a/windows/deployment/images/sccm-asset.PNG b/windows/deployment/images/configmgr-asset.png similarity index 100% rename from windows/deployment/images/sccm-asset.PNG rename to windows/deployment/images/configmgr-asset.png diff --git a/windows/deployment/images/sccm-assets.PNG b/windows/deployment/images/configmgr-assets.png similarity index 100% rename from windows/deployment/images/sccm-assets.PNG rename to windows/deployment/images/configmgr-assets.png diff --git a/windows/deployment/images/sccm-client.PNG b/windows/deployment/images/configmgr-client.PNG similarity index 100% rename from windows/deployment/images/sccm-client.PNG rename to windows/deployment/images/configmgr-client.PNG diff --git a/windows/deployment/images/sccm-collection.PNG b/windows/deployment/images/configmgr-collection.PNG similarity index 100% rename from windows/deployment/images/sccm-collection.PNG rename to windows/deployment/images/configmgr-collection.PNG diff --git a/windows/deployment/images/sccm-install-os.PNG b/windows/deployment/images/configmgr-install-os.PNG similarity index 100% rename from windows/deployment/images/sccm-install-os.PNG rename to windows/deployment/images/configmgr-install-os.PNG diff --git a/windows/deployment/images/sccm-post-refresh.PNG b/windows/deployment/images/configmgr-post-refresh.PNG similarity index 100% rename from windows/deployment/images/sccm-post-refresh.PNG rename to windows/deployment/images/configmgr-post-refresh.PNG diff --git a/windows/deployment/images/sccm-pxe.PNG b/windows/deployment/images/configmgr-pxe.PNG similarity index 100% rename from windows/deployment/images/sccm-pxe.PNG rename to windows/deployment/images/configmgr-pxe.PNG diff --git a/windows/deployment/images/sccm-site.PNG b/windows/deployment/images/configmgr-site.PNG similarity index 100% rename from windows/deployment/images/sccm-site.PNG rename to windows/deployment/images/configmgr-site.PNG diff --git a/windows/deployment/images/sccm-software-cntr.PNG b/windows/deployment/images/configmgr-software-cntr.PNG similarity index 100% rename from windows/deployment/images/sccm-software-cntr.PNG rename to windows/deployment/images/configmgr-software-cntr.PNG diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 580e42db27..45e00f7007 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -233,7 +233,7 @@ The following steps illustrate high-level phases of the MBR-to-GPT conversion pr 1. Disk validation is performed. 2. The disk is repartitioned to create an EFI system partition (ESP) if one does not already exist. 3. UEFI boot files are installed to the ESP. -4. GPT metatdata and layout information is applied. +4. GPT metadata and layout information is applied. 5. The boot configuration data (BCD) store is updated. 6. Drive letter assignments are restored. diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index 520d6cc598..5a34226e0f 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -21,7 +21,8 @@ The features described below are no longer being actively developed, and might b **The following list is subject to change and might not include every affected feature or functionality.** ->If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). +> [!NOTE] +> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). |Feature | Details and mitigation | Announced in version | | ----------- | --------------------- | ---- | @@ -47,7 +48,6 @@ The features described below are no longer being actively developed, and might b |Business Scanning| This feature is also called Distributed Scan Management (DSM) **(Added 05/03/2018)**
 
The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| 1803 | |IIS 6 Management Compatibility* | We recommend that users use alternative scripting tools and a newer management console. | 1709 | |IIS Digest Authentication | We recommend that users use alternative authentication methods.| 1709 | -|Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 | |RSA/AES Encryption for IIS | We recommend that users use CNG encryption provider. | 1709 | |Screen saver functionality in Themes | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 | |Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work. | 1709 | @@ -63,4 +63,4 @@ The features described below are no longer being actively developed, and might b |TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](https://docs.microsoft.com/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 | |TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](https://docs.microsoft.com/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 | |IPsec Task Offload| [IPsec Task Offload](https://docs.microsoft.com/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 | -|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quite switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.| +|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.| diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md index 3063058112..1c93c41731 100644 --- a/windows/deployment/planning/windows-10-removed-features.md +++ b/windows/deployment/planning/windows-10-removed-features.md @@ -18,7 +18,7 @@ ms.topic: article Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that we removed in Windows 10. **The list below is subject to change and might not include every affected feature or functionality.** -For information about features that might be removed in a future release, see [Windows 10 features we’re no longer developing](windows-10-deprecated-features.md) +For information about features that might be removed in a future release, see [Windows 10 features we’re no longer developing](windows-10-deprecated-features.md). > [!NOTE] > Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself. @@ -50,12 +50,13 @@ The following features and functionalities have been removed from the installed |Reading List | Functionality to be integrated into Microsoft Edge. | 1709 | |Screen saver functionality in Themes | This functionality is disabled in Themes, and classified as **Removed** in this table. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 | |Syskey.exe | Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window). | 1709 | -|TCP Offload Engine | Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193).| 1709 | +|TCP Offload Engine | Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| 1709 | |Tile Data Layer |To be replaced by the Tile Store.| 1709 | +|Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 | |Apps Corner| This Windows 10 mobile application is removed in the version 1703 release. | 1703 | |By default, Flash autorun in Edge is turned off. | Use the Click-to-Run (C2R) option instead. (This setting can be changed by the user.) | 1703 | |Interactive Service Detection Service| See [Interactive Services](https://docs.microsoft.com/windows/win32/services/interactive-services?redirectedfrom=MSDN) for guidance on how to keep software up to date. | 1703 | |Microsoft Paint | This application will not be available for languages that are not on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization). | 1703 | |NPN support in TLS | This feature is superseded by Application-Layer Protocol Negotiation (ALPN). | 1703 | |Windows Information Protection "AllowUserDecryption" policy | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. | 1703 | -|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 | \ No newline at end of file +|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 | diff --git a/windows/deployment/update/images/UC-vid-crop.jpg b/windows/deployment/update/images/UC-vid-crop.jpg deleted file mode 100644 index 47e74febbc..0000000000 Binary files a/windows/deployment/update/images/UC-vid-crop.jpg and /dev/null differ diff --git a/windows/deployment/update/images/UC_00_marketplace_search.PNG b/windows/deployment/update/images/UC_00_marketplace_search.PNG deleted file mode 100644 index dcdf25d38a..0000000000 Binary files a/windows/deployment/update/images/UC_00_marketplace_search.PNG and /dev/null differ diff --git a/windows/deployment/update/images/UC_01_marketplace_create.PNG b/windows/deployment/update/images/UC_01_marketplace_create.PNG deleted file mode 100644 index 4b34311112..0000000000 Binary files a/windows/deployment/update/images/UC_01_marketplace_create.PNG and /dev/null differ diff --git a/windows/deployment/update/images/UC_02_workspace_create.PNG b/windows/deployment/update/images/UC_02_workspace_create.PNG deleted file mode 100644 index ed3eeeebbb..0000000000 Binary files a/windows/deployment/update/images/UC_02_workspace_create.PNG and /dev/null differ diff --git a/windows/deployment/update/images/UC_03_workspace_select.PNG b/windows/deployment/update/images/UC_03_workspace_select.PNG deleted file mode 100644 index d00864b861..0000000000 Binary files a/windows/deployment/update/images/UC_03_workspace_select.PNG and /dev/null differ diff --git a/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG b/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG deleted file mode 100644 index 3ea9f57531..0000000000 Binary files a/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG and /dev/null differ diff --git a/windows/deployment/update/images/UC_commercialID.png b/windows/deployment/update/images/UC_commercialID.png deleted file mode 100644 index 6896be03e6..0000000000 Binary files a/windows/deployment/update/images/UC_commercialID.png and /dev/null differ diff --git a/windows/deployment/update/images/UC_commercialID_GP.png b/windows/deployment/update/images/UC_commercialID_GP.png deleted file mode 100644 index 95d92cf6df..0000000000 Binary files a/windows/deployment/update/images/UC_commercialID_GP.png and /dev/null differ diff --git a/windows/deployment/update/images/UC_telemetrylevel.png b/windows/deployment/update/images/UC_telemetrylevel.png deleted file mode 100644 index a11e68a5f8..0000000000 Binary files a/windows/deployment/update/images/UC_telemetrylevel.png and /dev/null differ diff --git a/windows/deployment/update/images/UC_workspace_WDAV_status.PNG b/windows/deployment/update/images/UC_workspace_WDAV_status.PNG deleted file mode 100644 index 40dcaef949..0000000000 Binary files a/windows/deployment/update/images/UC_workspace_WDAV_status.PNG and /dev/null differ diff --git a/windows/deployment/update/images/uc-01-wdav.png b/windows/deployment/update/images/uc-01-wdav.png deleted file mode 100644 index c0ef37ebc6..0000000000 Binary files a/windows/deployment/update/images/uc-01-wdav.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-01.png b/windows/deployment/update/images/uc-01.png deleted file mode 100644 index 7f4df9f6d7..0000000000 Binary files a/windows/deployment/update/images/uc-01.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-02.png b/windows/deployment/update/images/uc-02.png deleted file mode 100644 index 8317f051c3..0000000000 Binary files a/windows/deployment/update/images/uc-02.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-02a.png b/windows/deployment/update/images/uc-02a.png deleted file mode 100644 index d12544e3a0..0000000000 Binary files a/windows/deployment/update/images/uc-02a.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-03.png b/windows/deployment/update/images/uc-03.png deleted file mode 100644 index 58494c4128..0000000000 Binary files a/windows/deployment/update/images/uc-03.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-03a.png b/windows/deployment/update/images/uc-03a.png deleted file mode 100644 index 39412fc8f3..0000000000 Binary files a/windows/deployment/update/images/uc-03a.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-04.png b/windows/deployment/update/images/uc-04.png deleted file mode 100644 index ef9a37d379..0000000000 Binary files a/windows/deployment/update/images/uc-04.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-04a.png b/windows/deployment/update/images/uc-04a.png deleted file mode 100644 index 537d4bbe72..0000000000 Binary files a/windows/deployment/update/images/uc-04a.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-05.png b/windows/deployment/update/images/uc-05.png deleted file mode 100644 index 21c8e9f9e0..0000000000 Binary files a/windows/deployment/update/images/uc-05.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-05a.png b/windows/deployment/update/images/uc-05a.png deleted file mode 100644 index 2271181622..0000000000 Binary files a/windows/deployment/update/images/uc-05a.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-06.png b/windows/deployment/update/images/uc-06.png deleted file mode 100644 index 03a559800b..0000000000 Binary files a/windows/deployment/update/images/uc-06.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-06a.png b/windows/deployment/update/images/uc-06a.png deleted file mode 100644 index 15df1cfea0..0000000000 Binary files a/windows/deployment/update/images/uc-06a.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-07.png b/windows/deployment/update/images/uc-07.png deleted file mode 100644 index de1ae35e82..0000000000 Binary files a/windows/deployment/update/images/uc-07.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-07a.png b/windows/deployment/update/images/uc-07a.png deleted file mode 100644 index c0f2d9fd73..0000000000 Binary files a/windows/deployment/update/images/uc-07a.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-08.png b/windows/deployment/update/images/uc-08.png deleted file mode 100644 index 877fcd64c0..0000000000 Binary files a/windows/deployment/update/images/uc-08.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-08a.png b/windows/deployment/update/images/uc-08a.png deleted file mode 100644 index 89da287d3d..0000000000 Binary files a/windows/deployment/update/images/uc-08a.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-09.png b/windows/deployment/update/images/uc-09.png deleted file mode 100644 index 37d7114f19..0000000000 Binary files a/windows/deployment/update/images/uc-09.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-09a.png b/windows/deployment/update/images/uc-09a.png deleted file mode 100644 index f6b6ec5b60..0000000000 Binary files a/windows/deployment/update/images/uc-09a.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-10.png b/windows/deployment/update/images/uc-10.png deleted file mode 100644 index ea065590b9..0000000000 Binary files a/windows/deployment/update/images/uc-10.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-10a.png b/windows/deployment/update/images/uc-10a.png deleted file mode 100644 index 1c6b8b01dc..0000000000 Binary files a/windows/deployment/update/images/uc-10a.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-11.png b/windows/deployment/update/images/uc-11.png deleted file mode 100644 index 8b4fc568ea..0000000000 Binary files a/windows/deployment/update/images/uc-11.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-12.png b/windows/deployment/update/images/uc-12.png deleted file mode 100644 index 4198684c99..0000000000 Binary files a/windows/deployment/update/images/uc-12.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-13.png b/windows/deployment/update/images/uc-13.png deleted file mode 100644 index 117f9b9fd8..0000000000 Binary files a/windows/deployment/update/images/uc-13.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-14.png b/windows/deployment/update/images/uc-14.png deleted file mode 100644 index 66047984e7..0000000000 Binary files a/windows/deployment/update/images/uc-14.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-15.png b/windows/deployment/update/images/uc-15.png deleted file mode 100644 index c241cd9117..0000000000 Binary files a/windows/deployment/update/images/uc-15.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-16.png b/windows/deployment/update/images/uc-16.png deleted file mode 100644 index e7aff4d4ed..0000000000 Binary files a/windows/deployment/update/images/uc-16.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-17.png b/windows/deployment/update/images/uc-17.png deleted file mode 100644 index cb8e42ca5e..0000000000 Binary files a/windows/deployment/update/images/uc-17.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-18.png b/windows/deployment/update/images/uc-18.png deleted file mode 100644 index 5eff59adc9..0000000000 Binary files a/windows/deployment/update/images/uc-18.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-19.png b/windows/deployment/update/images/uc-19.png deleted file mode 100644 index 791900eafc..0000000000 Binary files a/windows/deployment/update/images/uc-19.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-20.png b/windows/deployment/update/images/uc-20.png deleted file mode 100644 index 7dbb027b9f..0000000000 Binary files a/windows/deployment/update/images/uc-20.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-21.png b/windows/deployment/update/images/uc-21.png deleted file mode 100644 index 418db41fe4..0000000000 Binary files a/windows/deployment/update/images/uc-21.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-22.png b/windows/deployment/update/images/uc-22.png deleted file mode 100644 index 2ca5c47a61..0000000000 Binary files a/windows/deployment/update/images/uc-22.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-23.png b/windows/deployment/update/images/uc-23.png deleted file mode 100644 index 58b82db82d..0000000000 Binary files a/windows/deployment/update/images/uc-23.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-24.png b/windows/deployment/update/images/uc-24.png deleted file mode 100644 index 00bc61e3e1..0000000000 Binary files a/windows/deployment/update/images/uc-24.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-25.png b/windows/deployment/update/images/uc-25.png deleted file mode 100644 index 4e0f0bdb03..0000000000 Binary files a/windows/deployment/update/images/uc-25.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-DO-status.png b/windows/deployment/update/images/uc-DO-status.png deleted file mode 100644 index d4b47be324..0000000000 Binary files a/windows/deployment/update/images/uc-DO-status.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-emptyworkspacetile.PNG b/windows/deployment/update/images/uc-emptyworkspacetile.PNG deleted file mode 100644 index 24c37d4279..0000000000 Binary files a/windows/deployment/update/images/uc-emptyworkspacetile.PNG and /dev/null differ diff --git a/windows/deployment/update/images/uc-featureupdatestatus.PNG b/windows/deployment/update/images/uc-featureupdatestatus.PNG deleted file mode 100644 index ae6a38502f..0000000000 Binary files a/windows/deployment/update/images/uc-featureupdatestatus.PNG and /dev/null differ diff --git a/windows/deployment/update/images/uc-filledworkspacetile.PNG b/windows/deployment/update/images/uc-filledworkspacetile.PNG deleted file mode 100644 index 7293578b1a..0000000000 Binary files a/windows/deployment/update/images/uc-filledworkspacetile.PNG and /dev/null differ diff --git a/windows/deployment/update/images/uc-filledworkspaceview.PNG b/windows/deployment/update/images/uc-filledworkspaceview.PNG deleted file mode 100644 index 8d99e52e02..0000000000 Binary files a/windows/deployment/update/images/uc-filledworkspaceview.PNG and /dev/null differ diff --git a/windows/deployment/update/images/uc-needattentionoverview.PNG b/windows/deployment/update/images/uc-needattentionoverview.PNG deleted file mode 100644 index 50b6d04699..0000000000 Binary files a/windows/deployment/update/images/uc-needattentionoverview.PNG and /dev/null differ diff --git a/windows/deployment/update/images/uc-overviewblade.PNG b/windows/deployment/update/images/uc-overviewblade.PNG deleted file mode 100644 index dca364daf6..0000000000 Binary files a/windows/deployment/update/images/uc-overviewblade.PNG and /dev/null differ diff --git a/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png b/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png deleted file mode 100644 index f52087a4a7..0000000000 Binary files a/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png and /dev/null differ diff --git a/windows/deployment/update/images/uc-securityupdatestatus.PNG b/windows/deployment/update/images/uc-securityupdatestatus.PNG deleted file mode 100644 index 75e9d10fd8..0000000000 Binary files a/windows/deployment/update/images/uc-securityupdatestatus.PNG and /dev/null differ diff --git a/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG b/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG deleted file mode 100644 index e3f6990348..0000000000 Binary files a/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG and /dev/null differ diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md new file mode 100644 index 0000000000..fc22965271 --- /dev/null +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -0,0 +1,77 @@ +--- +title: Manually configuring devices for Update Compliance +ms.reviewer: +manager: laurawi +description: Manually configuring devices for Update Compliance +keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: jaimeo +ms.author: jaimeo +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Manually Configuring Devices for Update Compliance + +There are a number of requirements to consider when manually configuring Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required. + +The requirements are separated into different categories: + +1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured. +2. Devices in every network topography needs to send data to the [**required endpoints**](#required-endpoints) for Update Compliance, for example both devices in main and satellite offices, which may have different network configurations. +3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality. + +## Required policies + +> [!NOTE] +> Windows 10 MDM and Group Policies are backed by registry keys. It is not recommended you set these registry keys directly for configuration as it can lead to unexpected behavior, so the exact registry key locations are not provided, though they are referenced for troubleshooting configuration issues with the [Update Compliance Configuration Script](update-compliance-configuration-script.md). + +Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) or Group Policy. For both tables: + +- **Policy** corresponds to the location and name of the policy. +- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) telemetry, but can function off Enhanced or Full (or Optional). +- **Function** details why the policy is required and what function it serves for Update Compliance. It will also detail a minimum version the policy is required, if any. + +### Mobile Device Management policies + +Each MDM Policy links to its documentation in the CSP hierarchy, providing its exact location in the hierarchy and more details. + +| Policy | Value | Function | +|---------------------------|-|------------------------------------------------------------| +|**Provider/*ProviderID*/**[**CommercialID**](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. | +|**System/**[**AllowTelemetry**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |1- Basic |Configures the maximum allowed telemetry to be sent to Microsoft. Individual users can still set this lower than what the policy defines, see the below policy for more information. | +|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | Disable Telemetry opt-in Settings | (*Windows 10 1803+*) Determines whether end-users of the device can adjust telemetry to levels lower than the level defined by AllowTelemetry. It is recommended you disable this policy order the effective telemetry level on devices may not be sufficient. | +|**System/**[**AllowDeviceNameInDiagnosticData**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. | + +### Group Policies + +All Group Policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below. + +| Policy | Value | Function | +|---------------------------|-|-----------------------------------------------------------| +|**Configure the Commercial ID** |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) | Identifies the device as belonging to your organization. | +|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed telemetry to be sent to Microsoft. Individual users can still set this lower than what the policy defines, see the below policy for more information. | +|**Configure telemetry opt-in setting user interface** | Disable telemetry opt-in Settings |(*Windows 10 1803+*) Determines whether end-users of the device can adjust telemetry to levels lower than the level defined by AllowTelemetry. It is recommended you disable this policy order the effective telemetry level on devices may not be sufficient. | +|**Allow device name to be sent in Windows diagnostic data** | Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. | + +## Required endpoints + +To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to allow devices to contact the below endpoints. + +| **Endpoint** | **Function** | +|---------------------------------------------------------|-----------| +| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. Census.exe must run on a regular cadence and contact this endpoint in order to receive the majority of [WaaSUpdateStatus](update-compliance-schema-waasupdatestatus.md) information for Update Compliance. | +| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. | +| `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. | +| `http://adl.windows.com` | Required for Windows Update functionality. | +| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting in the event of certain Feature Update deployment failures. | +| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. | +| `https://login.live.com` | This endpoint facilitates MSA access and is required to create the primary identifier we use for devices. Without this service, devices will not be visible in the solution. This also requires Microsoft Account Sign-in Assistant service to be running (wlidsvc). | + +## Required services + +Many Windows and Microsoft services are required to ensure that not only the device can function, but Update Compliance can see device data. It is recommended that you allow all default services from the out-of-box experience to remain running. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically. diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md new file mode 100644 index 0000000000..fd14c25d99 --- /dev/null +++ b/windows/deployment/update/update-compliance-configuration-script.md @@ -0,0 +1,99 @@ +--- +title: Update Compliance Configuration Script +ms.reviewer: +manager: laurawi +description: Downloading and using the Update Compliance Configuration Script +keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: jaimeo +ms.author: jaimeo +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Configuring devices through the Update Compliance Configuration Script + +The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more. + +You can [**download the script here**](https://www.microsoft.com/en-us/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting. + +## How the script is organized + +The script is organized into two folders **Pilot** and **Deployment**. Both folders have the same key files: `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the .bat itself, which will then execute `ConfigScript.ps1` with the parameters entered to RunConfig.bat. + +- The **Pilot** folder and its contents are intended to be used on an initial set of single devices in specific environments (main office & satellite office, for example) for testing and troubleshooting prior to broader deployment. This script is configured to collect and output detailed logs for every device it runs on. +- The **Deployment** folder is intended to be deployed across an entire device population in a specific environment once devices in that environment have been validated with the Pilot script. + +## How to use the script + +### Piloting and Troubleshooting + +> [!IMPORTANT] +> If you encounter an issue with Update Compliance, the first step should be to run the script in Pilot mode on a device you are encountering issues with, and save these Logs for reference with Support. + +When using the script in the context of troubleshooting, use `Pilot`. Enter `RunConfig.bat`, and configure it as follows: + +1. Configure `logPath` to a path where the script will have write access and a place you can easily access. This specifies the output of the log files generated when the script is in Verbose mode. +2. Configure `commercialIDValue` to your CommercialID. To get your CommercialID, see [Getting your CommercialID](update-compliance-get-started.md#get-your-commercialid). +3. Run the script. The script must be run in System context. +4. Examine the Logs output for any issues. If there were issues: + - Compare Logs output with the required settings covered in [Manually Configuring Devices for Update Compliance] (update-compliance-configuration-manual.md). + - Examine the script errors and refer to the [script error reference](#script-error-reference) on how to interpret the codes. + - Make the necessary corrections and run the script again. +5. When you no longer have issues, proceed to using the script for more broad deployment with the `Deployment` folder. + + +### Broad deployment + +After verifying on a set of devices in a specific environment that everything is configured correctly, you can proceed to broad deployment. + +1. Configure `commercialIDValue` in `RunConfig.bat` to [your CommercialID](update-compliance-get-started.md#get-your-commercialid). +2. Use a management tool like Configuration Manager or Intune to broadly deploy the script to your entire target population. + +## Script Error Reference + +|Error |Description | +|-|-------------------| +| 27 | Not system account. | +| 37 | Unexpected exception when collecting logs| +| 1 | General unexpected error| +| 6 | Invalid CommercialID| +| 48 | CommercialID is not a GUID| +| 8 | Couldn't create registry key path to setup CommercialID| +| 9 | Couldn't write CommercialID at registry key path| +| 53 | There are conflicting CommercialID values.| +| 11 | Unexpected result when setting up CommercialID.| +| 62 | AllowTelemetry registry key is not of the correct type `REG_DWORD`| +| 63 | AllowTelemetry is not set to the appropriate value and it could not be set by the script.| +| 64 | AllowTelemetry is not of the correct type `REG_DWORD`.| +| 99 | Device is not Windows 10.| +| 40 | Unexpected exception when checking and setting telemetry.| +| 12 | CheckVortexConnectivity failed, check Log output for more information.| +| 12 | Unexpected failure when running CheckVortexConnectivity.| +| 66 | Failed to verify UTC connectivity and recent uploads.| +| 67 | Unexpected failure when verifying UTC CSP connectivity of the WMI Bridge.| +| 41 | Unable to impersonate logged-on user.| +| 42 | Unexpected exception when attempting to impersonate logged-on user.| +| 43 | Unexpected exception when attempting to impersonate logged-on user.| +| 16 | Reboot is pending on device, restart device and restart script.| +| 17 | Unexpected exception in CheckRebootRequired.| +| 44 | Error when running CheckDiagTrack service.| +| 45 | DiagTrack.dll not found.| +| 50 | DiagTrack service not running.| +| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.| +| 55 | Failed to create new registry path for `SetDeviceNameOptIn` of the PowerShell script.| +| 56 | Failed to create property for `SetDeviceNameOptIn` of the PowerShell script at registry path.| +| 57 | Failed to update value for `SetDeviceNameOptIn` of the PowerShell script.| +| 58 | Unexpected exception in `SetDeviceNameOptIn` of the PowerShell script.| +| 59 | Failed to delete `LastPersistedEventTimeOrFirstBoot` property at registry path when attempting to clean up OneSettings.| +| 60 | Failed to delete registry key when attempting to clean up OneSettings.| +| 61 | Unexpected exception when attempting to clean up OneSettings.| +| 52 | Could not find Census.exe| +| 51 | Unexpected exception when attempting to run Census.exe| +| 34 | Unexpected exception when attempting to check Proxy settings.| +| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.| +| 35 | Unexpected exception when checking User Proxy.| diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index 2d3216901c..1fc602e081 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md @@ -37,9 +37,7 @@ Refer to the following list for what each state means: ## Compatibility holds -Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device’s upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release. - -To learn how compatibility holds are reflected in the experience, see [Update compliance perspectives](update-compliance-perspectives.md#deployment-status). +Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device's upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release. ### Opting out of compatibility hold diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 8e7dfad9c8..4e77a4d513 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -1,8 +1,8 @@ --- -title: Get started with Update Compliance (Windows 10) +title: Get started with Update Compliance ms.reviewer: manager: laurawi -description: Configure Update Compliance in Azure Portal to see the status of updates and antimalware protection on devices in your network. +description: Prerequisites, Azure onboarding, and configuring devices for Update Compliance keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav ms.prod: w10 ms.mktglfcycl: deploy @@ -16,112 +16,68 @@ ms.topic: article --- # Get started with Update Compliance -This topic explains the steps necessary to configure your environment for Update Compliance. -Steps are provided in sections that follow the recommended setup process: +This topic introduces the high-level steps required to enroll to the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow. -1. Ensure you meet the [Update Compliance prerequisites](#update-compliance-prerequisites). -2. [Add Update Compliance to your Azure subscription](#add-update-compliance-to-your-azure-subscription). -3. [Enroll devices in Update Compliance](#enroll-devices-in-update-compliance). -4. [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and get Delivery Optimization insights. +1. Ensure you can [meet the requirements](#update-compliance-prerequisites) to use Update Compliance. +2. [Add Update Compliance](#add-update-compliance-to-your-azure-subscription) to your Azure subscription. +3. [Configure devices](#enroll-devices-in-update-compliance) to send data to Update Compliance. + +After adding the solution to Azure and configuring devices, there will be a waiting period of up to 72 hours before you can begin to see devices in the solution. Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization. ## Update Compliance prerequisites + Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites: -1. Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 Enterprise edition, as well as [Windows 10 Enterprise multi-session](https://docs.microsoft.com/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc. -2. Update Compliance provides detailed deployment data for devices on the Semi-Annual Channel and the Long-term Servicing Channel. Update Compliance will show Windows Insider Preview devices, but currently will not provide detailed deployment information for them. -3. Update Compliance requires at least the Basic level of diagnostic data and a Commercial ID to be enabled on the device. -4. For Windows 10 1803+, device names will not appear in Update Compliance unless you opt in. The steps to accomplish this is outlined in the [Enroll devices in Update Compliance](#enroll-devices-in-update-compliance) section. + +1. **Compatible Operating Systems and Editions**: Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 Enterprise edition, as well as [Windows 10 Enterprise multi-session](https://docs.microsoft.com/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc. +2. **Compatible Windows 10 Servicing Channels**: Update Compliance supports Windows 10 devices on the Semi-Annual Channel (SAC) and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview (WIP) devices, but does not currently provide detailed deployment insights for them. +3. **Diagnostic data requirements**: Update Compliance requires devices be configured to send diagnostic data at *Required* level (previously *Basic*). To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy). +4. **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md). +5. **Showing Device Names in Update Compliance**: For Windows 10 1803+, device names will not appear in Update Compliance unless you individually opt-in devices via policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md). ## Add Update Compliance to your Azure subscription -Update Compliance is offered as a solution which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps: -1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. +Update Compliance is offered as an Azure Marketplace application which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps: + +1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You may need to login to your Azure subscription to access this. +2. Select **Get it now**. +3. Choose an existing or configure a new Log Analytics Workspace. While an Azure subscription is required, you will not be charged for ingestion of Update Compliance data. + - [Desktop Analytics](https://docs.microsoft.com/sccm/desktop-analytics/overview) customers are advised to use the same workspace for Update Compliance. + - [Azure Update Management](https://docs.microsoft.com/azure/automation/automation-update-management) customers are advised to use the same workspace for Update Compliance. +4. After your workspace is configured and selected, select **Create**. You will receive a notification when the solution has been successfully created. > [!NOTE] -> Update Compliance is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Update Compliance, but no Azure charges are expected to accrue to the subscription as a result of using Update Compliance. +> It is not currently supported to programmatically enroll to Update Compliance via the [Azure CLI](https://docs.microsoft.com/cli/azure) or otherwise. You must manually add Update Compliance to your Azure subscription. -2. In the Azure portal select **+ Create a resource**, and search for “Update Compliance". You should see it in the results below. +### Get your CommercialID -![Update Compliance marketplace search results](images/UC_00_marketplace_search.png) +A CommercialID is a globally-unique identifier assigned to a specific Log Analytics workspace. The CommercialID is copied to an MDM or Group Policy and is used to identify devices in your environment. -3. Select **Update Compliance** and a blade will appear summarizing the solution’s offerings. At the bottom, select **Create** to begin adding the solution to Azure. +To find your CommercialID within Azure: -![Update Compliance solution creation](images/UC_01_marketplace_create.png) - -4. Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution. - - [Desktop Analytics](https://docs.microsoft.com/sccm/desktop-analytics/overview) customers are advised to use the same workspace for Update Compliance. - - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: - - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. - - For the resource group setting select **Create new** and use the same name you chose for your new workspace. - - For the location setting, choose the Azure region where you would prefer the data to be stored. - - For the pricing tier select **per GB**. - -![Update Compliance workspace creation](images/UC_02_workspace_create.png) - -5. The resource group and workspace creation process could take a few minutes. After this, you are able to use that workspace for Update Compliance. Select **Create**. - -![Update Compliance workspace selection](images/UC_03_workspace_select.png) - -6. Watch for a notification in the Azure portal that your deployment has been successful. This might take a few minutes. Then, select **Go to resource**. - -![Update Compliance deployment successful](images/UC_04_resourcegrp_deployment_successful.png) - -## Enroll devices in Update Compliance -Once you've added Update Compliance to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Update Compliance there are three key steps to ensure successful enrollment: - -### Deploy your Commercial ID to devices -A Commercial ID is a globally-unique identifier assigned to a specific Log Analytics workspace. This is used to identify devices as part of your environment. - -To find your Commercial ID within Azure: -1. Navigate to the **Solutions** tab for your workspace, and then select the **WaaSUpdateInsights** solution. -2. From there, select the Update Compliance Settings page on the navbar. -3. Your Commercial ID is available in the settings page. - -![Update Compliance Settings page](images/UC_commercialID.png) +1. Navigate to the **Solutions** tab for your workspace, and then select the **WaaSUpdateInsights** solution. +2. From there, select the Update Compliance Settings page on the navbar. +3. Your CommercialID is available in the settings page. > [!IMPORTANT] ->Regenerate your Commercial ID only if your original ID can no longer be used or if you want to completely reset your workspace. Regenerating your Commercial ID cannot be undone and will result in you losing data for all devices that have the current Commercial ID until the new Commercial ID is deployed to devices. +> Regenerate your CommercialID only if your original ID can no longer be used or if you want to completely reset your workspace. Regenerating your CommercialID cannot be undone and will result in you losing data for all devices that have the current CommercialID until the new CommercialID is deployed to devices. -#### Deploying Commercial ID using Group Policy -Commercial ID can be deployed using Group Policy. The Group Policy for Commercial ID is under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure the Commercial ID**. +## Enroll devices in Update Compliance -![Commercial ID Group Policy location](images/UC_commercialID_GP.png) - -#### Deploying Commercial ID using MDM -Commercial ID can be deployed through a [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) policy beginning with Windows 10, version 1607. Commercial ID is under the [DMClient configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp). - -### Ensure endpoints are whitelisted -To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to whitelist the following endpoints. You may need security group approval to do this. - -| **Endpoint** | **Function** | -|---------------------------------------------------------|-----------| -| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. | -| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. | -| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. | -| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. | -| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting in the event of certain Feature Update deployment failures. | -| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. | -| `https://login.live.com` | This endpoint is optional but allows for the Update Compliance service to more reliably identify and process devices. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) instead of blocking this endpoint. | - -### Set diagnostic data levels -Update Compliance requires that devices are configured to send Microsoft at least the Basic level of diagnostic data in order to function. For more information on Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization). - -#### Configuring Telemetry level using Group Policy -You can set Allow Telemetry through Group Policy, this setting is in the same place as the Commercial ID policy, under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Allow Telemetry**. Update Compliance requires at least Basic (level 1) to function. - -![Allow Telemetry in Group Policy](images/UC_telemetrylevel.png) - -#### Configuring Telemetry level using MDM -Telemetry level can additionally be configured through a [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) policy. Allow Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry). - -### Enabling Device Name in telemetry -Beginning with Windows 10, version 1803, Device Name is no longer collected as part of normal Windows Diagnostic Data and must explicitly be allowed to be sent to Microsoft. If devices do not have this policy enabled, their device name will appear as '#' instead. - -#### Allow Device Name in Telemetry with Group Policy -Allow Device Name in Telemetry is under the same node as Commercial ID and Allow Telemetry policies in Group Policy, listed as **Allow device name to be sent in Windows diagnostic data**. - -#### Allow Device Name in Telemetry with MDM -Allow Device Name in Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry). +Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance. > [!NOTE] -> After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it might take 48-72 hours for the first data to appear in the solution. Until then, Update Compliance will indicate it is still assessing devices. +> After configuring devices via one of the two methods below, it can take up to 72 hours before devices are visible in the solution. Until then, Update Compliance will indicate it is still assessing devices. + +### Configure devices using the Update Compliance Configuration Script + +The recommended way to configure devices to send data to Update Compliance is using the [Update Compliance Configuration Script](update-compliance-configuration-script.md). The script configures required policies via Group Policy. The script comes with two versions: + +- Pilot is more verbose and is intended to be use on an initial set of devices and for troubleshooting. +- Deployment is intended to be deployed across the entire device population you want to monitor with Update Compliance. + +To download the script and learn what you need to configure and how to troubleshoot errors, see [Configuring Devices using the Update Compliance Configuration Script](update-compliance-configuration-script.md). + +### Configure devices manually + +It is possible to manually configure devices to send data to Update Compliance, but the recommended method of configuration is to use the [Update Compliance Configuration Script](update-compliance-configuration-script.md). To learn more about configuring devices manually, see [Manually Configuring Devices for Update Compliance](update-compliance-configuration-manual.md). diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 7cfa65dc2a..74b72061a4 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -19,9 +19,8 @@ ms.topic: article > [!IMPORTANT] > While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates: -> -> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). -> * The Perspectives feature of Update Compliance will also be removed on March 31, 2020 in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. +> As of March 31, 2020, The Windows Defender Antivirus reporting feature of Update Compliance is no longer supported and will soon be retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). +> * As of March 31, 2020, The Perspectives feature of Update Compliance is no longer supported and will soon be retired in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. ## Introduction @@ -33,30 +32,15 @@ Update Compliance enables organizations to: Update Compliance is offered through the Azure portal, and is included as part of Windows 10 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). -Update Compliance uses Windows 10 and Windows Defender Antivirus diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, Windows Defender Antivirus data, and Delivery Optimization usage data, and then sends this data to a secure cloud to be stored for analysis and usage in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal). +Update Compliance uses Windows 10 diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience. See the following topics in this guide for detailed information about configuring and using the Update Compliance solution: -- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment. -- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance. +- [Get started with Update Compliance](update-compliance-get-started.md) provides directions on adding Update Compliance to your Azure subscription and configuring devices to send data to Update Compliance. +- [Using Update Compliance](update-compliance-using.md) breaks down every aspect of the Update Compliance experience. -## Update Compliance architecture - -The Update Compliance architecture and data flow follows this process: - -1. User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service. -2. Diagnostic data is analyzed by the Update Compliance Data Service. -3. Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace. -4. Diagnostic data is available in the Update Compliance solution. - - -> [!NOTE] -> This process assumes that Windows diagnostic data is enabled and data sharing is enabled as outlined in the enrollment section of [Get started with Update Compliance](update-compliance-get-started.md). - - - -  ## Related topics -[Get started with Update Compliance](update-compliance-get-started.md)
-[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) +* [Get started with Update Compliance](update-compliance-get-started.md) +* [Use Update Compliance to monitor Windows Updates](update-compliance-using.md) +* [Update Compliance Schema Reference](update-compliance-schema.md) diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md index a4b940a236..b3a4ca35a7 100644 --- a/windows/deployment/update/update-compliance-need-attention.md +++ b/windows/deployment/update/update-compliance-need-attention.md @@ -19,8 +19,8 @@ ms.topic: article The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section. ->[!NOTE] ->The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up. +> [!NOTE] +> The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up. The different issues are broken down by Device Issues and Update Issues: @@ -39,8 +39,8 @@ The different issues are broken down by Device Issues and Update Issues: Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue. ->[!NOTE] ->This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful. +> [!NOTE] +> This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful. ## List of Queries diff --git a/windows/deployment/update/update-compliance-perspectives.md b/windows/deployment/update/update-compliance-perspectives.md deleted file mode 100644 index b07741ffeb..0000000000 --- a/windows/deployment/update/update-compliance-perspectives.md +++ /dev/null @@ -1,70 +0,0 @@ ---- -title: Update Compliance - Perspectives -ms.reviewer: -manager: laurawi -description: an overview of Update Compliance Perspectives -ms.prod: w10 -ms.mktglfcycl: deploy -ms.pagetype: deploy -audience: itpro -itproauthor: jaimeo -author: jaimeo -ms.author: jaimeo -ms.collection: M365-analytics -ms.topic: article ---- - -# Perspectives - -> [!IMPORTANT] -> On March 31, 2020, the Perspectives feature of Update Compliance will be removed in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. - - -![Perspectives data view](images/uc-perspectiveupdatedeploymentstatus.png) - -Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance. - -There is only one perspective framework; it is for **Update Deployment Status**. The same framework is utilized for both feature and quality updates. - -The first blade is the **Build Summary** blade. This blade summarizes the most important aspects of the given build being queried, listing the total number of devices, the total number of update failures for the build, and a breakdown of the different errors encountered. - -The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any). - -## Deployment status - -The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows: - -| State | Description | -| --- | --- | -| Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. | -| In Progress | Devices that report they are "In Progress" are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. | -| Deferred | When a device's Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. | -| Progress stalled | Devices that report as "Progress stalled" have been stuck at "In progress" for more than 7 days. | -| Cancelled | The update was canceled. | -| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. | -| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. | -| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. | -| Failed | A device is unable to install an update. This failure could be linked to a serious error in the update installation process or, in some cases, a [compatibility hold](update-compliance-feature-update-status.md#compatibility-holds). | - -## Detailed deployment status - -The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report: - -| State | Description | -| --- | --- | -| Update deferred | When a device's Windows Update for Business policy dictates the update is deferred. | -| Update paused | The device's Windows Update for Business policy dictates the update is paused from being offered. | -| Update offered | The device has been offered the update, but has not begun downloading it. | -| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. | -| Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) | -| Download Started | The update has begun downloading on the device. | -| Download Succeeded | The update has successfully completed downloading. | -| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. | -| Install Started | Installation of the update has begun. | -| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed. -| Reboot Pending | The device has a scheduled reboot to apply the update. | -| Reboot Initiated | The scheduled reboot has been initiated. | -| Update Completed/Commit | The update has successfully installed. | - -> [!NOTE] -> Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking "Not configured (-1)" devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar. diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md new file mode 100644 index 0000000000..a455261f8c --- /dev/null +++ b/windows/deployment/update/update-compliance-privacy.md @@ -0,0 +1,55 @@ +--- +title: Privacy in Update Compliance +ms.reviewer: +manager: laurawi +description: an overview of the Feature Update Status report +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.author: jaimeo +ms.collection: M365-analytics +ms.topic: article +--- + +# Privacy in Update Compliance + +Update Compliance is fully committed to privacy, centering on these tenets: + +- **Transparency:** Windows 10 diagnostic data events that are required for Update Compliance's operation are fully documented (see the links for additional information) so you can review them with your company's security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details). +- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics. +- **Security:** Your data is protected with strong security and encryption. +- **Trust:** Update Compliance supports the Online Services Terms. + +## Data flow for Update Compliance + +The data flow sequence is as follows: + +1. Diagnostic data is sent from devices to the Microsoft Diagnostic Data Management service, which is hosted in the US. +2. An IT Administrator creates an Azure Log Analytics workspace. They then choose the location this workspace will store data and receives a Commercial ID for that workspace. The Commercial ID is added to each device in an organization by way of Group Policy, MDM or registry key. +3. Each day Microsoft produces a "snapshot" of IT-focused insights for each workspace in the Diagnostic Data Management Service, identifying devices by Commercial ID. +4. These snapshots are copied to transient storage, used solely for Update Compliance where they are partitioned by Commercial ID. +5. The snapshots are then copied to the appropriate Azure Log Analytics workspace, where the Update Compliance experience pulls the information from to populate visuals. + +## FAQ + +### Can Update Compliance be used without a direct client connection to the Microsoft Data Management Service? + +No, the entire service is powered by Windows diagnostic data, which requires that devices have this direct connectivity. + +### Can I choose the data center location? + +Yes for Azure Log Analytics, but no for the Microsoft Data Management Service (which is hosted in the US). + +## Related topics + +See related topics for additional background information on privacy and treatment of diagnostic data: + +- [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance) +- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization) +- [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) +- [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31) +- [Confidence in the trusted cloud](https://azure.microsoft.com/support/trust-center/) +- [Trust Center](https://www.microsoft.com/trustcenter) diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md new file mode 100644 index 0000000000..3cbcbbeb28 --- /dev/null +++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md @@ -0,0 +1,46 @@ +--- +title: Update Compliance Schema - WaaSDeploymentStatus +ms.reviewer: +manager: laurawi +description: WaaSDeploymentStatus schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.author: jaimeo +ms.collection: M365-analytics +ms.topic: article +--- + +# WaaSDeploymentStatus + +WaaSDeploymentStatus records track a specific update's installation progress on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, as well as one tracking a Windows Quality Update, at the same time. + +|Field |Type |Example |Description | +|-|-|-----|------------------------| +|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). | +|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. | +|**DeferralDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |The deferral policy for this content type or `UpdateCategory` (Windows `Feature` or `Quality`). | +|**DeploymentError** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there is either no string matching the error or there is no error. | +|**DeploymentErrorCode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there is either no error or there is *no error code*, meaning that the issue raised does not correspond to an error, but some inferred issue. | +|**DeploymentStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Failed` |The high level status of installing this update on this device. Possible values are:
  • **Update completed**: Device has completed the update installation.
  • **In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.
  • **Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.
  • **Cancelled**: The update was cancelled.
  • **Blocked**: There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.
  • **Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that have not sent any deployment data for that update will have the status `Unknown`.
  • **Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update.
  • **Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.| +|**DetailedStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:
  • **Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.
  • **Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.
  • **Update offered**: The device has been offered the update, but has not begun downloading it.
  • **Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.
  • **Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds).
  • **Download started**: The update has begun downloading on the device.
  • **Download Succeeded**: The update has successfully completed downloading.
  • **Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.
  • **Install Started**: Installation of the update has begun.
  • **Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.
  • **Reboot Pending**: The device has a scheduled reboot to apply the update.
  • **Reboot Initiated**: The scheduled reboot has been initiated.
  • **Commit**: Changes are being committed post-reboot. This is another step of the installation process.
  • **Update Completed**: The update has successfully installed.| +|**ExpectedInstallDate** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/28/2020, 1:00:01.318 PM`|Rather than the expected date this update will be installed, this should be interpreted as the minimum date Windows Update will make the update available for the device. This takes into account Deferrals. | +|**LastScan** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|The last point in time that this device sent Update Session data. | +|**OriginBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.719` |The build originally installed on the device when this Update Session began. | +|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.719` |The build currently installed on the device. | +|**OSRevisionNumber** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`719` |The revision of the OSBuild installed on the device. | +|**OSServicingBranch** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Semi-Annual` |The Servicing Branch or [Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) the device is on. Dictates which Windows updates the device receives and the cadence of those updates. | +|**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. | +|**PauseState** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Feature Updates.
  •  **Expired**: The pause period has expired.
  •  **NotConfigured**: Pause is not configured.
  •  **Paused**: The device was last reported to be pausing this content type.
  •  **NotPaused**: The device was last reported to not have any pause on this content type. | +|**RecommendedAction** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |The recommended action to take in the event this device needs attention, if any. | +|**ReleaseName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`KB4551762` |The KB Article corresponding to the TargetOSRevision, if any. | +|**TargetBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The target OSBuild, the update being installed or considered as part of this WaaSDeploymentStatus record. | +|**TargetOSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The target OSVersion. | +|**TargetOSRevision** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`720` |The target OSRevisionNumber. | +|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime) |`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. | +|**UpdateCategory** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Quality` |The high-level category of content type this Windows Update belongs to. Possible values are **Feature** and **Quality**. | +|**UpdateClassification** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Security` |Similar to UpdateCategory, this more specifically determines whether a Quality update is a security update or not. | +|**UpdateReleasedDate** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime) |`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the time the update came available on Windows Update. | diff --git a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md new file mode 100644 index 0000000000..2ddf505e62 --- /dev/null +++ b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md @@ -0,0 +1,35 @@ +--- +title: Update Compliance Schema - WaaSInsiderStatus +ms.reviewer: +manager: laurawi +description: WaaSInsiderStatus schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.author: jaimeo +ms.collection: M365-analytics +ms.topic: article +--- + +# WaaSInsiderStatus + +WaaSInsiderStatus records contain device-centric data and acts as the device record for devices on Windows Insider Program builds in Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. Insider devices have fewer fields than [WaaSUpdateStatus](update-compliance-schema-waasupdatestatus.md). + + +|Field |Type |Example |Description | +|--|--|---|--| +|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). | +|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. | +|**OSArchitecture** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`amd64` |The architecture of the Operating System. | +|**OSName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. | +|**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. | +|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-information/). | +|**OSRevisionNumber** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`720` |An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device. | +|**OSEdition** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Enterprise` |The Windows 10 Edition or SKU. | +|**OSFamily** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows.Desktop` |The Device Family of the device. Only `Windows.Desktop` is currently supported. | +|**OSServicingBranch** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Semi-Annual` |The Servicing Branch or [Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) the device is on. Dictates which Windows updates the device receives and the cadence of those updates. | +|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|3/22/`2020, 1:00:01.318 PM`|A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. | +|**LastScan** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|3/22/`2020, 2:00:00.436 AM`|A DateTime corresponding to the last time the device sent data to Microsoft. This does not necessarily mean all data that is needed to populate all fields Update Compliance uses was sent, this is more like a "heartbeat". | diff --git a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md new file mode 100644 index 0000000000..0b5adb4096 --- /dev/null +++ b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md @@ -0,0 +1,46 @@ +--- +title: Update Compliance Schema - WaaSUpdateStatus +ms.reviewer: +manager: laurawi +description: WaaSUpdateStatus schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.author: jaimeo +ms.collection: M365-analytics +ms.topic: article +--- + +# WaaSUpdateStatus + +WaaSUpdateStatus records contain device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. + +|Field |Type |Example |Description | +|--|-|----|------------------------| +|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). | +|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. | +|**DownloadMode** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Simple (99)` |The device's Delivery Optimization DownloadMode. To learn about possible values, see [Delivery Optimization Reference - Download mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) | +|**FeatureDeferralDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |The on-client Windows Update for Business Deferral Policy days.
    - **<0**: A value below 0 indicates the policy is disabled.
    - **0**: A value of 0 indicates the policy is enabled, but the deferral period is 0 days.
    - **1+**: A value of 1 and above indicates the deferral setting, in days. | +|**FeaturePauseDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |*Deprecated* This provides the count of days left in a pause | +|**FeaturePauseState** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Feature Updates.
  • **Expired**: The pause period has expired.
  • **NotConfigured**: Pause is not configured.
  • **Paused**: The device was last reported to be pausing this content type.
  • **NotPaused**: The device was last reported to not have any pause on this content type. | +|**QualityDeferralDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |The on-client Windows Update for Business Deferral Policy days.
  • **<0**: A value below 0 indicates the policy is disabled.
  • **0**: A value of 0 indicates the policy is enabled, but the deferral period is 0 days.
  • **1+**: A value of 1 and above indicates the deferral setting, in days. | +|**QualityPauseDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |**Deprecated**. This provides the count of days left in a pause period.| +|**QualityPauseState** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Quality Updates.
  • **Expired**: The pause period has expired.
  • **NotConfigured**: Pause is not configured.
  • **Paused**: The device was last reported to be pausing this content type.
  • **NotPaused**: The device was last reported to not have any pause on this content type. | +|**NeedAttentionStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |Indicates any reason a device needs attention; if empty, there are no [Device Issues](https://docs.microsoft.com/windows/deployment/update/update-compliance-need-attention#device-issues) for this device. | +|**OSArchitecture** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`amd64` |The architecture of the Operating System. | +|**OSName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. | +|**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. | +|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-information/). | +|**OSRevisionNumber** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`720` |An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device. | +|**OSCurrentStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Current` |*Deprecated* Whether or not the device is on the latest Windows Feature Update available, as well as the latest Quality Update for that Feature Update. | +|**OSEdition** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Enterprise` |The Windows 10 Edition or SKU. | +|**OSFamily** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows.Desktop` |The Device Family of the device. Only `Windows.Desktop` is currently supported. | +|**OSFeatureUpdateStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Up-to-date` |Indicates whether or not the device is on the latest available Windows 10 Feature Update. | +|**OSQualityUpdateStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Up-to-date` |Indicates whether or not the device is on the latest available Windows 10 Quality Update (for its Feature Update). | +|**OSSecurityUpdateStatus**|[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Up-to-date` |Indicates whether or not the device is on the latest available Windows 10 Quality Update **that is classified as containing security fixes**. | +|**OSServicingBranch** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Semi-Annual` |The Servicing Branch or [Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) the device is on. Dictates which Windows updates the device receives and the cadence of those updates. | +|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. | +|**LastScan** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 2:00:00.436 AM`|A DateTime corresponding to the last time the device sent data to Microsoft. This does not necessarily mean all data that is needed to populate all fields Update Compliance uses was sent, this is more like a "heartbeat". | diff --git a/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md new file mode 100644 index 0000000000..6aa934c711 --- /dev/null +++ b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md @@ -0,0 +1,34 @@ +--- +title: Update Compliance Schema - WUDOAggregatedStatus +ms.reviewer: +manager: laurawi +description: WUDOAggregatedStatus schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.author: jaimeo +ms.collection: M365-analytics +ms.topic: article +--- + +# WUDOAggregatedStatus + +WUDOAggregatedStatus records provide information, across all devices, on their bandwidth utilization for a specific content type in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq), over the past 28 days. + +These fields are briefly described in this article, to learn more about Delivery Optimization in general, check out the [Delivery Optimization Reference](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference). + +|Field |Type |Example |Description | +|-|-|-|-| +|**DeviceCount** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`9999` |Total number of devices in this aggregated record. | +|**BWOptPercent28Days** |[real](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/real) |`68.72` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *across all devices*, computed on a rolling 28-day basis. | +|**BWOptPercent7Days** |[real](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/real) |`13.58` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *across all devices*, computed on a rolling 7-day basis. | +|**BytesFromCDN** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`254139` |Total number of bytes downloaded from a CDN versus a Peer. This counts against bandwidth optimization.| +|**BytesFromGroupPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`523132` |Total number of bytes downloaded from Group Peers. | +|**BytesFromIntPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`328350` |Total number of bytes downloaded from Internet Peers. | +|**BytesFromPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`43145` |Total number of bytes downloaded from peers. | +|**ContentType** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`Quality Updates` |The type of content being downloaded.| +|**DownloadMode** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`HTTP+LAN (1)` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) configuration for this device. | +|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`1601-01-01T00:00:00Z` |A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace.| diff --git a/windows/deployment/update/update-compliance-schema-wudostatus.md b/windows/deployment/update/update-compliance-schema-wudostatus.md new file mode 100644 index 0000000000..f3d6dc0e2a --- /dev/null +++ b/windows/deployment/update/update-compliance-schema-wudostatus.md @@ -0,0 +1,57 @@ +--- +title: Update Compliance Schema - WUDOStatus +ms.reviewer: +manager: laurawi +description: WUDOStatus schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.author: jaimeo +ms.collection: M365-analytics +ms.topic: article +--- + +# WUDOStatus + +> [!NOTE] +> Currently all location-based fields are not working properly. This is a known issue. + +WUDOStatus records provide information, for a single device, on their bandwidth utilization for a specific content type in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq), and other information to create more detailed reports and splice on certain common characteristics. + +These fields are briefly described in this article, to learn more about Delivery Optimization in general, check out the [Delivery Optimization Reference](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference). + +|Field |Type |Example |Description | +|-|-|-|-| +|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). | +|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. | +|**City** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |Approximate city device was in while downloading content, based on IP Address. | +|**Country** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |Approximate country device was in while downloading content, based on IP Address. | +|**ISP** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |The Internet Service Provider estimation. | +|**BWOptPercent28Days** |[real](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/real) |`68.72` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *for this device*, computed on a rolling 28-day basis. | +|**BWOptPercent7Days** |[real](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/real) |`13.58` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *for this device*, computed on a rolling 7-day basis. | +|**BytesFromCDN** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`254139` |Total number of bytes downloaded from a CDN versus a Peer. This counts against bandwidth optimization. | +|**BytesFromGroupPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`523132` |Total number of bytes downloaded from Group Peers. | +|**BytesFromIntPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`328350` |Total number of bytes downloaded from Internet Peers. | +|**BytesFromPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`43145` |Total number of bytes downloaded from peers. | +|**ContentDownloadMode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) configuration for this content. | +|**ContentType** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`Quality Updates` |The type of content being downloaded. | +|**DOStatusDescription** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |A short description of DO's status, if any. | +|**DownloadMode** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`HTTP+LAN (1)` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) configuration for this device. | +|**DownloadModeSrc** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Default` |The source of the DownloadMode configuration. | +|**GroupID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |The DO Group ID. | +|**NoPeersCount** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) | |The number of peers this device interacted with. | +|**OSName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. | +|**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild.  | +|**PeerEligibleTransfers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |Total number of eligible transfers by Peers. | +|**PeeringStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`On` |The DO Peering Status | +|**PeersCannotConnectCount**|[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |The number of peers this device was unable to connect to. | +|**PeersSuccessCount** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |The number of peers this device successfully connected to. | +|**PeersUnknownCount** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |The number of peers for which there is an unknown relation. | +|**LastScan** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`1601-01-01T00:00:00Z` |A DateTime corresponding to the last time the device sent data to Microsoft. This does not necessarily mean all data that is needed to populate all fields Update Compliance uses was sent, this is more like a "heartbeat". | +|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`1601-01-01T00:00:00Z` |A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. | +|**TotalTimeForDownload** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`0:00:00` |The total time it took to download the content. | +|**TotalTransfers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |The total number of data transfers to download this content. | + diff --git a/windows/deployment/update/update-compliance-schema.md b/windows/deployment/update/update-compliance-schema.md new file mode 100644 index 0000000000..2be2ac0e78 --- /dev/null +++ b/windows/deployment/update/update-compliance-schema.md @@ -0,0 +1,29 @@ +--- +title: Update Compliance Data Schema +ms.reviewer: +manager: laurawi +description: an overview of Update Compliance data schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.author: jaimeo +ms.collection: M365-analytics +ms.topic: article +--- + +# Update Compliance Schema + +When the visualizations provided in the default experience don't fulfill your reporting needs, or if you need to troubleshoot issues with devices, it's valuable to understand the schema for Update Compliance and have a high-level understanding of the capabilities of [Azure Monitor log queries](https://docs.microsoft.com/azure/azure-monitor/log-query/query-language) to power additional dashboards, integration with external data analysis tools, automated alerting, and more. + +The table below summarizes the different tables that are part of the Update Compliance solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/log-query/get-started-queries). + +|Table |Category |Description | +|--|--|--| +|[**WaaSUpdateStatus**](update-compliance-schema-waasupdatestatus.md) |Device record |This table houses device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. | +|[**WaaSInsiderStatus**](update-compliance-schema-waasinsiderstatus.md) |Device record |This table houses device-centric data specifically for devices enrolled to the Windows Insider Program. Devices enrolled to the Windows Insider Program do not currently have any WaaSDeploymentStatus records, so do not have Update Session data to report on update deployment progress. | +|[**WaaSDeploymentStatus**](update-compliance-schema-waasdeploymentstatus.md) |Update Session record |This table tracks a specific update on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, as well as one tracking a Windows Quality Update, at the same time. | +|[**WUDOStatus**](update-compliance-schema-wudostatus.md) |Delivery Optimization record |This table provides information, for a single device, on their bandwidth utilization across content types in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq). | +|[**WUDOAggregatedStatus**](update-compliance-schema-wudoaggregatedstatus.md) |Delivery Optimization record |This table aggregates all individual WUDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled to Delivery Optimization. | diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md index f6f30a2709..67cc9067ac 100644 --- a/windows/deployment/update/update-compliance-security-update-status.md +++ b/windows/deployment/update/update-compliance-security-update-status.md @@ -22,49 +22,4 @@ The **Overall Security Update Status** blade provides a visualization of devices The **Latest Security Update Status** and **Previous Security Update Status** tiles are stacked to form one blade. The **Latest Security Update Status** provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows 10, along with the revision of that update. The **Previous Security Update Status** blade provides the same information without the accompanying visualization. -The various deployment states reported by devices are as follows: - -## Deployment status -Deployment status summarizes detailed status into higher-level states to get a quick sense of the status the given device was last reported to be in relative to this specific update. Note that with the latency of deployment data, devices might have since moved on from the reported deployment status. - -|Deployment status |Description | -|---------|---------| -|Failed | The device encountered a failure during the update process. Note that due to latency, devices reporting this status may have since retried the update. | -|Progress stalled | The device started the update process, but no progress has been reported in the last 7 days. | -|Deferred | The device is currently deferring the update process due to Windows Update for Business policies. | -|In progress | The device has begun the updating process for this update. This status appears if the device is in any stage of the update process including and after download, but before completing the update. If no progress has been reported in the last 7 days, devices will move to **Progress stalled**.** | -|Update completed | The device has completed the update process. | -|Update paused | The device is prevented from being offered the update due to updates being paused on the device. | -|Unknown | No record is available for this device relative to this update. This is a normal status if an update has recently been released or if the device does not use Windows Update. | - - -## Detailed status -Detailed status provides a detailed stage-level representation of where in the update process the device was last reported to be in relative to this specific update. Note that with the latency of deployment data, devices might have since moved on from the reported detailed status. - - -|Detailed status |Description | -|---------|---------| -|Scheduled in next X days | The device is currently deferring the update with Windows Update for Business policies but will be offered the update within the next X days. | -|Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) | -|Update deferred | The device is currently deferring the update with Windows Update for Business policies. | -|Update paused | The device is prevented from being offered the update due to updates being paused on the device. | -|Update offered | The device has been offered the update by Windows Update but has not yet begun to download it. | -|Download started | The device has begun downloading the update. | -|Download succeeded | The device has finished downloading the update but has not yet begun installing the update. | -|Install started | The device has begun installing the update. | -|PreInstall task passed | The device has passed checks prior to beginning the rest of the installation process after a restart. | -|Reboot required | The device requires a restart to install the update, but one has not yet been scheduled. | -|Reboot pending | The device is pending a restart to install the update. | -|Reboot initiated | The device reports "Reboot initiated" just before actually restarting specifically to apply the update. | -|Commit | The device, after a restart, is committing changes relevant to the update. | -|Finalize succeeded | The device has finished final tasks after a restart to apply the update. | -|Update successful | The device has successfully applied the update. | -|Cancelled | The update was canceled at some point in the update process. | -|Uninstalled | The update was successfully uninstalled from the device. | -|Rollback | The update failed to apply during the update process, causing the device to roll back changes and revert to the previous update. | - - - - - The rows of each tile in this section are interactive; selecting them will navigate you to the query that is representative of that row and section. diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 3f9b6fbcbb..47ea2040ed 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -21,14 +21,13 @@ In this section you'll learn how to use Update Compliance to monitor your device Update Compliance: -- Provides detailed deployment data for Windows 10 security, quality, and feature updates. -- Reports when devices have issues related to updates that need attention. -- Shows Windows Defender AV status information for devices that use it and meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). +- Provides detailed deployment monitoring for Windows 10 Feature and Quality updates. +- Reports when devices need attention due to issues related to update deployment. - Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](waas-delivery-optimization.md). - Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities. ## The Update Compliance tile -After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you’ll see this tile: +After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you'll see this tile: ![Update Compliance tile no data](images/UC_tile_assessing.png) @@ -48,7 +47,7 @@ When you select this tile, you will be redirected to the Update Compliance works ![The Overview blade](images/UC_workspace_overview_blade.png) -Update Compliance’s overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: +Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: * Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10. * Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. * AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Windows Defender Antivirus. @@ -84,9 +83,9 @@ This means you should generally expect to see new data device data every 24 hour Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within Azure Portal, can deeply enhance your experience and complement Update Compliance. See below for a few topics related to Log Analytics: -* Learn how to effectively execute custom Log Searches by referring to Microsoft Azure’s excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches). +* Learn how to effectively execute custom Log Searches by referring to Microsoft Azure's excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches). * To develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/); check out documentation on [analyzing data for use in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-dashboards). -* [Gain an overview of Log Analytics’ alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about. +* [Gain an overview of Log Analytics' alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about. ## Related topics diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md deleted file mode 100644 index ebd7f7827f..0000000000 --- a/windows/deployment/update/update-compliance-wd-av-status.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -title: Update Compliance - Windows Defender AV Status report -ms.reviewer: -manager: laurawi -description: an overview of the Windows Defender AV Status report -ms.prod: w10 -ms.mktglfcycl: deploy -ms.pagetype: deploy -audience: itpro -itproauthor: jaimeo -author: jaimeo -ms.author: jaimeo -ms.collection: M365-analytics -ms.topic: article ---- - -# Windows Defender AV Status - - -> [!IMPORTANT] -> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). - -![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png) - -The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus. - -> [!NOTE] -> Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx). - -## Windows Defender AV Status sections -The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query. - -The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation. - -Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance: -* **Signature out of date** devices are devices with a signature older than 14 days. -* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection. -* **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days. -* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team. -* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared. - -## Windows Defender data latency -Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days. - -## Related topics - -- [Windows Defender Antivirus pre-requisites](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting#confirm-pre-requisites) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index e7d8d21550..de0d1957dc 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -135,7 +135,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection - 4 = DNS Suffix - 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. -When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-4, the policy is ignored. +When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. ### Minimum RAM (inclusive) allowed to use Peer Caching diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 2486006471..0e9f6ba908 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -52,7 +52,7 @@ You can control when updates are applied, for example by deferring when an updat Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates. -- Drivers (on/off): When "on," this policy will not include drivers with Windows Update. +- Disable Drivers (on/off): When "on," this policy will not include drivers with Windows Update. - Microsoft product updates (on/off): When "on" this policy will install updates for other Microsoft products. diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index fa6196d4f9..27951497ec 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -1,79 +1,80 @@ ---- -title: Install VAMT (Windows 10) -description: Install VAMT -ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 03/11/2019 -ms.topic: article ---- - -# Install VAMT - -This topic describes how to install the Volume Activation Management Tool (VAMT). - -## Install VAMT - -You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10. - ->[!IMPORTANT] ->VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator.  - ->[!NOTE] ->The VAMT Microsoft Management Console snap-in ships as an x86 package. - -### Requirements - -- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied -- [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) -- [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) -- alternatively any full SQL instance e.g. SQL Server 2014 or newer incl. CU / SP - -### Install SQL Server 2017 Express / alternatively use any Full SQL instance e.g. SQL Server 2014 or newer - -1. Download and open the [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package. -2. Select **Basic**. -3. Accept the license terms. -4. Enter an install location or use the default path, and then select **Install**. -5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. - ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png) - -### Install VAMT using the ADK - -1. Download and open the [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) package. -Reminder: There won't be new ADK release for 1909. -2. Enter an install location or use the default path, and then select **Next**. -3. Select a privacy setting, and then select **Next**. -4. Accept the license terms. -5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.) -6. On the completion page, select **Close**. - -### Configure VAMT to connect to SQL Server 2017 Express or full SQL Server - -1. Open **Volume Active Management Tool 3.1** from the Start menu. -2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL. - - ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png) - -for remote SQL Server use -servername.yourdomain.com - - - -## Uninstall VAMT - -To uninstall VAMT using the **Programs and Features** Control Panel: -1. Open **Control Panel** and select **Programs and Features**. -2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT. - - - - +--- +title: Install VAMT (Windows 10) +description: Install VAMT +ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.date: 03/11/2019 +ms.topic: article +--- + +# Install VAMT + +This topic describes how to install the Volume Activation Management Tool (VAMT). + +## Install VAMT + +You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10. + +>[!IMPORTANT] +>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator.  + +>[!NOTE] +>The VAMT Microsoft Management Console snap-in ships as an x86 package. + +### Requirements + +- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied +- [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) +- Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) version, the latest is recommended +- Alternatively, any supported **full** SQL instance + +### Install SQL Server Express / alternatively use any full SQL instance + +1. Download and open the [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package. +2. Select **Basic**. +3. Accept the license terms. +4. Enter an install location or use the default path, and then select **Install**. +5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. + + ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png) + +### Install VAMT using the ADK + +1. Download and open the [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) package. +Reminder: There won't be new ADK release for 1909. +2. Enter an install location or use the default path, and then select **Next**. +3. Select a privacy setting, and then select **Next**. +4. Accept the license terms. +5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.) +6. On the completion page, select **Close**. + +### Configure VAMT to connect to SQL Server Express or full SQL Server + +1. Open **Volume Active Management Tool 3.1** from the Start menu. +2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL. + + ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png) + +for remote SQL Server use +servername.yourdomain.com + + + +## Uninstall VAMT + +To uninstall VAMT using the **Programs and Features** Control Panel: +1. Open **Control Panel** and select **Programs and Features**. +2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT. + + + + diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 944908ad16..4f273824cb 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -108,11 +108,11 @@ Topics and procedures in this guide are summarized in the following table. An es 5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: ``` - New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow - New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow - New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow - New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow - New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow + New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow + New-NetFirewallRule -DisplayName "SQL Admin Connection" -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow + New-NetFirewallRule -DisplayName "SQL Database Management" -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow + New-NetFirewallRule -DisplayName "SQL Service Broker" -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow + New-NetFirewallRule -DisplayName "SQL Debugger/RPC" -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow ``` 7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components. @@ -123,7 +123,7 @@ Topics and procedures in this guide are summarized in the following table. An es ``` $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 + Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0 Stop-Process -Name Explorer ``` @@ -207,7 +207,7 @@ Topics and procedures in this guide are summarized in the following table. An es 19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: ``` - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 + Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1 Stop-Process -Name Explorer ``` @@ -326,7 +326,7 @@ WDSUTIL /Set-Server /AnswerClients:None See the following example: - Config Mgr PXE + Config Mgr PXE 5. Click **OK**. 6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: @@ -387,7 +387,7 @@ WDSUTIL /Set-Server /AnswerClients:None In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: ``` - STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590) + STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590) ``` 11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. @@ -847,7 +847,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 6. When a popup dialog box asks if you want to run full discovery, click **Yes**. 7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): - ![assets](images/sccm-assets.png) + ![assets](images/configmgr-assets.png) >If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console. @@ -900,7 +900,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example: - ![site](images/sccm-site.png) + ![site](images/configmgr-site.png) If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated. @@ -908,7 +908,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: - ![client](images/sccm-client.png) + ![client](images/configmgr-client.png) >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**. @@ -970,7 +970,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example: - ![collection](images/sccm-collection.png) + ![collection](images/configmgr-collection.png) ### Create a device collection for PC1 @@ -1018,7 +1018,7 @@ In the Configuration Manager console, in the Software Library workspace under Op 4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example: - ![software](images/sccm-software-cntr.png) + ![software](images/configmgr-software-cntr.png) >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. @@ -1056,17 +1056,17 @@ In the Configuration Manager console, in the Software Library workspace under Op 3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**. 4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example: - ![installOS](images/sccm-install-os.png) + ![installOS](images/configmgr-install-os.png) The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example: - ![asset](images/sccm-asset.png) + ![asset](images/configmgr-asset.png) You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system. - ![post-refresh](images/sccm-post-refresh.png) + ![post-refresh](images/configmgr-post-refresh.png) diff --git a/windows/deployment/windows-autopilot/autopilot-support.md b/windows/deployment/windows-autopilot/autopilot-support.md index 7fd687321a..762aab67e5 100644 --- a/windows/deployment/windows-autopilot/autopilot-support.md +++ b/windows/deployment/windows-autopilot/autopilot-support.md @@ -10,7 +10,6 @@ ms.pagetype: deploy audience: itpro author: greg-lindsay ms.author: greglin -ms.date: 10/31/2018 ms.reviewer: manager: laurawi ms.collection: M365-modern-desktop @@ -25,19 +24,14 @@ The following table displays support information for the Windows Autopilot progr Before contacting the resources listed below for Windows Autopilot-related issues, check the [Windows Autopilot FAQ](autopilot-faq.md). - -| Audience | Support contact | -|---------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you’re a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. | -| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority:
    Low – 120 hours
    Normal – 72 hours
    High – 24 hours
    Immediate – 4 hours | -| Partners with a Partner Technology Strategist (PTS) | If you have a PTS (whether you’re a CSP or not), you may first try working through your account’s specific Partner Technology Strategist (PTS). | -| Partners with an Ecosystem PM | If you have an Ecosystem PM (whether you’re a CSP or not), you may first try working through your account’s specific Ecosystem PM, especially for technical issues. To learn more about Ecosystem PMs and the services they offer, contact epsoinfo@microsoft.com. | -| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. | -| End-user | Contact your IT administrator. | -| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. | -| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB. | -| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). | -| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in: https://support.microsoft.com/en-us. | -| Queries relating to MDA testing | Contact MDAHelp@microsoft.com. | -| All other queries, or when unsure who to contact | Contact msoemops@microsoft.com. | - +| Audience | Support contact | +|------------|---------------------------------------| +| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you’re a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. | +| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority:
    Low – 120 hours
    Normal – 72 hours
    High – 24 hours
    Immediate – 4 hours | +| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. | +| End-user | Contact your IT administrator. | +| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. | +| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB. | +| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). | +| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in: https://support.microsoft.com/en-us. | +| Queries relating to MDA testing | Contact MDAHelp@microsoft.com. | \ No newline at end of file diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md index 8dc6b27a55..7f7f58c2b8 100644 --- a/windows/security/identity-protection/TOC.md +++ b/windows/security/identity-protection/TOC.md @@ -71,4 +71,5 @@ ### [VPN security features](vpn\vpn-security-features.md) ### [VPN profile options](vpn\vpn-profile-options.md) ### [How to configure Diffie Hellman protocol over IKEv2 VPN connections](vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md) -### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md) \ No newline at end of file +### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md) +### [Optimizing Office 365 traffic with the Windows 10 VPN client](vpn\vpn-office-365-optimization.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 54e4021adc..4a5e2492fe 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -154,6 +154,9 @@ These procedures configure NTFS and share permissions on the web server to allow ![CDP Share Permissions](images/aadj/cdp-share-permissions.png) 9. In the **Advanced Sharing** dialog box, click **OK**. +> [!Tip] +> Make sure that users can access **\\\Server FQDN\sharename**. + #### Disable Caching 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). 2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**. @@ -325,6 +328,9 @@ Sign-in a workstation with access equivalent to a _domain user_. 14. Click **Save** 15. Sign-out of the Azure portal. +> [!IMPORTANT] +> For more details about the actual experience after everything has been configured, please see [Windows Hello for Business and Authentication](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication). + ## Section Review > [!div class="checklist"] > * Configure Internet Information Services to host CRL distribution point diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index c7b2eca8b7..9c4dba47c8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -122,11 +122,9 @@ Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.co > > If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section. -#### Azure MFA Provider -If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant. #### Configure Azure MFA Settings -Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. +Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. #### Azure MFA User States After you have completed configuring your Azure MFA settings, you want to review [How to require two-step verification for a user](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 0977f9b6a8..314df80eac 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -37,7 +37,7 @@ You are ready to configure device registration for your hybrid environment. Hybr ## Configure Azure for Device Registration Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. -To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/) +To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/). Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-manual) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark. @@ -49,7 +49,7 @@ Next, follow the guidance on the [How to configure hybrid Azure Active Directory ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) 2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. Configure Azure Device Registration (*You are here*) 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 016bf3f7d8..97c87a6d14 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -102,8 +102,8 @@ Organizations using older directory synchronization technology, such as DirSync
    -## Federation with Azure ## -You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) or [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. +## Federation with Azure +You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/whatis-phs) or [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. > [!div class="checklist"] > * Non-federated environments diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 24172f6859..9369ea8370 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -329,7 +329,7 @@ If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, wri If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **6a** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments do not use the cloud directory. -Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies do. +Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies, such as [MDM automatic enrollment](https://docs.microsoft.com/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) do. If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md new file mode 100644 index 0000000000..22d084bda3 --- /dev/null +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -0,0 +1,676 @@ +--- +title: Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client +description: tbd +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, networking +audience: ITPro +ms.topic: article +author: kelleyvice-msft +ms.localizationpriority: medium +ms.date: 04/07/2020 +ms.reviewer: +manager: dansimp +ms.author: jajo +--- + +# Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client + +This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. + +This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunneling with Exclusions_ approach. This allows you to define IP-based exclusions *even when using force tunneling* in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. + +> [!NOTE] +> The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration). + +## Solution Overview + +The solution is based upon the use of a VPN Configuration Service Provider Reference profile ([VPNv2 CSP](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp)) and the embedded [ProfileXML](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-profile-xsd). These are used to configure the VPN profile on the device. Various provisioning approaches can be used to create and deploy the VPN profile as discussed in the article [Step 6. Configure Windows 10 client Always On VPN connections](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files). + +Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). + +To enable the use of force tunneling in Windows 10 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: + +```xml +ForceTunnel +``` + +In order to define specific force tunnel exclusions, you then need to add the following lines to your existing Profile XML (or script) for each required exclusion, and place them outside of the `` section as follows: + +```xml + +
    [IP addresses or subnet]
    + [IP Prefix] + true +     +``` + +Entries defined by the `[IP Addresses or Subnet]` and `[IP Prefix]` references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate `` section for each required exclusion. + +An example of a correctly formatted Profile XML configuration for force tunnel with exclusions is shown below: + +```xml + + + ForceTunnel + + +
    203.0.113.0
    + 24 + true +     + +
    198.51.100.0
    + 22 + true +     +     +``` + +> [!NOTE] +> The IP addresses and prefix size values in this example are used purely as examples only and should not be used. + +## Solution Deployment + +For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunneling. + +This can be achieved manually by adding the IP addresses defined within the *optimize* category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used. + +An example of a PowerShell script that can be used to update a force tunnel VPN connection with Office 365 exclusions is provided below. + +```powershell +# Copyright (c) Microsoft Corporation. All rights reserved. +# +# THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +# WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +# IF THIS CODE AND INFORMATION IS MODIFIED, THE ENTIRE RISK OF USE OR RESULTS IN +# CONNECTION WITH THE USE OF THIS CODE AND INFORMATION REMAINS WITH THE USER. + +<# +.SYNOPSIS + Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel Windows 10 VPN profile +.DESCRIPTION + Connects to the Office 365 worldwide commercial service instance endpoints to obtain the latest published IP address ranges + Compares the optimized IP addresses with those contained in the supplied VPN Profile (PowerShell or XML file) + Adds or updates IP addresses as necessary and saves the resultant file with "-NEW" appended to the file name +.PARAMETERS + Filename and path for a supplied Windows 10 VPN profile file in either PowerShell or XML format +.NOTES + Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later +.VERSION + 1.0 +#> + +param ( + [string]$VPNprofilefile +) + +$usage=@" + +This script uses the following parameters: + +VPNprofilefile - The full path and name of the VPN profile PowerShell script or XML file + +EXAMPLES + +To check a VPN profile PowerShell script file: + +Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF POWERSHELL SCRIPT FILE] + +To check a VPN profile XML file: + +Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF XML FILE] + +"@ + +# Check if filename has been provided # +if ($VPNprofilefile -eq "") +{ + Write-Host "`nWARNING: You must specify either a PowerShell script or XML filename!" -ForegroundColor Red + + $usage + exit +} + +$FileExtension = [System.IO.Path]::GetExtension($VPNprofilefile) + +# Check if XML file exists and is a valid XML file # +if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".xml") +{ + if ( Test-Path $VPNprofilefile ) + { + $xml = New-Object System.Xml.XmlDocument + try + { + $xml.Load((Get-ChildItem -Path $VPNprofilefile).FullName) + + } + catch [System.Xml.XmlException] + { + Write-Verbose "$VPNprofilefile : $($_.toString())" + Write-Host "`nWARNING: The VPN profile XML file is not a valid xml file or incorrectly formatted!" -ForegroundColor Red + $usage + exit + } + }else + { + Write-Host "`nWARNING: VPN profile XML file does not exist or cannot be found!" -ForegroundColor Red + $usage + exit + } +} + +# Check if VPN profile PowerShell script file exists and contains a VPNPROFILE XML section # +if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".ps1") +{ + if ( (Test-Path $VPNprofilefile) ) + { + if (-Not $(Select-String -Path $VPNprofilefile -Pattern "") ) + { + Write-Host "`nWARNING: PowerShell script file does not contain a valid VPN profile XML section or is incorrectly formatted!" -ForegroundColor Red + $usage + exit + } + }else + { + Write-Host "`nWARNING: PowerShell script file does not exist or cannot be found!"-ForegroundColor Red + $usage + exit + } +} + +# Define Office 365 endpoints and service URLs # +$ws = "https://endpoints.office.com" +$baseServiceUrl = "https://endpoints.office.com" + +# Path where client ID and latest version number will be stored # +$datapath = $Env:TEMP + "\endpoints_clientid_latestversion.txt" + +# Fetch client ID and version if data file exists; otherwise create new file # +if (Test-Path $datapath) +{ + $content = Get-Content $datapath + $clientRequestId = $content[0] + $lastVersion = $content[1] + +}else +{ + $clientRequestId = [GUID]::NewGuid().Guid + $lastVersion = "0000000000" + @($clientRequestId, $lastVersion) | Out-File $datapath +} + +# Call version method to check the latest version, and pull new data if version number is different # +$version = Invoke-RestMethod -Uri ($ws + "/version?clientRequestId=" + $clientRequestId) + +if ($version[0].latest -gt $lastVersion) +{ + + Write-Host + Write-Host "A new version of Office 365 worldwide commercial service instance endpoints has been detected!" -ForegroundColor Cyan + + # Write the new version number to the data file # + @($clientRequestId, $version[0].latest) | Out-File $datapath +} + +# Invoke endpoints method to get the new data # +$uri = "$baseServiceUrl" + "/endpoints/worldwide?clientRequestId=$clientRequestId" + +# Invoke endpoints method to get the data for the VPN profile comparison # +$endpointSets = Invoke-RestMethod -Uri ($uri) +$Optimize = $endpointSets | Where-Object { $_.category -eq "Optimize" } +$optimizeIpsv4 = $Optimize.ips | Where-Object { ($_).contains(".") } | Sort-Object -Unique + +# Temporarily include additional IP address until Teams client update is released +$optimizeIpsv4 += "13.107.60.1/32" + +# Process PowerShell script file start # +if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1") +{ + Write-host "`nStarting PowerShell script exclusion route check...`n" -ForegroundColor Cyan + + # Clear Variables to allow re-run testing # + + $ARRVPN=$null # Array to hold VPN addresses from VPN profile PowerShell file # + $In_Opt_Only=$null # Variable to hold IP addresses that only appear in the optimize list # + $In_VPN_Only=$null # Variable to hold IP addresses that only appear in the VPN profile PowerShell file # + + # Extract the Profile XML from the ps1 file # + + $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*' + + # Create xml format variable to compare with the optimize list # + + $xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1' + [xml]$VPNprofilexml=""+$xmlbody+"" + + # Loop through each address found in VPNPROFILE XML section # + foreach ($Route in $VPNprofilexml.VPNProfile.Route) + { + $VPNIP=$Route.Address+"/"+$Route.PrefixSize + [array]$ARRVPN=$ARRVPN+$VPNIP + } + + # In optimize address list only # + $In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_} + + # In VPN list only # + $In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_} + [array]$Inpfile = get-content $VPNprofilefile + + if ($In_Opt_Only.Count -gt 0 ) + { + Write-Host "Exclusion route IP addresses are unknown, missing, or need to be updated in the VPN profile`n" -ForegroundColor Red + + [int32]$insline=0 + + for ($i=0; $i -lt $Inpfile.count; $i++) + { + if ($Inpfile[$i] -match "") + { + $insline += $i # Record the position of the line after the NativeProfile section ends # + } + } + $OFS = "`r`n" + foreach ($NewIP in $In_Opt_Only) + { + # Add the missing IP address(es) # + $IPInfo=$NewIP.Split("/") + $InpFile[$insline] += $OFS+" " + $InpFile[$insline] += $OFS+"
    "+$IPInfo[0].Trim()+"
    " + $InpFile[$insline] += $OFS+" "+$IPInfo[1].Trim()+"" + $InpFile[$insline] += $OFS+" true" + $InpFile[$insline] += $OFS+"     " + } + # Update fileName and write new PowerShell file # + $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.ps1" + $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName + $InpFile | Set-Content $OutFile + Write-Host "Exclusion routes have been added to VPN profile and output to a separate PowerShell script file; the original file has not been modified`n" -ForegroundColor Green + }else + { + Write-Host "Exclusion route IP addresses are correct and up to date in the VPN profile`n" -ForegroundColor Green + $OutFile=$VPNprofilefile + } + +if ( $In_VPN_Only.Count -gt 0 ) +{ + Write-Host "Unknown exclusion route IP addresses have been found in the VPN profile`n" -ForegroundColor Yellow + + foreach ($OldIP in $In_VPN_Only) + { + [array]$Inpfile = get-content $Outfile + $IPInfo=$OldIP.Split("/") + Write-Host "Unknown exclusion route IP address"$IPInfo[0]"has been found in the VPN profile - Do you wish to remove it? (Y/N)`n" -ForegroundColor Yellow + $matchstr="
    "+$IPInfo[0].Trim()+"
    " + $DelAns=Read-host + if ($DelAns.ToUpper() -eq "Y") + { + [int32]$insline=0 + for ($i=0; $i -lt $Inpfile.count; $i++) + { + if ($Inpfile[$i] -match $matchstr) + { + $insline += $i # Record the position of the line for the string match # + } + } + # Remove entries from XML # + $InpFile[$insline-1]="REMOVETHISLINE" + $InpFile[$insline]="REMOVETHISLINE" + $InpFile[$insline+1]="REMOVETHISLINE" + $InpFile[$insline+2]="REMOVETHISLINE" + $InpFile[$insline+3]="REMOVETHISLINE" + $InpFile=$InpFile | Where-Object {$_ -ne "REMOVETHISLINE"} + + # Update filename and write new PowerShell file # + $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml" + $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName + $Inpfile | Set-content $OutFile + Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate PowerShell script file; the original file has not been modified`n" -ForegroundColor Green + + }else + { + Write-Host "`nExclusion route IP address has *NOT* been removed from the VPN profile`n" -ForegroundColor Green + } + } + } +} + +# Process XML file start # +if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml") +{ + Write-host "`nStarting XML file exclusion route check...`n" -ForegroundColor Cyan + + # Clear variables to allow re-run testing # + $ARRVPN=$null # Array to hold VPN addresses from the XML file # + $In_Opt_Only=$null # Variable to hold IP Addresses that only appear in optimize list # + $In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file # + + # Extract the Profile XML from the XML file # + $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*' + + # Create xml format variable to compare with optimize list # + $xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1' + [xml]$VPNRulesxml="$xmlbody" + + # Loop through each address found in VPNPROFILE file # + foreach ($Route in $VPNRulesxml.VPNProfile.Route) + { + $VPNIP=$Route.Address+"/"+$Route.PrefixSize + [array]$ARRVPN=$ARRVPN+$VPNIP + } + + # In optimize address list only # + $In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_} + + # In VPN list only # + $In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_} + [array]$Inpfile = get-content $VPNprofilefile + + if ($In_Opt_Only.Count -gt 0 ) + { + Write-Host "Exclusion route IP addresses are unknown, missing, or need to be updated in the VPN profile`n" -ForegroundColor Red + + foreach ($NewIP in $In_Opt_Only) + { + # Add the missing IP address(es) # + $IPInfo=$NewIP.Split("/") + $inspoint = $Inpfile[0].IndexOf(""+$IPInfo[0].Trim()+""+""+$IPInfo[1].Trim()+""+"true"+"" + } + $Inpfile = $Inpfile[0].Insert($inspoint,$routes) + + # Update filename and write new XML file # + $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml" + $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName + $InpFile | Set-Content $OutFile + Write-Host "Exclusion routes have been added to VPN profile and output to a separate XML file; the original file has not been modified`n`n" -ForegroundColor Green + + }else + { + Write-Host "Exclusion route IP addresses are correct and up to date in the VPN profile`n" -ForegroundColor Green + $OutFile=$VPNprofilefile + } + + if ( $In_VPN_Only.Count -gt 0 ) + { + Write-Host "Unknown exclusion route IP addresses found in the VPN profile`n" -ForegroundColor Yellow + + foreach ($OldIP in $In_VPN_Only) + { + [array]$Inpfile = get-content $OutFile + $IPInfo=$OldIP.Split("/") + Write-Host "Unknown exclusion route IP address"$IPInfo[0]"has been found in the VPN profile - Do you wish to remove it? (Y/N)`n" -ForegroundColor Yellow + $matchstr=""+"
    "+$IPInfo[0].Trim()+"
    "+""+$IPInfo[1].Trim()+""+"true"+"    " + $DelAns=Read-host + if ($DelAns.ToUpper() -eq "Y") + { + # Remove unknown IP address(es) # + $inspoint = $Inpfile[0].IndexOf($matchstr) + $Inpfile[0] = $Inpfile[0].Replace($matchstr,"") + + # Update filename and write new XML file # + $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml" + $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName + $Inpfile | Set-content $OutFile + Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate XML file; the original file has not been modified`n" -ForegroundColor Green + + }else + { + Write-Host "`nExclusion route IP address has *NOT* been removed from the VPN profile`n" -ForegroundColor Green + } + } + } +} +``` + +## Version Support + +This solution is supported with the following versions of Windows: + +- Windows 10 1903/1909 and newer: Included, no action needed +- Windows 10 1809: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481) +- Windows 10 1803: At least [KB4493437](https://support.microsoft.com/help/4493437/windows-10-update-kb4493437) +- Windows 10 1709 and lower: Exclusion routes are not supported + +- Windows 10 Enterprise 2019 LTSC: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481) +- Windows 10 Enterprise 2016 LTSC: Exclusion routes are not supported +- Windows 10 Enterprise 2015 LTSC: Exclusion routes are not supported + +Microsoft strongly recommends that the latest available Windows 10 cumulative update always be applied. + +## Other Considerations + +You should also be able to adapt this approach to include necessary exclusions for other cloud-services that can be defined by known/static IP addresses; exclusions required for [Cisco WebEx](https://help.webex.com/WBX000028782/Network-Requirements-for-Webex-Teams-Services) or [Zoom](https://support.zoom.us/hc/en-us/articles/201362683) are good examples. + +## Examples + +An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial PowerShell script: + +```powershell +# Copyright (c) Microsoft Corporation. All rights reserved. +# +# THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +# WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +# IF THIS CODE AND INFORMATION IS MODIFIED, THE ENTIRE RISK OF USE OR RESULTS IN +# CONNECTION WITH THE USE OF THIS CODE AND INFORMATION REMAINS WITH THE USER. + +<# +.SYNOPSIS + Configures an AlwaysOn IKEv2 VPN Connection using a basic script +.DESCRIPTION + Configures an AlwaysOn IKEv2 VPN Connection with proxy PAC information and force tunneling +.PARAMETERS + Parameters are defined in a ProfileXML object within the script itself +.NOTES + Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later +.VERSION + 1.0 +#> + +<#-- Define Key VPN Profile Parameters --#> +$ProfileName = 'Contoso VPN with Office 365 Exclusions' +$ProfileNameEscaped = $ProfileName -replace ' ', '%20' + +<#-- Define VPN ProfileXML --#> +$ProfileXML = ' + true + corp.contoso.com + true + corp.contoso.com + + edge1.contoso.com + ForceTunnel + IKEv2 + + Certificate + + + +
    13.107.6.152
    + 31 + true +     + +
    13.107.18.10
    + 31 + true +     + +
    13.107.128.0
    + 22 + true +     + +
    23.103.160.0
    + 20 + true +     + +
    40.96.0.0
    + 13 + true +     + +
    40.104.0.0
    + 15 + true +     + +
    52.96.0.0
    + 14 + true +     + +
    131.253.33.215
    + 32 + true +     + +
    132.245.0.0
    + 16 + true +     + +
    150.171.32.0
    + 22 + true +     + +
    191.234.140.0
    + 22 + true +     + +
    204.79.197.215
    + 32 + true +     + +
    13.107.136.0
    + 22 + true +     + +
    40.108.128.0
    + 17 + true +     + +
    52.104.0.0
    + 14 + true +     + +
    104.146.128.0
    + 17 + true +     + +
    150.171.40.0
    + 22 + true +     + +
    13.107.60.1
    + 32 + true +     + +
    13.107.64.0
    + 18 + true +     + +
    52.112.0.0
    + 14 + true +     + +
    52.120.0.0
    + 14 + true +     + + http://webproxy.corp.contsoso.com/proxy.pac + +    ' + +<#-- Convert ProfileXML to Escaped Format --#> +$ProfileXML = $ProfileXML -replace '<', '<' +$ProfileXML = $ProfileXML -replace '>', '>' +$ProfileXML = $ProfileXML -replace '"', '"' + +<#-- Define WMI-to-CSP Bridge Properties --#> +$nodeCSPURI = './Vendor/MSFT/VPNv2' +$namespaceName = "root\cimv2\mdm\dmmap" +$className = "MDM_VPNv2_01" + +<#-- Define WMI Session --#> +$session = New-CimSession + +<#-- Detect and Delete Previous VPN Profile --#> +try +{ + $deleteInstances = $session.EnumerateInstances($namespaceName, $className, $options) + foreach ($deleteInstance in $deleteInstances) + { + $InstanceId = $deleteInstance.InstanceID + if ("$InstanceId" -eq "$ProfileNameEscaped") + { + $session.DeleteInstance($namespaceName, $deleteInstance, $options) + $Message = "Removed $ProfileName profile $InstanceId" + Write-Host "$Message" + } else { + $Message = "Ignoring existing VPN profile $InstanceId" + Write-Host "$Message" + } + } +} +catch [Exception] +{ + $Message = "Unable to remove existing outdated instance(s) of $ProfileName profile: $_" + Write-Host "$Message" + exit +} + +<#-- Create VPN Profile --#> +try +{ + $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName + $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key') + $newInstance.CimInstanceProperties.Add($property) + $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key') + $newInstance.CimInstanceProperties.Add($property) + $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property') + $newInstance.CimInstanceProperties.Add($property) + + $session.CreateInstance($namespaceName, $newInstance, $options) + $Message = "Created $ProfileName profile." + Write-Host "$Message" + Write-Host "$ProfileName profile summary:" + $session.EnumerateInstances($namespaceName, $className, $options) +} +catch [Exception] +{ + $Message = "Unable to create $ProfileName profile: $_" + Write-Host "$Message" + exit +} + +$Message = "Script Complete" +Write-Host "$Message" + +``` + +An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file. + +>[!NOTE] +>This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace. + +```xml +truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
    13.107.6.152
    31true
    13.107.18.10
    31true
    13.107.128.0
    22true
    23.103.160.0
    20true
    40.96.0.0
    13true
    40.104.0.0
    15true
    52.96.0.0
    14true
    131.253.33.215
    32true
    132.245.0.0
    16true
    150.171.32.0
    22true
    191.234.140.0
    22true
    204.79.197.215
    32true
    13.107.136.0
    22true
    40.108.128.0
    17true
    52.104.0.0
    14true
    104.146.128.0
    17true
    150.171.40.0
    22true
    13.107.60.1
    32true
    13.107.64.0
    18true
    52.112.0.0
    14true
    52.120.0.0
    14true    http://webproxy.corp.contsoso.com/proxy.pac     +``` diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md index c3c19ee400..6d79db4dc3 100644 --- a/windows/security/information-protection/TOC.md +++ b/windows/security/information-protection/TOC.md @@ -38,7 +38,7 @@ ## [Encrypted Hard Drive](encrypted-hard-drive.md) -## [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md) +## [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md) ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md) ### [Create a WIP policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md) @@ -47,8 +47,8 @@ ##### [Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md) #### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) #### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md) -### [Create a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md) -#### [Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md) +### [Create a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\overview-create-wip-policy-configmgr.md) +#### [Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\create-wip-policy-using-configmgr.md) #### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) #### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md) ### [Mandatory tasks and settings required to turn on WIP](windows-information-protection\mandatory-settings-for-wip.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 56c13ecbbe..a7a7e7fce7 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -80,7 +80,9 @@ The server side configuration to enable Network Unlock also requires provisionin 1. The Windows boot manager detects that a Network Unlock protector exists in the BitLocker configuration. 2. The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address. -3. The client computer broadcasts a vendor-specific DHCP request that contains the Network Key (a 256-bit intermediate key) and an AES-256 session key for the reply. Both of these keys are encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server. +3. The client computer broadcasts a vendor-specific DHCP request that contains: + 1. A Network Key (a 256-bit intermediate key) encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server. + 2. An AES-256 session key for the reply. 4. The Network Unlock provider on the WDS server recognizes the vendor-specific request. 5. The provider decrypts it with the WDS server’s BitLocker Network Unlock certificate RSA private key. 6. The WDS provider then returns the network key encrypted with the session key using its own vendor-specific DHCP reply to the client computer. This forms an intermediate key. diff --git a/windows/security/information-protection/bitlocker/images/sccm-imageconfig.jpg b/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg similarity index 100% rename from windows/security/information-protection/bitlocker/images/sccm-imageconfig.jpg rename to windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 2f83a67ca2..18236c1ddf 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -111,7 +111,7 @@ list volume If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager). -![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/sccm-imageconfig.jpg) +![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/configmgr-imageconfig.jpg) #### Step 2: Verify the status of WinRE @@ -171,7 +171,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes You receive an error message that resembles the following: -> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable ‘SecureBoot’ could not be read. A required privilege is not held by the client. +> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client. ### Cause diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index d2a77a72e2..2bcfcf6622 100644 --- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md @@ -23,12 +23,12 @@ ms.reviewer: - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. +If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices. >[!IMPORTANT] ->If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).

    If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. +>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).

    If your DRA certificate has expired, you won't be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. ## Manually create an EFS DRA certificate @@ -47,16 +47,16 @@ The recovery process included in this topic only works for desktop devices. WIP >[!Important] >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. -4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md). +4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md). > [!NOTE] > This certificate can be used in Intune for policies both _with_ device enrollment (MDM) and _without_ device enrollment (MAM). ## Verify your data recovery certificate is correctly set up on a WIP client computer -1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP. +1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it's encrypted by WIP. -2. Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP. +2. Open an app on your protected app list, and then create and save a file so that it's encrypted by WIP. 3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: @@ -89,7 +89,7 @@ It's possible that you might revoke data from an unenrolled device only to later Robocopy "%localappdata%\Microsoft\EDP\Recovery" "new_location" * /EFSRAW - Where "*new_location*" is in a different directory. This can be on the employee’s device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent. + Where "*new_location*" is in a different directory. This can be on the employee's device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent. To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**. @@ -109,12 +109,12 @@ It's possible that you might revoke data from an unenrolled device only to later 4. Ask the employee to lock and unlock the device. - The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. + The Windows Credential service automatically recovers the employee's previously revoked keys from the `Recovery\Input` location. ## Auto-recovery of encryption keys Starting with Windows 10, version 1709, WIP includes a data recovery feature that lets your employees auto-recover access to work files if the encryption key is lost and the files are no longer accessible. This typically happens if an employee reimages the operating system partition, removing the WIP key info, or if a device is reported as lost and you mistakenly target the wrong device for unenrollment. -To help make sure employees can always access files, WIP creates an auto-recovery key that’s backed up to their Azure Active Directory (Azure AD) identity. +To help make sure employees can always access files, WIP creates an auto-recovery key that's backed up to their Azure Active Directory (Azure AD) identity. The employee experience is based on sign in with an Azure AD work account. The employee can either: @@ -147,7 +147,7 @@ After signing in, the necessary WIP key info is automatically downloaded and emp - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md) -- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md) +- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) - [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md similarity index 78% rename from windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md rename to windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md index 9d1178639c..a5baa19809 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md @@ -25,10 +25,10 @@ ms.date: 01/09/2020 - Windows 10 Mobile, version 1607 and later - Microsoft Endpoint Configuration Manager -Microsoft Endpoint Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. +Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. ## Add a WIP policy -After you’ve installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. +After you've installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. >[!TIP] > Review the [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) article before creating a new configuration item to avoid common issues. @@ -37,16 +37,16 @@ After you’ve installed and set up Configuration Manager for your organization, 1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. - ![Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png) + ![Configuration Manager, Configuration Items screen](images/wip-configmgr-addpolicy.png) 2. Click the **Create Configuration Item** button.

    The **Create Configuration Item Wizard** starts. - ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-sccm-generalscreen.png) + ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-configmgr-generalscreen.png) 3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. -4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Microsoft Endpoint Configuration Manager for device management, and then click **Next**. +4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**. - **Settings for devices managed with the Configuration Manager client:** Windows 10 @@ -56,25 +56,25 @@ The **Create Configuration Item Wizard** starts. 5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**. - ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-sccm-supportedplat.png) + ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-configmgr-supportedplat.png) 6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**. - ![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-sccm-devicesettings.png) + ![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-configmgr-devicesettings.png) The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. ## Add app rules to your policy -During the policy-creation process in Microsoft Endpoint Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. +During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. >[!IMPORTANT] ->Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

    Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. +>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

    Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. ### Add a store app rule to your policy -For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. +For this example, we're going to add Microsoft OneNote, a store app, to the **App Rules** list. **To add a store app** @@ -82,13 +82,13 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the ** The **Add app rule** box appears. - ![Create Configuration Item wizard, add a universal store app](images/wip-sccm-adduniversalapp.png) + ![Create Configuration Item wizard, add a universal store app](images/wip-configmgr-adduniversalapp.png) -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. +2. Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. + Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. 4. Pick **Store App** from the **Rule template** drop-down list. @@ -122,7 +122,7 @@ If you don't know the publisher or product name, you can find them for both desk 4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune. > [!IMPORTANT] - > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

    For example:

    + > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`.

    For example:

    > ```json > { > "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", @@ -150,7 +150,7 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. > [!IMPORTANT] - > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. + > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`. > For example:

    > ```json > { @@ -159,20 +159,20 @@ If you don't know the publisher or product name, you can find them for both desk > ``` ### Add a desktop app rule to your policy -For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. +For this example, we're going to add Internet Explorer, a desktop app, to the **App Rules** list. **To add a desktop app to your policy** 1. From the **App rules** area, click **Add**. The **Add app rule** box appears. - ![Create Configuration Item wizard, add a classic desktop app](images/wip-sccm-adddesktopapp.png) + ![Create Configuration Item wizard, add a classic desktop app](images/wip-configmgr-adddesktopapp.png) -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. +2. Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. + Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. 4. Pick **Desktop App** from the **Rule template** drop-down list. @@ -186,7 +186,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the Manages - All fields left as “*” + All fields left as "*" All files signed by any publisher. (Not recommended.) @@ -215,7 +215,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the -If you’re unsure about what to include for the publisher, you can run this PowerShell command: +If you're unsure about what to include for the publisher, you can run this PowerShell command: ```ps1 Get-AppLockerFileInformation -Path "" @@ -232,7 +232,7 @@ Path Publisher Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. ### Add an AppLocker policy file -For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. +For this example, we're going to add an AppLocker XML file to the **App Rules** list. You'll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. **To create an app rule and xml file using the AppLocker tool** 1. Open the Local Security Policy snap-in (SecPol.msc). @@ -257,7 +257,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) -7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. +7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos. ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) @@ -277,7 +277,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. - The policy is saved and you’ll see a message that says 1 rule was exported from the policy. + The policy is saved and you'll see a message that says 1 rule was exported from the policy. **Example XML file**
    This is the XML file that AppLocker creates for Microsoft Photos. @@ -299,7 +299,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* ``` -12. After you’ve created your XML file, you need to import it by using Microsoft Endpoint Configuration Manager. +12. After you've created your XML file, you need to import it by using Configuration Manager. **To import your Applocker policy file app rule using Configuration Manager** @@ -307,13 +307,13 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* The **Add app rule** box appears. - ![Create Configuration Item wizard, add an AppLocker policy](images/wip-sccm-addapplockerfile.png) + ![Create Configuration Item wizard, add an AppLocker policy](images/wip-configmgr-addapplockerfile.png) -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. +2. Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. + Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. 4. Pick the **AppLocker policy file** from the **Rule template** drop-down list. @@ -332,13 +332,13 @@ If you're running into compatibility issues where your app is incompatible with The **Add app rule** box appears. -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. +2. Add a friendly name for your app into the **Title** box. In this example, it's *Exempt apps list*. 3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. - Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. + Be aware that when you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. -4. Fill out the rest of the app rule info, based on the type of rule you’re adding: +4. Fill out the rest of the app rule info, based on the type of rule you're adding: - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. @@ -360,13 +360,13 @@ We recommend that you start with **Silent** or **Override** while verifying with |-----|------------| |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. | -|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| -|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| +|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would've been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| +|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on.| -![Create Configuration Item wizard, choose your WIP-protection level](images/wip-sccm-appmgmt.png) +![Create Configuration Item wizard, choose your WIP-protection level](images/wip-configmgr-appmgmt.png) ## Define your enterprise-managed identity domains -Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. +Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. @@ -374,16 +374,16 @@ You can specify multiple domains owned by your enterprise by separating them wit - Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. - ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-sccm-corp-identity.png) + ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-configmgr-corp-identity.png) ## Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. -There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). +There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). >[!IMPORTANT] >Every WIP policy should include policy that defines your enterprise network locations.
    ->Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. +>Classless Inter-Domain Routing (CIDR) notation isn't supported for WIP configurations. **To define where your protected apps can find and send enterprise data on you network** @@ -393,7 +393,7 @@ There are no default locations included with WIP, you must add each of your netw 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. - ![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-sccm-add-network-domain.png) + ![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-configmgr-add-network-domain.png) @@ -404,7 +404,7 @@ There are no default locations included with WIP, you must add each of your netw - + @@ -414,12 +414,12 @@ There are no default locations included with WIP, you must add each of your netw - + -
    +
    @@ -442,7 +442,7 @@ There are no default locations included with WIP, you must add each of your netw 4. Decide if you want to Windows to look for additional network settings and if you want to show the WIP icon on your corporate files while in File Explorer. - ![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-sccm-optsettings.png) + ![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-configmgr-optsettings.png) - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option. @@ -452,16 +452,16 @@ There are no default locations included with WIP, you must add each of your netw 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-sccm-dra.png) + ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-configmgr-dra.png) - After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. + After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). ## Choose your optional WIP-related settings -After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. +After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings. -![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-sccm-additionalsettings.png) +![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-configmgr-additionalsettings.png) **To set your optional settings** 1. Choose to set any or all of the optional settings: @@ -478,13 +478,13 @@ After you've decided where your protected apps can access enterprise data on you - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - - **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + - **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. + - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions. - - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you don’t specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to. + - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you don't specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to. 2. After you pick all of the settings you want to include, click **Summary**. @@ -494,12 +494,12 @@ After you've finished configuring your policy, you can review all of your info o **To view the Summary screen** - Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy. - ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-sccm-summaryscreen.png) + ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-configmgr-summaryscreen.png) A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page. ## Deploy the WIP policy -After you’ve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics: +After you've created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics: - [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224) - [How to Create Configuration Baselines for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708225) diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md index 47d4db6ed7..684b78d8e2 100644 --- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md +++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md @@ -82,7 +82,7 @@ When you create a sensitivity label, you can specify that the label be added to ![Sensitivity labels](images/sensitivity-label-auto-label.png) -A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, driver’s license numbers, and so on. +A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, driver's license numbers, and so on. You can also [create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type), which can include any keyword or expression that you want to evaluate. ### Protection @@ -110,7 +110,7 @@ You can see sensitive information types in Microsoft 365 compliance under **Clas - Auto labelling requires Windows 10, version 1903 - Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy - [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center -- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-sccm.md) +- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-configmgr.md) diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-add-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-add-network-domain.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-add-network-domain.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-add-network-domain.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-addapplockerfile.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addapplockerfile.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-addapplockerfile.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-addapplockerfile.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adddesktopapp.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-adddesktopapp.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-additionalsettings.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-additionalsettings.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-addpolicy.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addpolicy.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-addpolicy.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-addpolicy.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adduniversalapp.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-adduniversalapp.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-appmgmt.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-appmgmt.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-corp-identity.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-corp-identity.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-corp-identity.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-corp-identity.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-devicesettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-devicesettings.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-devicesettings.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-devicesettings.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-dra.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-dra.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-dra.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-dra.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-network-domain.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-optsettings.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-optsettings.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-summaryscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-summaryscreen.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-summaryscreen.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-summaryscreen.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-supportedplat.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-supportedplat.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-supportedplat.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-supportedplat.png diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 8b5a188647..3fc752f3ca 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -53,7 +53,7 @@ This table provides info about the most common problems you might encounter whil - + @@ -121,17 +121,25 @@ This table provides info about the most common problems you might encounter whil - + - + + + + + +
    Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
    contoso.visualstudio.com,contoso.internalproxy2.com

    Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

    		Specify the cloud resources to be treated as corporate and protected by WIP.

    For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

    Important
    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

    		Specify the cloud resources to be treated as corporate and protected by WIP.

    For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

    Important
    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.
    Enterprise Network Domain Names (Required)
    Proxy servers proxy.contoso.com:80;proxy2.contoso.com:443Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

    This list shouldn’t include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.

    If you have multiple resources, you must separate them using the ";" delimiter.    		Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.

    This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.

    If you have multiple resources, you must separate them using the ";" delimiter.
    Internal proxy servers contoso.internalproxy1.com;contoso.internalproxy2.comSpecify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

    This list shouldn’t include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.

    If you have multiple resources, you must separate them using the ";" delimiter.
    Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.

    This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.

    If you have multiple resources, you must separate them using the ";" delimiter.
    Enterprise IPv4 Range (Required) Starting IPv4 Address: 3.4.0.1
    Ending IPv4 Address: 3.4.255.254
    Custom URI: 3.4.0.1-3.4.255.254,
    10.0.0.1-10.255.255.254
    WIP is designed for use by a single user per device.A secondary user on a device might experience app compat issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process.A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process. We recommend only having one user per managed device.
    Only enlightened apps can be managed without device enrollment If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintenionally encrypted by unenlighted apps. Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment.If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintentionally encrypted by unenlighted apps. Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment. If all apps need to be managed, enroll the device for MDM.
    By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encypted by one user, other users can't access it.
    		By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encrypted by one user, other users can't access it.
    		 Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner. If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
    Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files, and are therefore not protected. + If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected. + It is recommended to use Microsoft Office Outlook in Online mode, or to use encryption to protect OST and PST files manually. +
    > [!NOTE] diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md similarity index 88% rename from windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md rename to windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md index fc7e101613..a1e662c65e 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md @@ -28,6 +28,6 @@ Microsoft Endpoint Configuration Manager helps you create and deploy your enterp ## In this section |Topic |Description | |------|------------| -|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | +|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | |[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). | diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index 7cb66960c1..961744bbf6 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -56,7 +56,7 @@ You can try any of the processes included in these scenarios, but you should foc Create work documents in enterprise-allowed apps. For desktop:

    For mobile:

      @@ -113,7 +113,7 @@ You can try any of the processes included in these scenarios, but you should foc
      1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
        Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
      2. Open File Explorer and make sure your modified files are appearing with a Lock icon.
        3. -
      3. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

        Note
        Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data.

        A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
        4. +
      4. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

        Note
        Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.

        A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
      @@ -172,17 +172,7 @@ You can try any of the processes included in these scenarios, but you should foc - - Stop Google Drive from syncing WIP protected files and folders. - -
        -
      • In silent configuration, add Google Drive to Protected Apps and set it to Deny. This way, Google Drive will not sync WIP protected files and folders.
        • -
      • Google Drive details
        • - Publisher=O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US - File=GOOGLEDRIVESYNC.EXE -
      - - + >[!NOTE] diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index ac15e0c03b..e282446cf6 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -6,101 +6,340 @@ ### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) ### [Preview features](microsoft-defender-atp/preview.md) ### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md) +### [Portal overview](microsoft-defender-atp/portal-overview.md) ### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md) ## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md) -## [Deployment strategy](microsoft-defender-atp/deployment-strategy.md) +## [Plan deployment](microsoft-defender-atp/deployment-strategy.md) ## [Deployment guide]() ### [Deployment phases](microsoft-defender-atp/deployment-phases.md) - ### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md) - -### [Phase 2: Setup](microsoft-defender-atp/production-deployment.md) - +### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md) ### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md) ## [Security administration]() -### [Threat & Vulnerability Management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) -### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) -### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md) -### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) -### [Configuration score](microsoft-defender-atp/configuration-score.md) -### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md) -### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md) -### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) -### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md) -### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md) +### [Threat & Vulnerability Management]() +#### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) +#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) +#### [Dashboard insights](microsoft-defender-atp/tvm-dashboard-insights.md) +#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) +#### [Configuration score](microsoft-defender-atp/configuration-score.md) +#### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md) +#### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md) +#### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) +#### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md) +#### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md) + +### [Attack surface reduction]() +#### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md) +#### [Attack surface reduction evaluation](microsoft-defender-atp/evaluate-attack-surface-reduction.md) +#### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md) +#### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md) + + +#### [Attack surface reduction controls]() +##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md) +##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md) +##### [Customize attack surface reduction rules](microsoft-defender-atp/customize-attack-surface-reduction.md) + +#### [Hardware-based isolation]() +##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md) +##### [Hardware-based isolation evaluation](windows-defender-application-guard/test-scenarios-wd-app-guard.md) + +##### [Application isolation]() +###### [Application guard overview](windows-defender-application-guard/wd-app-guard-overview.md) +###### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md) +###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md) + +##### [Application control](windows-defender-application-control/windows-defender-application-control.md) +###### [Audit Application control policies](windows-defender-application-control/audit-windows-defender-application-control-policies.md) + +##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) + +##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) + + +#### [Device control]() +##### [Control USB devices](device-control/control-usb-devices-using-intune.md) + +##### [Device Guard]() +###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +#### [Exploit protection]() +##### [Protect devices from exploits](microsoft-defender-atp/exploit-protection.md) +##### [Exploit protection evaluation](microsoft-defender-atp/evaluate-exploit-protection.md) +#### [Network protection]() +##### [Protect your network](microsoft-defender-atp/network-protection.md) +##### [Network protection evaluation](microsoft-defender-atp/evaluate-network-protection.md) + + +#### [Web protection]() +##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md) +##### [Web threat protection]() +###### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md) +###### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md) +###### [Respond to web threats](microsoft-defender-atp/web-protection-response.md) +##### [Web content filtering](microsoft-defender-atp/web-content-filtering.md) + +#### [Controlled folder access]() +##### [Protect folders](microsoft-defender-atp/controlled-folders.md) +##### [Controlled folder access evaluation](microsoft-defender-atp/evaluate-controlled-folder-access.md) + + + +#### [Network firewall]() +##### [Network firewall overview](windows-firewall/windows-firewall-with-advanced-security.md) +##### [Network firewall evaluation](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) + + +### [Next-generation protection]() +#### [Next-generation protection overview](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) +#### [Evaluate next-generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md) + +#### [Configure next-generation protection]() +##### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md) + +##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) +###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md) +###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md) +###### [Prevent security settings changes with tamper protection](windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md) +###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md) +###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md) + +##### [Configure behavioral, heuristic, and real-time protection]() +###### [Configuration overview](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md) +###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) +###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) + +##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md) + +##### [Antivirus compatibility]() +###### [Compatibility charts](windows-defender-antivirus/windows-defender-antivirus-compatibility.md) +###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md) + +##### [Deploy, manage updates, and report on antivirus]() +###### [Preparing to deploy](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md) +###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md) +####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md) + +###### [Report on antivirus protection]() +####### [Review protection status and alerts](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md) +####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md) + +###### [Manage updates and apply baselines]() +####### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md) +####### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md) +####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md) +####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md) +####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md) +####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md) + +##### [Customize, initiate, and review the results of scans and remediation]() +###### [Configuration overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md) + +###### [Configure and validate exclusions in antivirus scans]() +####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md) +####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) +####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md) +####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md) + +###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md) +###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md) +###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md) +###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md) +###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md) +###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md) + +##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md) + +##### [Manage antivirus in your business]() +###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md) +###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md) +###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md) +###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md) +###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md) +###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) + +##### [Manage scans and remediation]() +###### [Management overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md) + +###### [Configure and validate exclusions in antivirus scans]() +####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md) +####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) +####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md) +####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md) + +###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md) + +##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md) +###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md) +###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md) +###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md) +###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md) +###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md) +###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md) + +##### [Manage next-generation protection in your business]() +###### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md) +###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md) +###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md) +###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md) +###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md) +###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md) +###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) + + +#### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md) +#### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md) + + +### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md) +#### [What's New](microsoft-defender-atp/mac-whatsnew.md) + +#### [Deploy]() +##### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md) +##### [JAMF-based deployment](microsoft-defender-atp/mac-install-with-jamf.md) +##### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md) +##### [Manual deployment](microsoft-defender-atp/mac-install-manually.md) +#### [Update](microsoft-defender-atp/mac-updates.md) + +#### [Configure]() +##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md) +##### [Set preferences](microsoft-defender-atp/mac-preferences.md) +##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md) + +#### [Troubleshoot]() +##### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md) +##### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md) +##### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md) +##### [Troubleshoot license issues](microsoft-defender-atp/mac-support-license.md) + +#### [Privacy](microsoft-defender-atp/mac-privacy.md) +#### [Resources](microsoft-defender-atp/mac-resources.md) + + +### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md) +#### [What's New](microsoft-defender-atp/linux-whatsnew.md) +#### [Deploy]() +##### [Manual deployment](microsoft-defender-atp/linux-install-manually.md) +##### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md) +##### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md) + +#### [Update](microsoft-defender-atp/linux-updates.md) + + +#### [Configure]() +##### [Configure and validate exclusions](microsoft-defender-atp/linux-exclusions.md) +##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md) +##### [Set preferences](microsoft-defender-atp/linux-preferences.md) + +#### [Troubleshoot]() +##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md) +##### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md) +##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md) + + +#### [Resources](microsoft-defender-atp/linux-resources.md) + +### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md) + ## [Security operations]() -### [Portal overview](microsoft-defender-atp/portal-overview.md) -### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md) -### [Incidents queue]() -#### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md) -#### [Manage incidents](microsoft-defender-atp/manage-incidents.md) -#### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md) -### [Alerts queue]() -#### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md) -#### [Manage alerts](microsoft-defender-atp/manage-alerts.md) -#### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md) -#### [Investigate files](microsoft-defender-atp/investigate-files.md) -#### [Investigate machines](microsoft-defender-atp/investigate-machines.md) -#### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md) -#### [Investigate a domain](microsoft-defender-atp/investigate-domain.md) -##### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md) -#### [Investigate a user account](microsoft-defender-atp/investigate-user.md) +### [Endpoint detection and response]() +#### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md) +#### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md) +#### [Incidents queue]() +##### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md) +##### [Manage incidents](microsoft-defender-atp/manage-incidents.md) +##### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md) + +#### [Alerts queue]() +##### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md) +##### [Manage alerts](microsoft-defender-atp/manage-alerts.md) +##### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md) +##### [Investigate files](microsoft-defender-atp/investigate-files.md) +##### [Investigate machines](microsoft-defender-atp/investigate-machines.md) +##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md) +##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md) +###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md) +##### [Investigate a user account](microsoft-defender-atp/investigate-user.md) + +#### [Machines list]() +##### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md) +##### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md) + +#### [Take response actions]() +##### [Take response actions on a machine]() +###### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md) +###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags) +###### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation) +###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session) +###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines) +###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines) +###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution) +###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network) +###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert) +###### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center) + +##### [Take response actions on a file]() +###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md) +###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network) +###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine) +###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) +###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert) +###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center) +###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file) +###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis) +###### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis) +###### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports) +###### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis) -### [Machines list]() -#### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md) -#### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md) +#### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md) +##### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md) -### [Take response actions]() -#### [Take response actions on a machine]() -##### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md) -##### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags) -##### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation) -##### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session) -##### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines) -##### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines) -##### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution) -##### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network) -##### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert) -##### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center) - -#### [Take response actions on a file]() -##### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md) -##### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network) -##### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine) -##### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) -##### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert) -##### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center) -##### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file) -##### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis) -##### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis) -##### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports) -##### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis) - -### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md) -#### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md) +#### [Investigate entities using Live response]() +##### [Investigate entities on machines](microsoft-defender-atp/live-response.md) +##### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md) -### [Investigate entities using Live response]() -#### [Investigate entities on machines](microsoft-defender-atp/live-response.md) -#### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md) -### [Threat analytics](microsoft-defender-atp/threat-analytics.md) + + +##### [Shadow protection?](windows-defender-antivirus/shadow-protection.md) + +#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md) + +#### [Reporting]() +##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md) +##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md) +##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md) +#### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md) + + +#### [Custom detections]() +##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md) +##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md) + + + + + + +### [Automated investigation and response]() +#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md) ### [Advanced hunting]() #### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md) @@ -128,17 +367,13 @@ ### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md) -### [Reporting]() -#### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md) -#### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md) -#### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md) -#### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md) +### [Threat analytics](microsoft-defender-atp/threat-analytics.md) + + + -### [Custom detections]() -#### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md) -#### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md) @@ -174,171 +409,6 @@ #### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md) #### [Optimize ASR rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md) -### [Manage capabilities]() - -#### [Configure attack surface reduction]() -##### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md) - -#### [Hardware-based isolation]() -##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) - -##### [Application isolation]() -###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md) -###### [Application control](windows-defender-application-control/windows-defender-application-control.md) - -##### [Device control]() -###### [Control USB devices](device-control/control-usb-devices-using-intune.md) - -###### [Device Guard]() -####### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) - -####### [Memory integrity]() -######## [Understand memory integrity](device-guard/memory-integrity.md) -######## [Hardware qualifications](device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) -######## [Enable HVCI](device-guard/enable-virtualization-based-protection-of-code-integrity.md) - -##### [Exploit protection]() -###### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md) -###### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md) -###### [Import/export configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md) - -##### [Network protection](microsoft-defender-atp/enable-network-protection.md) -##### [Controlled folder access](microsoft-defender-atp/enable-controlled-folders.md) - -##### [Attack surface reduction controls]() -###### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md) -###### [Customize attack surface reduction](microsoft-defender-atp/customize-attack-surface-reduction.md) - -##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md) - -#### [Configure next-generation protection]() -##### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md) - -##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) -###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) -###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md) -###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md) -###### [Prevent security settings changes with tamper protection](windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md) -###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md) -###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md) - -##### [Configure behavioral, heuristic, and real-time protection]() -###### [Configuration overview](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md) -###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) -###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) - -##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md) - -##### [Antivirus compatibility]() -###### [Compatibility charts](windows-defender-antivirus/windows-defender-antivirus-compatibility.md) -###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md) - -##### [Deploy, manage updates, and report on antivirus]() -###### [Preparing to deploy](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md) -###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md) -####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md) - -###### [Report on antivirus protection]() -####### [Review protection status and alerts](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md) -####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md) - -###### [Manage updates and apply baselines]() -####### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md) -####### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md) -####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md) -####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md) -####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md) -####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md) - -##### [Customize, initiate, and review the results of scans and remediation]() -###### [Configuration overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md) - -###### [Configure and validate exclusions in antivirus scans]() -####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md) -####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) -####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md) -####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md) - -###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md) -###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md) -###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md) -###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md) -###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md) -###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md) - -##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md) - -##### [Manage antivirus in your business]() -###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md) -###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md) -###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md) -###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md) -###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md) -###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) - -##### [Manage scans and remediation]() -###### [Management overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md) - -###### [Configure and validate exclusions in antivirus scans]() -####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md) -####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) -####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md) -####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md) - -###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md) - -##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md) -###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md) -###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md) -###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md) -###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md) -###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md) -###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md) - -##### [Manage next-generation protection in your business]() -###### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md) -###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md) -###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md) -###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md) -###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md) -###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md) -###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) - -#### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md) -##### [What's New](microsoft-defender-atp/mac-whatsnew.md) -##### [Deploy]() -###### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md) -###### [JAMF-based deployment](microsoft-defender-atp/mac-install-with-jamf.md) -###### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md) -###### [Manual deployment](microsoft-defender-atp/mac-install-manually.md) -##### [Update](microsoft-defender-atp/mac-updates.md) -##### [Configure]() -###### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md) -###### [Set preferences](microsoft-defender-atp/mac-preferences.md) -###### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md) -##### [Troubleshoot]() -###### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md) -###### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md) -###### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md) -###### [Troubleshoot license issues](microsoft-defender-atp/mac-support-license.md) -##### [Privacy](microsoft-defender-atp/mac-privacy.md) -##### [Resources](microsoft-defender-atp/mac-resources.md) - - -#### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md) -##### [Deploy]() -###### [Manual deployment](microsoft-defender-atp/linux-install-manually.md) -###### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md) -###### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md) -##### [Update](microsoft-defender-atp/linux-updates.md) -##### [Configure]() -###### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md) -###### [Set preferences](microsoft-defender-atp/linux-preferences.md) -##### [Resources](microsoft-defender-atp/linux-resources.md) - - -#### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md) - ### [Configure portal settings]() #### [Set up preferences](microsoft-defender-atp/preferences-setup.md) #### [General]() @@ -373,54 +443,10 @@ ### [Configure integration with other Microsoft solutions]() #### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md) #### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md) -#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md) - ## Reference -### [Capabilities]() -#### [Threat & Vulnerability Management]() -##### [Next-generation capabilities](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) -##### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) - -#### [Attack surface reduction]() -##### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md) -##### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md) -##### [Hardware-based isolation]() -###### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md) -###### [Application isolation]() -####### [Application guard overview](windows-defender-application-guard/wd-app-guard-overview.md) -####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md) - -###### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) - -##### [Application control](windows-defender-application-control/windows-defender-application-control.md) -##### [Exploit protection](microsoft-defender-atp/exploit-protection.md) -##### [Network protection](microsoft-defender-atp/network-protection.md) - -##### [Web protection]() -###### [Web protection overview](microsoft-defender-atp/web-protection-overview.md) -###### [Web threat protection]() -####### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md) -####### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md) -####### [Respond to web threats](microsoft-defender-atp/web-protection-response.md) -###### [Web content filtering](microsoft-defender-atp/web-content-filtering.md) - -##### [Controlled folder access](microsoft-defender-atp/controlled-folders.md) -##### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md) -##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) - -#### [Next-generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) -##### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md) -##### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md) - - -#### [Endpoint detection and response](microsoft-defender-atp/overview-endpoint-detection-response.md) -##### [Shadow protection](windows-defender-antivirus/shadow-protection.md) - -#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md) - ### [Management and APIs]() #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md) @@ -557,7 +583,7 @@ ##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md) ##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) ##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md) -##### [Configure HP ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md) +##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md) ##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md) ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) ##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md) @@ -591,28 +617,9 @@ ### [Information protection in Windows overview]() #### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md) -#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md) - - -### [Evaluate Microsoft Defender ATP]() -#### [Attack surface reduction and next-generation capability evaluation]() -##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md) -##### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md) -##### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md) -##### [Exploit protection](microsoft-defender-atp/evaluate-exploit-protection.md) -##### [Network Protection](microsoft-defender-atp/evaluate-network-protection.md) -##### [Controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md) -##### [Attack surface reduction](microsoft-defender-atp/evaluate-attack-surface-reduction.md) -##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) -##### [Evaluate next-generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md) - - ### [Access the Microsoft Defender ATP Community Center](microsoft-defender-atp/community.md) - - - ### [Helpful resources](microsoft-defender-atp/helpful-resources.md) diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md index be304c5715..fcd89c3a81 100644 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md @@ -26,7 +26,6 @@ Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https:// Windows Defender Antivirus is the [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) capability in the [Microsoft Defender ATP Windows 10 security stack](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) that addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign). That's because Windows Defender Antivirus and other [endpoint protection platform (EPP)](https://www.microsoft.com/security/blog/2019/08/23/gartner-names-microsoft-a-leader-in-2019-endpoint-protection-platforms-magic-quadrant/) capabilities in Microsoft Defender ATP detect and stops malware at first sight with [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak), behavioral analysis, and other advanced technologies.

      -![String of images showing scores](./images/Transparency-report-November1.png) **Download the latest transparency report: [Examining industry test results, November 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)** @@ -54,7 +53,7 @@ The AV-TEST Product Review and Certification Report tests on three categories: p - September — October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD) -### AV-Comparatives: Protection rating of 99.9% in the latest test +### AV-Comparatives: Protection rating of 99.6% in the latest test Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance. diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md index 8d2f79fd76..7dfd283a11 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md @@ -11,7 +11,6 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 10/15/2018 ms.reviewer: manager: dansimp ms.custom: asr diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 828455927c..f1b9737820 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -101,7 +101,7 @@ The following sections describe each of the 15 attack surface reduction rules. T [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported -[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Not supported +[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported [Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported [Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported [Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported @@ -273,9 +273,6 @@ GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 This rule blocks processes created through [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) and [WMI](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network. -> [!IMPORTANT] -> File and folder exclusions do not apply to this attack surface reduction rule. - > [!WARNING] > Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md index d40085138f..06bd8455af 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md @@ -25,7 +25,7 @@ ms.topic: conceptual >[!NOTE] > Secure score is now part of Threat & Vulnerability Management as Configuration score. -Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects the collective security configuration state of your machines across the following categories: +Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your machines across the following categories: - Application - Operating system @@ -33,7 +33,7 @@ Your Configuration score is visible in the [Threat & Vulnerability Management da - Accounts - Security controls -A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks. +Select a category to go to the [**Security recommendations**](tvm-security-recommendation.md) page and view the relevant recommendations. ## How it works @@ -43,35 +43,31 @@ A higher configuration score means your endpoints are more resilient from cybers The data in the configuration score card is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously: - Compare collected configurations to the collected benchmarks to discover misconfigured assets -- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration +- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) - Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams) - Collect and monitor changes of security control configuration state from all assets -From the widget, you'd be able to see which security aspect requires attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can act on them based on security benchmarks. - ## Improve your security configuration -You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities. +You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your Configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities. -1. From the Configuration score card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md), select **Security controls**. The [**Security recommendations**](tvm-security-recommendation.md) page opens to shows the list of recommendations related to security controls. +1. From the Configuration score card in the Threat & Vulnerability Management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field. 2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**. ![Security controls related security recommendations](images/tvm_security_controls.png) -3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up. +3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up. - >![Request remediation](images/tvm_request_remediation.png). - - You will see a confirmation message that the remediation task has been created. +4. **Submit request**. You will see a confirmation message that the remediation task has been created. >![Remediation task creation confirmation](images/tvm_remediation_task_created.png) -4. Save your CSV file. +5. Save your CSV file. ![Save csv file](images/tvm_save_csv_file.png) -5. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system. +6. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system. -6. Review the machine **Configuration score** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase. +7. Review the **Configuration score** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase. >[!IMPORTANT] >To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network: @@ -86,17 +82,14 @@ You can improve your security configuration when you remediate issues from the s ## Related topics +- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Security recommendations](tvm-security-recommendation.md) - [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) +- [APIs](threat-and-vuln-mgt-scenarios.md#apis) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) -- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score) -- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) -- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) -- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index 0b7d271c77..70890b48ee 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md @@ -1,7 +1,7 @@ --- -title: Configure HP ArcSight to pull Microsoft Defender ATP detections -description: Configure HP ArcSight to receive and pull detections from Microsoft Defender Security Center -keywords: configure hp arcsight, security information and events management tools, arcsight +title: Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections +description: Configure Micro Focus ArcSight to receive and pull detections from Microsoft Defender Security Center +keywords: configure Micro Focus ArcSight, security information and events management tools, arcsight search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Configure HP ArcSight to pull Microsoft Defender ATP detections +# Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections **Applies to:** @@ -28,14 +28,15 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) -You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP detections. +You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Microsoft Defender ATP detections. >[!Note] >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ## Before you begin -Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application. + +Configuring the Micro Focus ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application. This section guides you in getting the necessary information to set and use the required configuration files correctly. @@ -50,7 +51,7 @@ This section guides you in getting the necessary information to set and use the - WDATP-connector.properties - WDATP-connector.jsonparser.properties - You would have saved a .zip file which contains these two files when you chose HP ArcSight as the SIEM type you use in your organization. + You would have saved a .zip file which contains these two files when you chose Micro Focus ArcSight as the SIEM type you use in your organization. - Make sure you generate the following tokens and have them ready: - Access token @@ -58,7 +59,8 @@ This section guides you in getting the necessary information to set and use the You can generate these tokens from the **SIEM integration** setup section of the portal. -## Install and configure HP ArcSight FlexConnector +## Install and configure Micro Focus ArcSight FlexConnector + The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). 1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.

      You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location. @@ -79,8 +81,9 @@ The following steps assume that you have completed all the required steps in [Be - WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\ - NOTE: - You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool. + > [!NOTE] + > + > You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool. 4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**. @@ -114,30 +117,36 @@ The following steps assume that you have completed all the required steps in [Be -
      7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.

      - If the redirect_uri is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.

      If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate. +
      + +7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate. -7. Continue with the connector setup by returning to the HP ArcSight Connector Setup window. + If the redirect_uri is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https. + + If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate. -8. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**. +8. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window. -9. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**. +9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**. -10. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**. +10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**. -11. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported. +11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**. -12. Verify that the details in the **Add connector Summary** window is correct, then click **Next**. +12. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported. -13. Select **Install as a service** and click **Next**. +13. Verify that the details in the **Add connector Summary** window is correct, then click **Next**. -14. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**. +14. Select **Install as a service** and click **Next**. -15. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**. +15. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**. -16. Finish the installation by selecting **Exit** and **Next**. +16. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**. + +17. Finish the installation by selecting **Exit** and **Next**. + +## Install and configure the Micro Focus ArcSight console -## Install and configure the HP ArcSight console 1. Follow the installation wizard through the following tasks: - Introduction - License Agreement @@ -158,18 +167,19 @@ The following steps assume that you have completed all the required steps in [Be 7. Click **Done** to quit the installer. -8. Login to the HP ArcSight console. +8. Login to the Micro Focus ArcSight console. 9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**. 10. Set **Device Product = Microsoft Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST. -You can now run queries in the HP ArcSight console. +You can now run queries in the Micro Focus ArcSight console. Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. -## Troubleshooting HP ArcSight connection +## Troubleshooting Micro Focus ArcSight connection + **Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`. **Symptom:** You get the following error message: @@ -177,7 +187,9 @@ Microsoft Defender ATP detections will appear as discrete events, with "Microsof `Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token` **Solution:** + 1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?". + 2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value: `reauthenticate=true`. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index f810639c75..66efa55144 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -38,8 +38,8 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe - Transparent proxy - Web Proxy Auto-discovery Protocol (WPAD) -> [!NOTE] -> If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). + > [!NOTE] + > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). - Manual static proxy configuration: - Registry based configuration @@ -102,7 +102,8 @@ See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/ ## Enable access to Microsoft Defender ATP service URLs in the proxy server -If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443: +If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed below to the allowed domains list. +If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning. > [!NOTE] > settings-win.data.microsoft.com is only needed if you have Windows 10 machines running version 1803 or earlier.
      @@ -120,6 +121,16 @@ United States | ```us.vortex-win.data.microsoft.com```
      ```ussus1eastprod.bl If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. +### Log analytics agent requirements + +The information below list the proxy and firewall configuration information required to communicate with Log Analytics agent (often referred to as Microsoft Monitoring Agent) for the previous versions of Windows such as Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016. + +|Agent Resource|Ports |Direction |Bypass HTTPS inspection| +|------|---------|--------|--------| +|*.ods.opinsights.azure.com |Port 443 |Outbound|Yes | +|*.oms.opinsights.azure.com |Port 443 |Outbound|Yes | +|*.blob.core.windows.net |Port 443 |Outbound|Yes | + ## Microsoft Defender ATP service backend IP range If your network devices don't support the URLs added to an "allow" list in the prior section, you can use the following information. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 75e7f8f006..371aa16ecd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -25,7 +25,7 @@ ms.topic: article - Windows Server 2012 R2 - Windows Server 2016 - Windows Server, version 1803 -- Windows Server, 2019 +- Windows Server, 2019 and later - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink) @@ -38,7 +38,7 @@ The service supports the onboarding of the following servers: - Windows Server 2012 R2 - Windows Server 2016 - Windows Server, version 1803 -- Windows Server 2019 +- Windows Server 2019 and later For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). @@ -113,7 +113,7 @@ The following steps are required to enable this integration: On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). -3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings). +3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md). Once completed, you should see onboarded servers in the portal within an hour. @@ -153,11 +153,13 @@ Support for Windows Server, version 1803 and Windows 2019 provides deeper insigh b. Run the following PowerShell command to verify that the passive mode was configured: - ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}``` + ```PowerShell + Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84} + ``` c. Confirm that a recent event containing the passive mode event is found: - ![Image of passive mode verification result](images/atp-verify-passive-mode.png) + ![Image of passive mode verification result](images/atp-verify-passive-mode.png) 3. Run the following command to check if Windows Defender AV is installed: @@ -172,8 +174,8 @@ Microsoft Defender ATP integrates with Azure Security Center to provide a compre The following capabilities are included in this integration: - Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). -> [!NOTE] -> Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. + > [!NOTE] + > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. - Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console. - Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-confirm.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-confirm.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-device-collection.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-device-collection.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-policy.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-policy.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-criteria.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-criteria.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-device-collections.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-device-collections.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-direct-membership.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-direct-membership.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-limiting-collection.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-limiting-collection.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-membership-rules.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-membership-rules.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-policy-name.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-policy-name.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-query-rule.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-query-rule.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-1.png new file mode 100644 index 0000000000..1e1e039268 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-10.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-10.png new file mode 100644 index 0000000000..a03e0732c7 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-10.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-11.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-11.png new file mode 100644 index 0000000000..5d1d428e9c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-11.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-12.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-12.png new file mode 100644 index 0000000000..ba0576849e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-12.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-13.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-13.png new file mode 100644 index 0000000000..4854fa9f2f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-13.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-14.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-14.png new file mode 100644 index 0000000000..3f1eb5d2b1 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-14.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-15.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-15.png new file mode 100644 index 0000000000..9a4fbebf8a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-15.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-16.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-16.png new file mode 100644 index 0000000000..7928a984a4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-16.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-17.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-17.png new file mode 100644 index 0000000000..1c81f3d4f0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-17.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-18.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-18.png new file mode 100644 index 0000000000..86de17e266 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-18.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-19.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-19.png new file mode 100644 index 0000000000..eb8b56ee9b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-19.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-2.png new file mode 100644 index 0000000000..6754cafb4a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-20.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-20.png new file mode 100644 index 0000000000..da1c678a78 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-20.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-21.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-21.png new file mode 100644 index 0000000000..b1c10100a8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-21.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-22.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-22.png new file mode 100644 index 0000000000..4e584cf8ff Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-22.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-23.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-23.png new file mode 100644 index 0000000000..409a17bd31 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-23.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-24.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-24.png new file mode 100644 index 0000000000..eff967231f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-24.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-25.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-25.png new file mode 100644 index 0000000000..633bdd07fc Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-25.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-26.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-26.png new file mode 100644 index 0000000000..4fa5bcefbd Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-26.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-27.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-27.png new file mode 100644 index 0000000000..57475dbc33 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-27.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-28.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-28.png new file mode 100644 index 0000000000..8049e9ff17 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-28.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-29.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-29.png new file mode 100644 index 0000000000..b66bf94eed Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-29.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-3.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-3.png new file mode 100644 index 0000000000..ac9b6fdbe0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-3.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-30.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-30.png new file mode 100644 index 0000000000..34013530b7 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-30.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-4.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-4.png new file mode 100644 index 0000000000..ec02855c2e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-4.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-5.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-5.png new file mode 100644 index 0000000000..3ca2697396 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-5.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-6.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-6.png new file mode 100644 index 0000000000..bae2cefcb1 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-6.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-7.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-7.png new file mode 100644 index 0000000000..6b88d7c627 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-7.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-8.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-8.png new file mode 100644 index 0000000000..7d6da4c656 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-8.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-9.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-9.png new file mode 100644 index 0000000000..73d85b26ad Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-9.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/msdefender-mac-config-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/msdefender-mac-config-profile.png new file mode 100644 index 0000000000..9106d38d7e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/msdefender-mac-config-profile.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/remediation_swupdatefilter.png b/windows/security/threat-protection/microsoft-defender-atp/images/remediation_swupdatefilter.png deleted file mode 100644 index a0f5f3e295..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/remediation_swupdatefilter.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png new file mode 100644 index 0000000000..c7c9c0b861 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png new file mode 100644 index 0000000000..48af27eb1f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout.png new file mode 100644 index 0000000000..a066310eae Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png new file mode 100644 index 0000000000..5a7ce86cbd Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png new file mode 100644 index 0000000000..d8b73ba265 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png deleted file mode 100644 index cf9f274980..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png deleted file mode 100644 index 9af2ad6945..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png deleted file mode 100644 index ec4fa8bc44..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md deleted file mode 100644 index eb0adb5890..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md +++ /dev/null @@ -1,95 +0,0 @@ ---- -title: Configure information protection in Windows -ms.reviewer: -description: Learn how to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin. -keywords: information, protection, data, loss, prevention, wip, policy, scc, compliance, labels, dlp -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Configure information protection in Windows - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](../../includes/prerelease.md)] - -Learn how you can use Microsoft Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin. - ->[!TIP] -> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/). - -If a file meets the criteria set in the policy settings and endpoint data loss prevention setting is also configured, WIP will be enabled for that file. - - - -## Prerequisites -- Endpoints need to be on Windows 10, version 1809 or later -- You need the appropriate license to use the Microsoft Defender ATP and Azure Information Protection integration -- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information, see [Configure a Log Analytics workspace for the reports](https://docs.microsoft.com/azure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports) - - -## Configure endpoint data loss prevention -Complete the following steps so that Microsoft Defender ATP can automatically identify labeled documents stored on the device and enable WIP on them. - ->[!NOTE] ->- The Microsoft Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy. ->- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data. - -1. Define a WIP policy and assign it to the relevant devices. For more information, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). If WIP is already configured on the relevant devices, skip this step. -2. Define which labels need to get WIP protection in Office 365 Security and Compliance. - - 1. Go to: **Classifications > Labels**. - 2. Create a label or edit an existing one. - 3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP. - - ![Image of Office 365 Security and Compliance sensitivity label](images/endpoint-data-loss-protection.png) - - 4. Repeat for every label that you want to get WIP applied to in Windows. - - - - -## Configure auto labeling - -Windows automatically detects when an Office file, CSV, or TXT files are being created on a device and inspects it based on context to identify sensitive information types. - -Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled. The file is protected with Endpoint data loss prevention. - ->[!NOTE] -> Auto-labeling requires Windows 10, version 1903. - - -1. In Office 365 Security & Compliance, go to **Classifications > Labels**. - -2. Create a new label or edit an existing one. - - -3. Set a policy for Data classification: - - 1. Go through the label creation wizard. - 2. When you reach the Auto labeling page, turn on auto labeling toggle on. - 3. Add a new auto-labeling rule with the conditions that you require. - - ![Image of auto labeling in Office 365 Security and Compliance center](images/auto-labeling.png) - - 4. Validate that "When content matches these conditions" setting is set to "Automatically apply the label". - - - - - - -## Related topic -- [Information protection in Windows overview](information-protection-in-windows-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md index 800351a160..34cb228572 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md @@ -27,7 +27,6 @@ ms.topic: conceptual Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. -Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite. >[!TIP] > Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/). @@ -95,36 +94,6 @@ InformationProtectionLogs_CL - Enable Azure Information Protection integration in Microsoft Defender Security Center: - Go to **Settings** in Microsoft Defender Security Center, click on **Advanced Settings** under **General**. -## Data protection - -### Endpoint data loss prevention - -For data to be protected, they must first be identified through labels. - -Sensitivity labels are created in Office 365 Security & Compliance Center. Microsoft Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them. - -When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Microsoft Defender ATP is the Endpoint data loss prevention. - -For the endpoint data loss prevention, you'll need to turn on the Endpoint Data loss prevention and select Enable Windows end point protection (DLP for devices). - -![Image of Office 365 Security and Compliance sensitivity label](images/office-scc-label.png) - -Once, the policy is set and published, Microsoft Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Microsoft Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy. - -This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin. - -For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md). - -## Auto labeling - -Auto labeling is another way to protect data and can also be configured in Office 365 Security & Compliance Center. Windows automatically detects when an Office file, PDF, CSV or TXT files are being created on a device and inspects it based on context to identify sensitive information types. - -Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled; the file is protected with Endpoint data loss prevention. - -> [!NOTE] -> Auto-labeling is supported in Office apps only when the Azure Information Protection unified labeling client is installed. When sensitive content is detected in email or documents matching the conditions you choose, a label can automatically be applied or a message can be shown to users recommending they apply it themselves. - -For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md). ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md new file mode 100644 index 0000000000..ef0797f456 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md @@ -0,0 +1,118 @@ +--- +title: Configure and validate exclusions for Microsoft Defender ATP for Linux +description: Provide and validate exclusions for Microsoft Defender ATP for Linux. Exclusions can be set for files, folders, and processes. +keywords: microsoft, defender, atp, linux, exclusions, scans, antivirus +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Configure and validate exclusions for Microsoft Defender ATP for Linux + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) + +This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring. + +> [!IMPORTANT] +> The exclusions described in this article don't apply to other Microsoft Defender ATP for Linux capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. + +You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Linux scans. + +Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Linux. + +> [!WARNING] +> Defining exclusions lowers the protection offered by Microsoft Defender ATP for Linux. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. + +## Supported exclusion types + +The follow table shows the exclusion types supported by Microsoft Defender ATP for Linux. + +Exclusion | Definition | Examples +---|---|--- +File extension | All files with the extension, anywhere on the machine | `.test` +File | A specific file identified by the full path | `/var/log/test.log`
      `/var/log/*.log`
      `/var/log/install.?.log` +Folder | All files under the specified folder | `/var/log/`
      `/var/*/` +Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
      `cat`
      `c?t` + +File, folder, and process exclusions support the following wildcards: + +Wildcard | Description | Example | Matches +---|---|---|--- +\* | Matches any number of any characters including none | `/var/\*/\*.log` | `/var/log/system.log` +? | Matches any single character | `file?.log` | `file1.log`
      `file2.log` + +## How to configure the list of exclusions + +### From the management console + +For more information on how to configure exclusions from Puppet, Ansible, or another management console, see [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md). + +### From the command line + +Run the following command to see the available switches for managing exclusions: + +```bash +$ mdatp --exclusion +``` + +Examples: + +- Add an exclusion for a file extension: + + ```bash + $ mdatp --exclusion --add-extension .txt + Configuration updated successfully + ``` + +- Add an exclusion for a file: + + ```bash + $ mdatp --exclusion --add-folder /var/log/dummy.log + Configuration updated successfully + ``` + +- Add an exclusion for a folder: + + ```bash + $ mdatp --exclusion --add-folder /var/log/ + Configuration updated successfully + ``` + +- Add an exclusion for a process: + + ```bash + $ mdatp --exclusion --add-process cat + Configuration updated successfully + ``` + +## Validate exclusions lists with the EICAR test file + +You can validate that your exclusion lists are working by using `curl` to download a test file. + +In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path. + +```bash +$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt +``` + +If Microsoft Defender ATP for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html). + +If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command: + +```bash +echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt +``` + +You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 1ea46c138a..5d6395cdf9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -43,6 +43,9 @@ The choice of the channel determines the type and frequency of updates that are In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*. +> [!WARNING] +> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location. + ### RHEL and variants (CentOS and Oracle Linux) - Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`. @@ -201,15 +204,19 @@ Download the onboarding package from Microsoft Defender Security Center: 4. From a command prompt, verify that you have the file. Extract the contents of the archive: - ```bash - ls -l - total 8 - -rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip +```bash +ls -l +``` - unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: WindowsDefenderATPOnboarding.py - ``` +`total 8` +`-rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip` + +```bash +unzip WindowsDefenderATPOnboardingPackage.zip +``` + +`Archive: WindowsDefenderATPOnboardingPackage.zip` +`inflating: WindowsDefenderATPOnboarding.py` ## Client configuration @@ -231,14 +238,12 @@ Download the onboarding package from Microsoft Defender Security Center: ```bash mdatp --health orgId - [your organization identifier] ``` 4. A few minutes after you complete the installation, you can see the status by running the following command. A return value of `1` denotes that the product is functioning as expected: ```bash mdatp --health healthy - 1 ``` > [!IMPORTANT] @@ -248,22 +253,21 @@ Download the onboarding package from Microsoft Defender Security Center: - Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command): - ```bash - mdatp --health realTimeProtectionEnabled - 1 - ``` + ```bash + mdatp --health realTimeProtectionEnabled + ``` - Open a Terminal window. Copy and execute the following command: - ``` bash - curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt - ``` + ``` bash + curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt + ``` - The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command to list all the detected threats: - ```bash - mdatp --threat --list --pretty - ``` + ```bash + mdatp --threat --list --pretty + ``` ## Log installation issues diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index 373d409cfd..d097245cf8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md @@ -139,6 +139,9 @@ Create subtask or role files that contribute to an actual task. First create the In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*. + > [!WARNING] + > Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location. + Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`. In the following commands, replace *[distro]* and *[version]* with the information you've identified. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 89133920ec..92c721fedf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -1,6 +1,6 @@ --- title: Deploy Microsoft Defender ATP for Linux with Puppet -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for Linux using Puppet. keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh @@ -14,7 +14,7 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual --- @@ -48,7 +48,7 @@ Download the onboarding package from Microsoft Defender Security Center: ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png) 4. From a command prompt, verify that you have the file. Extract the contents of the archive: - + ```bash $ ls -l total 8 @@ -60,7 +60,7 @@ Download the onboarding package from Microsoft Defender Security Center: ## Create a Puppet manifest -You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* module available from puppetlabs, and assumes that the apt module has been installed on your Puppet server. +You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server. Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions: @@ -84,46 +84,74 @@ The choice of the channel determines the type and frequency of updates that are In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*. +> [!WARNING] +> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location. + Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`. In the below commands, replace *[distro]* and *[version]* with the information you've identified: > [!NOTE] -> In case of Oracle Linux, replace *[distro]* with “rhel”. +> In case of RedHat, Oracle EL, and CentOS 8, replace *[distro]* with 'rhel'. ```puppet -class install_mdatp { +# Puppet manifest to install Microsoft Defender ATP. +# @param channel The release channel based on your environment, insider-fast or prod. +# @param distro The Linux distribution in lowercase. In case of RedHat, Oracle EL, and CentOS 8, the distro variable should be 'rhel'. +# @param version The Linux distribution release number, e.g. 7.4. - if ($osfamily == 'Debian') { - apt::source { 'microsoftpackages' : - location => 'https://packages.microsoft.com/[distro]/[version]/prod', # change the version and distro based on your OS - release => '[channel]', - repos => 'main', - key => { - 'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF', - 'server' => 'https://packages.microsoft.com/keys/microsoft.asc', - }, +class install_mdatp ( +$channel = 'insiders-fast', +$distro = undef, +$version = undef +){ + case $::osfamily { + 'Debian' : { + apt::source { 'microsoftpackages' : + location => "https://packages.microsoft.com/${distro}/${version}/prod", + release => $channel, + repos => 'main', + key => { + 'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF', + 'server' => 'keyserver.ubuntu.com', + }, + } } - } - else { - yumrepo { 'microsoftpackages' : - baseurl => 'https://packages.microsoft.com/[distro]/[version]/[channel]', # change the version and distro based on your OS - enabled => 1, - gpgcheck => 1, - gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc' + 'RedHat' : { + yumrepo { 'microsoftpackages' : + baseurl => "https://packages.microsoft.com/${distro}/${version}/${channel}", + descr => "packages-microsoft-com-prod-${channel}", + enabled => 1, + gpgcheck => 1, + gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc' + } } + default : { fail("${::osfamily} is currently not supported.") } } - package { 'mdatp': - ensure => 'installed', - } + case $::osfamily { + /(Debian|RedHat)/: { + file { ['/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']: + ensure => directory, + owner => root, + group => root, + mode => '0755' + } - file { ['/etc', '/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']: - ensure => directory, - } - file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json': - mode => "0644", - source => 'puppet:///modules/install_mdatp/mdatp_onboard.json', + file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json': + source => 'puppet:///modules/mdatp/mdatp_onboard.json', + owner => root, + group => root, + mode => '0600', + require => File['/etc/opt/microsoft/mdatp'] + } + + package { 'mdatp': + ensure => 'installed', + require => File['/etc/opt/microsoft/mdatp/mdatp_onboard.json'] + } + } + default : { fail("${::osfamily} is currently not supported.") } } } ``` @@ -162,7 +190,7 @@ orgId : "[your organization identifier]" You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status: ```bash -$ mdatp --health healthy +mdatp --health healthy ``` The above command prints `1` if the product is onboarded and functioning as expected. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md index c2505dae33..0ac647a0b9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md @@ -18,7 +18,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Configuring Microsoft Defender ATP for static proxy discovery +# Configure Microsoft Defender ATP for Linux for static proxy discovery **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md new file mode 100644 index 0000000000..308e1695b1 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md @@ -0,0 +1,91 @@ +--- +title: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux +ms.reviewer: +description: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux +keywords: microsoft, defender, atp, linux, cloud, connectivity, communication +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) + +## Run the connectivity test + +To test if Microsoft Defender ATP for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line: + +```bash +$ mdatp --connectivity-test +``` + +If the connectivity test fails, check if the machine has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall. + +## Troubleshooting steps for environments without proxy or with transparent proxy + +To test that a connection is not blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal: + +```bash +curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping' +``` + +The output from this command should be similar to: + +``` +OK https://x.cp.wd.microsoft.com/api/report +OK https://cdn.x.cp.wd.microsoft.com/ping +``` + +## Troubleshooting steps for environments with static proxy + +> [!WARNING] +> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used. +> +> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception. + +If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port: + +```bash +$ curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping' +``` + +Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file. Check your proxy configuration if there are errors from the above commands. + +To use a static proxy, the `mdatp.service` file must be modified. Ensure the leading `#` is removed to uncomment the following line from `/lib/systemd/system/mdatp.service`: + +```bash +#Environment="HTTPS_PROXY=http://address:port" +``` + +Also ensure that the correct static proxy address is filled in to replace `address:port`. + +If this file is correct, try running the following command in the terminal to reload Microsoft Defender ATP for Linux and propagate the setting: + +```bash +$ sudo systemctl daemon-reload; sudo systemctl restart mdatp +``` + +Upon success, attempt another connectivity test from the command line: + +```bash +$ mdatp --connectivity-test +``` + +If the problem persists, contact customer support. + +## Resources + +- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender ATP for static proxy discovery](linux-static-proxy-configuration.md). \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md new file mode 100644 index 0000000000..0982c630fa --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md @@ -0,0 +1,121 @@ +--- +title: Troubleshoot installation issues for Microsoft Defender ATP for Linux +ms.reviewer: +description: Troubleshoot installation issues for Microsoft Defender ATP for Linux +keywords: microsoft, defender, atp, linux, installation +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Troubleshoot installation issues for Microsoft Defender ATP for Linux + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) + +## Verify if installation succeeded + +An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, one can obtain and check the installation logs using: +```bash +$ sudo journalctl | grep 'microsoft-mdatp' > installation.log +$ grep 'postinstall end' installation.log + +microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216 +``` +An output from the previous command with correct date and time of installation indicates success. + +Also check the [Client configuration](linux-install-manually.md#client-configuration) to verify the health of the product and detect the EICAR text file. + +## Installation failed + +Check if the mdatp service is running +```bash +$ systemctl status mdatp + +● mdatp.service - Microsoft Defender ATP + Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled) + Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago + Main PID: 1966 (wdavdaemon) + Tasks: 105 (limit: 4915) + CGroup: /system.slice/mdatp.service + ├─1966 /opt/microsoft/mdatp/sbin/wdavdaemon + ├─1967 /opt/microsoft/mdatp/sbin/wdavdaemon + └─1968 /opt/microsoft/mdatp/sbin/wdavdaemon +``` + +## Steps to troubleshoot if mdatp service isn't running + +1. Check if “mdatp” user exists: +```bash +$ id “mdatp” +``` +If there’s no output, run +```bash +$ sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp +``` + +2. Try enabling and restarting the service using: +```bash +$ sudo systemctl enable mdatp +$ sudo systemctl restart mdatp +``` + +3. If mdatp.service isn't found upon running the previous command, run +```bash +$ sudo cp /opt/microsoft/mdatp/conf/mdatp.service + +where is +/lib/systemd/system for Ubuntu and Debian distributions +/usr/lib/systemd/system for Rhel, CentOS, Oracle and SLES +``` +and then rerun step 2. + +4. If the above steps don’t work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details. +Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot. + +5. Ensure that the daemon has executable permission. +```bash +$ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon + +-rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon +``` +If the daemon doesn't have executable permissions, make it executable using: +```bash +$ sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon +``` +and retry running step 2. + +6. Ensure that the file system containing wdavdaemon isn't mounted with “noexec”. + +## If mdatp service is running, but EICAR text file detection doesn't work + +1. Check the file system type using: +```bash +$ findmnt -T +``` +Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned. + +## Command-line tool “mdatp” isn't working + +1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command: +```bash +$ sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp +``` +and try again. + +If none of the above steps help, collect the diagnostic logs: +```bash +$ sudo mdatp --diagnostic --create +``` +Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md new file mode 100644 index 0000000000..55da60a602 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -0,0 +1,82 @@ +--- +title: Troubleshoot performance issues for Microsoft Defender ATP for Linux +description: Troubleshoot performance issues in Microsoft Defender ATP for Linux. +keywords: microsoft, defender, atp, linux, performance +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Troubleshoot performance issues for Microsoft Defender ATP for Linux + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) + +This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux. + +Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics. + +Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Linux. + +The following steps can be used to troubleshoot and mitigate these issues: + +1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender ATP for Linux is contributing to the performance issues. + + If your device is not managed by your organization, real-time protection can be disabled from the command line: + + ```bash + $ mdatp --config realTimeProtectionEnabled false + ``` + + If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md). + +2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Microsoft Defender ATP for Linux. + + > [!NOTE] + > This feature is available in version 100.90.70 or newer. + + This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line: + + ```bash + $ mdatp config real_time_protection_statistics_enabled on + ``` + + This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command: + + ```bash + $ mdatp health + ``` + + Verify that the `real_time_protection_enabled` entry is `true`. Otherwise, run the following command to enable it: + + ```bash + $ mdatp --config realTimeProtectionEnabled true + ``` + + To collect current statistics, run: + + ```bash + $ mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file + ``` + + The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). + + > [!NOTE] + > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. + +3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers. + +4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. + + See [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md) for details. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md new file mode 100644 index 0000000000..9ebc453a7a --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md @@ -0,0 +1,27 @@ +--- +title: What's new in Microsoft Defender Advanced Threat Protection for Linux +description: List of major changes for Microsoft Defender ATP for Linux. +keywords: microsoft, defender, atp, linux, whatsnew, release +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: security +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# What's new in Microsoft Defender Advanced Threat Protection for Linux + +## 100.90.70 + +- Antivirus [exclusions now support wildcards](linux-exclusions.md#supported-exclusion-types) +- Added the ability to [troubleshoot performance issues](linux-support-perf.md) through the `mdatp` command-line tool +- Improvements to make the package installation more robust +- Performance improvements & bug fixes diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 80231ef03d..aa9058cedb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -1,6 +1,6 @@ --- title: Investigate entities on machines using live response in Microsoft Defender ATP -description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real-time. +description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real time. keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file, search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,29 +17,42 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Investigate entities on machines using live response +# Investigate entities on devices using live response **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time. +Live response is a capability that gives your security operations team instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats –- in real time. -Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats. +Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats. -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUW] +> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4qLUW] -With live response, analysts will have the ability to: -- Run basic and advanced commands to do investigative work +With live response, analysts can do all of the following tasks: +- Run basic and advanced commands to do investigative work on a device - Download files such as malware samples and outcomes of PowerShell scripts -- Upload a PowerShell script or executable to the library and run it on the machine from a tenant level +- Download files in the background (new!) +- Upload a PowerShell script or executable to the library and run it on a device from a tenant level - Take or undo remediation actions - ## Before you begin -Before you can initiate a session on a machine, make sure you fulfill the following requirements: -- Machines must be Windows 10, version 18323 (also known as Windows 10 19H1) or later. +Before you can initiate a session on a device, make sure you fulfill the following requirements: + +- **Verify that you're running a supported version of Windows 10**
      +Devices must be running one of the following versions of Windows 10: + - [1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later + - [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) + - [1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) + - [1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) + - [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) + +- **Make sure to install appropriate security updates**
      + - 1903: [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384) + - 1809 (RS5): [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818) + - 1803 (RS4): [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795) + - 1709 (RS3): [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816) - **Enable live response from the settings page**
      You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page. @@ -52,18 +65,18 @@ You'll need to enable the live response capability in the [Advanced features set >[!WARNING] >Allowing the use of unsigned scripts may increase your exposure to threats. - Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. + Running unsigned scripts is not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. - **Ensure that you have the appropriate permissions**
      - Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md). + Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see [Create and manage roles](user-roles.md). > [!IMPORTANT] > The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions. - Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role. + Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permissions are controlled by RBAC custom role. ## Live response dashboard overview -When you initiate a live response session on a machine, a dashboard opens. The dashboard provides information about the session such as: +When you initiate a live response session on a device, a dashboard opens. The dashboard provides information about the session such as the following: - Who created the session - When the session started @@ -79,81 +92,109 @@ The dashboard also gives you access to: ## Initiate a live response session on a machine 1. Log in to Microsoft Defender Security Center. -2. Navigate to the machines list page and select a machine to investigate. The machine page opens. - >[!NOTE] - >Machines must be on Windows 10, version 18323 (also known as Windows 10 19H1) or later. +2. Navigate to the devices list page and select a machine to investigate. The machines page opens. -2. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the machine. -3. Use the built-in commands to do investigative work. For more information see, [Live response commands](#live-response-commands). -4. After completing your investigation, select **Disconnect session**, then select **Confirm**. +3. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the device. +4. Use the built-in commands to do investigative work. For more information, see [Live response commands](#live-response-commands). +5. After completing your investigation, select **Disconnect session**, then select **Confirm**. ## Live response commands -Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments see, [Create and manage roles](user-roles.md). + +Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments, see [Create and manage roles](user-roles.md). ### Basic commands -The following commands are available for user roles that's been granted the ability to run **basic** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md). -Command | Description -:---|:---|:--- -cd | Changes the current directory. -cls | Clears the console screen. -connect | Initiates a live response session to the machine. -connections | Shows all the active connections. -dir | Shows a list of files and subdirectories in a directory -drivers | Shows all drivers installed on the machine. -fileinfo | Get information about a file. -findfile | Locates files by a given name on the machine. -help | Provides help information for live response commands. -persistence | Shows all known persistence methods on the machine. -processes | Shows all processes running on the machine. -registry | Shows registry values. -scheduledtasks| Shows all scheduled tasks on the machine. -services | Shows all services on the machine. -trace | Sets the terminal's logging mode to debug. +The following commands are available for user roles that are granted the ability to run **basic** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md). +| Command | Description | +|---|---|--- | +|`cd` | Changes the current directory. | +|`cls` | Clears the console screen. | +|`connect` | Initiates a live response session to the device. | +|`connections` | Shows all the active connections. | +|`dir` | Shows a list of files and subdirectories in a directory. | +|`download &` | Downloads a file in the background. | +drivers | Shows all drivers installed on the device. | +|`fg ` | Returns a file download to the foreground. | +|`fileinfo` | Get information about a file. | +|`findfile` | Locates files by a given name on the device. | +|`help` | Provides help information for live response commands. | +|`persistence` | Shows all known persistence methods on the device. | +|`processes` | Shows all processes running on the device. | +|`registry` | Shows registry values. | +|`scheduledtasks` | Shows all scheduled tasks on the device. | +|`services` | Shows all services on the device. | +|`trace` | Sets the terminal's logging mode to debug. | ### Advanced commands -The following commands are available for user roles that's been granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md). +The following commands are available for user roles that are granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md). -Command | Description -:---|:--- -analyze | Analyses the entity with various incrimination engines to reach a verdict. -getfile | Gets a file from the machine.
      NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command. -run | Runs a PowerShell script from the library on the machine. -library | Lists files that were uploaded to the live response library. -putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default. -remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:
      - File: delete
      - Process: stop, delete image file
      - Service: stop, delete image file
      - Registry entry: delete
      - Scheduled task: remove
      - Startup folder item: delete file
      NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command. -undo | Restores an entity that was remediated. +| Command | Description | +|---|---| +| `analyze` | Analyses the entity with various incrimination engines to reach a verdict. | +| `getfile` | Gets a file from the device.
      NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command. | +| `run` | Runs a PowerShell script from the library on the device. | +| `library` | Lists files that were uploaded to the live response library. | +| `putfile` | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. | +| `remediate` | Remediates an entity on the device. The remediation action will vary depending on the entity type:
      - File: delete
      - Process: stop, delete image file
      - Service: stop, delete image file
      - Registry entry: delete
      - Scheduled task: remove
      - Startup folder item: delete file
      NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command. +|`undo` | Restores an entity that was remediated. | ## Use live response commands + The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands#BKMK_c). -The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the machine, and take remediation actions on an entity. +The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the device, and take remediation actions on an entity. ### Get a file from the machine -For scenarios when you'd like get a file from a machine you're investigating, you can use the `getfile` command. This allows you to save the file from the machine for further investigation. + +For scenarios when you'd like get a file from a device you're investigating, you can use the `getfile` command. This allows you to save the file from the device for further investigation. >[!NOTE] >There is a file size limit of 750mb. +### Download a file in the background + +To enable your security operations team to continue investigating an impacted device, files can now be downloaded in the background. + +- To download a file in the background, in the live response command console, type `download &` +- If you are waiting for a file to be downloaded, you can move it to the background by using Ctrl + Z. +- To bring a file download to the foreground, in the live response command console, type `fg ` + +Here are some examples: + + +|Command |What it does | +|---------|---------| +|`"C:\windows\some_file.exe" &` |Starts downloading a file named *some_file.exe* in the background. | +|`fg 1234` |Returns a download with command ID *1234* to the foreground | + + ### Put a file in the library + Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level. Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them. -You can have a collection of PowerShell scripts that can run on machines that you initiate live response sessions with. +You can have a collection of PowerShell scripts that can run on devices that you initiate live response sessions with. + +#### To upload a file in the library -**To upload a file in the library:** 1. Click **Upload file to library**. + 2. Click **Browse** and select the file. + 3. Provide a brief description. + 4. Specify if you'd like to overwrite a file with the same name. + 5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description. + 6. Click **Confirm**. + 7. (Optional) To verify that the file was uploaded to the library, run the `library` command. @@ -163,9 +204,8 @@ Anytime during a session, you can cancel a command by pressing CTRL + C. >[!WARNING] >Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled. - - ### Automatically run prerequisite commands + Some commands have prerequisite commands to run. If you don't run the prerequisite command, you'll get an error. For example, running the `download` command without `fileinfo` will return an error. You can use the auto flag to automatically run prerequisite commands, for example: @@ -174,8 +214,8 @@ You can use the auto flag to automatically run prerequisite commands, for exampl getfile c:\Users\user\Desktop\work.txt -auto ``` - ## Run a PowerShell script + Before you can run a PowerShell script, you must first upload it to the library. After uploading the script to the library, use the `run` command to run the script. @@ -185,9 +225,8 @@ If you plan to use an unsigned script in the session, you'll need to enable the >[!WARNING] >Allowing the use of unsigned scripts may increase your exposure to threats. - - ## Apply command parameters + - View the console help to learn about command parameters. To learn about an individual command, run: `help ` @@ -204,9 +243,8 @@ If you plan to use an unsigned script in the session, you'll need to enable the ` -type file -id - auto` or `remediate file - auto`. - - ## Supported output types + Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands: - `-output json` @@ -215,8 +253,8 @@ Live response supports table and JSON format output types. For each command, the >[!NOTE] >Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown. - ## Supported output pipes + Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt. Example: @@ -225,27 +263,24 @@ Example: processes > output.txt ``` - - ## View the command log -Select the **Command log** tab to see the commands used on the machine during a session. + +Select the **Command log** tab to see the commands used on the device during a session. Each command is tracked with full details such as: - ID - Command line - Duration - Status and input or output side bar - - - ## Limitations + - Live response sessions are limited to 10 live response sessions at a time - Large scale command execution is not supported - A user can only initiate one session at a time -- A machine can only be in one session at a time -- There is a file size limit of 750mb when downloading files from a machine +- A device can only be in one session at a time +- There is a file size limit of 750mb when downloading files from a device -## Related topic +## Related article - [Live response command examples](live-response-command-examples.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md index 4a410131e3..7e0983fb5f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md @@ -41,10 +41,10 @@ The follow table shows the exclusion types supported by Microsoft Defender ATP f Exclusion | Definition | Examples ---|---|--- -File extension | All files with the extension, anywhere on the machine | .test -File | A specific file identified by the full path | /var/log/test.log -Folder | All files under the specified folder | /var/log/ -Process | A specific process (specified either by the full path or file name) and all files opened by it | /bin/cat
      cat +File extension | All files with the extension, anywhere on the machine | `.test` +File | A specific file identified by the full path | `/var/log/test.log` +Folder | All files under the specified folder | `/var/log/` +Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
      `cat` ## How to configure the list of exclusions @@ -64,7 +64,7 @@ Select the type of exclusion that you wish to add and follow the prompts. You can validate that your exclusion lists are working by using `curl` to download a test file. -In the following Bash snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the *.testing extension*, replace *test.txt* with *test.testing*. If you are testing a path, ensure that you run the command within that path. +In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path. ```bash $ curl -o test.txt https://www.eicar.org/download/eicar.com.txt @@ -72,7 +72,7 @@ $ curl -o test.txt https://www.eicar.org/download/eicar.com.txt If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html). -If you do not have internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command: +If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command: ```bash echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md index 94bb66756c..2e8c52861f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md @@ -15,6 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.date: 04/03/2020 --- # JAMF-based deployment for Microsoft Defender ATP for Mac @@ -73,17 +74,17 @@ You need to create a configuration profile and a policy to start deploying Micro ### Configuration Profile -The configuration profile contains a custom settings payload that includes: +The configuration profile contains a custom settings payload that includes the following: - Microsoft Defender ATP for Mac onboarding information -- Approved Kernel Extensions payload, to enable running the Microsoft kernel driver +- Approved Kernel Extensions payload to enable running the Microsoft kernel driver -To set the onboarding information, add a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_, as a custom setting. You can do this by navigating to **Computers**>**Configuration Profiles**, selecting **New**, then choosing **Custom Settings**>**Configure**. From there, you can upload the property list. +To set the onboarding information, add a property list file that is named **jamf/WindowsDefenderATPOnboarding.plist** as a custom setting. To do this, select **Computers** > **Configuration Profiles** > **New**, and then select **Application & Custom Settings** > **Configure**. From there, you can upload the property list. >[!IMPORTANT] - > You must set the Preference Domain as "com.microsoft.wdav.atp" + > You have to set the **Preference Domain** to **com.microsoft.wdav.atp**. There are some changes to the Custom Payloads and also to the Jamf Pro user interface in version 10.18 and later versions. For more information about the changes, see [Configuration Profile Payload Settings Specific to Jamf Pro](https://www.jamf.com/jamf-nation/articles/217/configuration-profile-payload-settings-specific-to-jamf-pro). -![Configuration profile screenshot](../windows-defender-antivirus/images/MDATP-16-PreferenceDomain.png) +![Configuration profile screenshot](./images/msdefender-mac-config-profile.png) ### Approved Kernel Extension diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md index 6c5a04ada0..19065efe0b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md @@ -310,17 +310,6 @@ Manage the preferences of the endpoint detection and response (EDR) component of | **Data type** | Dictionary (nested preference) | | **Comments** | See the following sections for a description of the dictionary contents. | -#### Enable / disable early preview - -Specify whether to enable EDR early preview features. - -||| -|:---|:---| -| **Domain** | `com.microsoft.wdav` | -| **Key** | earlyPreview | -| **Data type** | Boolean | -| **Possible values** | true (default)
      false | - #### Device tags Specify a tag name and its value. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index d23525631d..57fde3cc75 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -26,6 +26,13 @@ ms.topic: conceptual > > If you have previously whitelisted the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to whitelist the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to whitelist the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics. +## 100.90.27 + +- You can now [set an update channel](mac-updates.md#set-the-channel-name) for Microsoft Defender ATP for Mac that is different from the system-wide update channel +- New product icon +- Other user experience improvements +- Bug fixes + ## 100.86.92 - Improvements around compatibility with Time Machine diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index ae1856f3eb..ed7b91f290 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md @@ -122,7 +122,7 @@ It's important to understand the following prerequisites prior to creating indic >[!IMPORTANT] > Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. -> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages Network Protection (link) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS):
      +> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:
      > NOTE: >- IP is supported for all three protocols >- Encrypted URLs (full path) can only be blocked on first party browsers diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index 2819fb191f..03f09902ea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -70,6 +70,8 @@ In general you need to take the following steps: - [Deploy using Puppet configuration management tool](linux-install-with-puppet.md) - [Deploy using Ansible configuration management tool](linux-install-with-ansible.md) +If you experience any installation failures, refer to [Troubleshooting installation failures in Microsoft Defender ATP for Linux](linux-support-install.md). + ### System requirements - Supported Linux server distributions and versions: @@ -117,25 +119,12 @@ Microsoft Defender ATP can discover a proxy server by using the following discov If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md). -## Validating cloud connectivity +> [!WARNING] +> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used. +> +> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception. -To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser. - -If you prefer the command line, you can also check the connection by running the following command in Terminal: - -```bash -$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping' -``` - -The output from this command should be similar to the following: - -> `OK https://x.cp.wd.microsoft.com/api/report` -> `OK https://cdn.x.cp.wd.microsoft.com/ping` - -Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal: -```bash -$ mdatp --connectivity-test -``` +For troubleshooting steps, see the [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md) page. ## How to update Microsoft Defender ATP for Linux diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index d5135bbd1c..a22b112426 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -79,11 +79,17 @@ The following table lists the services and their associated URLs that your netwo | United States | unitedstates.x.cp.wd.microsoft.com
      us-v20.events.data.microsoft.com
      ussus1eastprod.blob.core.windows.net 
      ussus1westprod.blob.core.windows.net | Microsoft Defender ATP can discover a proxy server by using the following discovery methods: +- Proxy auto-config (PAC) - Web Proxy Auto-discovery Protocol (WPAD) - Manual static proxy configuration If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. +> [!WARNING] +> Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used. +> +> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Mac to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception. + To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser. If you prefer the command line, you can also check the connection by running the following command in Terminal: diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index 0f48e4e5e4..6b17eb0031 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -96,7 +96,7 @@ Ensure that your machines: ## Related topics - [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Security recommendations](tvm-security-recommendation.md) @@ -104,10 +104,6 @@ Ensure that your machines: - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) -- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score) -- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) -- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) -- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine) -- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) +- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) - [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md index 2e8bae4127..3a1e55ca42 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md @@ -1,5 +1,5 @@ --- -title: Onboard to the Micrsoft Defender ATP service +title: Onboard to the Microsoft Defender ATP service description: keywords: search.product: eADQiWindows 10XVcnh @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Onboard to the Micrsoft Defender ATP service +# Onboard to the Microsoft Defender ATP service **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -34,7 +34,7 @@ Deploying Microsoft Defender ATP is a three-phase process: Setup the Microsoft Defender ATP service -
      Phase 2: Setup
      +
      Phase 2: Set up
      @@ -73,39 +73,39 @@ below to onboard systems with Configuration Manager. 1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-device-collections.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-device-collections.png) 2. Right Click **Device Collection** and select **Create Device Collection**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-create-device-collection.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-device-collection.png) 3. Provide a **Name** and **Limiting Collection**, then select **Next**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-limiting-collection.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-limiting-collection.png) 4. Select **Add Rule** and choose **Query Rule**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-query-rule.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-query-rule.png) 5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-direct-membership.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-direct-membership.png) 6. Select **Criteria** and then choose the star icon. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-criteria.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-criteria.png) 7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-simple-value.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-simple-value.png) 8. Select **Next** and **Close**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-membership-rules.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-membership-rules.png) 9. Select **Next**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-confirm.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-confirm.png) After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. @@ -123,7 +123,7 @@ Manager and deploy that policy to Windows 10 devices. ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-onboarding-wizard.png) -3. Select **Download package**. +3. Select **Download package**. ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-download-package.png) @@ -132,11 +132,11 @@ Manager and deploy that policy to Windows 10 devices. 6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-create-policy.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-policy.png) 7. Enter the name and description, verify **Onboarding** is selected, then select **Next**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-policy-name.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-policy-name.png) 8. Click **Browse**. @@ -184,11 +184,11 @@ Before the systems can be onboarded into the workspace, the deployment scripts n Edit the InstallMMA.cmd with a text editor, such as notepad and update the following lines and save the file: - ![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png) + ![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png) Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file: - ![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png) + ![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png) Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating Systems: @@ -257,15 +257,15 @@ MMA for enrollment into the workspace. 9. Set Run to **Hidden**. -10. Set **Program can run** to **Whether or not a user is logged on**. +10. Set **Program can run** to **Whether or not a user is logged on**. -11. Click **Next**. +11. Click **Next**. -12. Set the **Maximum allowed run time** to 720. +12. Set the **Maximum allowed run time** to 720. -13. Click **Next**. +13. Click **Next**. - ![Image of Microsoft Endpoint Configuration Manager console](images/262a41839704d6da2bbd72ed6b4a826a.png) + ![Image of Microsoft Endpoint Configuration Manager console](images/262a41839704d6da2bbd72ed6b4a826a.png) 14. Verify the configuration, then click **Next**. @@ -275,12 +275,12 @@ MMA for enrollment into the workspace. 16. Click **Close**. -17. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP +17. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP Onboarding Package just created and select **Deploy**. 18. On the right panel select the appropriate collection. -19. Click **OK**. +19. Click **OK**. ## Next generation protection Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. @@ -318,7 +318,7 @@ needs on how Antivirus is configured. ![Image of next generation protection pane](images/3876ca687391bfc0ce215d221c683970.png) -3. Right-click on the newly created antimalware policy and select **Deploy** . +3. Right-click on the newly created antimalware policy and select **Deploy**. ![Image of next generation protection pane](images/f5508317cd8c7870627cb4726acd5f3d.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md index 4c4cf5edcf..261734d68b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md @@ -32,12 +32,10 @@ Inspired by the "assume breach" mindset, Microsoft Defender ATP continuously col The response capabilities give you the power to promptly remediate threats by acting on the affected entities. -## In this section -Topic | Description -:---|:--- -[Security operations dashboard](security-operations-dashboard.md) | Explore a high level overview of detections, highlighting where response actions are needed. -[Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) | View and organize the incidents queue, and manage and investigate alerts. -[Alerts queue](alerts-queue.md) | View and organize the machine alerts queue, and manage and investigate alerts. -[Machines list](machines-view-overview.md) | Investigate machines with generated alerts and search for specific events over time. -[Take response actions](response-actions.md) | Learn about the available response actions and apply them to machines and files. +## Related topics +- [Security operations dashboard](security-operations-dashboard.md) +- [Incidents queue](view-incidents-queue.md) +- [Alerts queue](alerts-queue.md) +- [Machines list](machines-view-overview.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md index bf5f352335..2436a0642e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md @@ -38,7 +38,7 @@ Deploying Microsoft Defender ATP is a three-phase process: Onboard to the Microsoft Defender ATP service -
      Phase 2: Setup
      +
      Phase 2: Set up
      @@ -180,5 +180,5 @@ how the endpoint security suite should be enabled. ## Next step ||| |:-------|:-----| -|![Phase 2: Setup](images/setup.png)
      [Phase 2: Setup](production-deployment.md) | Setup Microsoft Defender ATP deployment +|![Phase 2: Setup](images/setup.png)
      [Phase 2: Setup](production-deployment.md) | Set up Microsoft Defender ATP deployment diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index 5ee99f304a..4fabe73b03 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md @@ -1,5 +1,5 @@ --- -title: Setup Microsoft Defender ATP deployment +title: Set up Microsoft Defender ATP deployment description: keywords: search.product: eADQiWindows 10XVcnh @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Setup Microsoft Defender ATP deployment +# Set up Microsoft Defender ATP deployment **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -36,7 +36,7 @@ Deploying Microsoft Defender ATP is a three-phase process:       Onboard to the Microsoft Defender ATP service -
      Phase 2: Setup
      +
      Phase 2: Set up
      @@ -48,7 +48,7 @@ Deploying Microsoft Defender ATP is a three-phase process: -You are currently in the setup phase. +You are currently in the set up phase. In this deployment scenario, you'll be guided through the steps on: - Licensing validation @@ -69,9 +69,9 @@ Checking for the license state and whether it got properly provisioned, can be d 1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**. - - On the screen you will see all the provisioned licenses and their current **Status**. + On the screen you will see all the provisioned licenses and their current **Status**. - ![Image of billing licenses](images/atp-billing-subscriptions.png) + ![Image of billing licenses](images/atp-billing-subscriptions.png) ## Cloud Service Provider validation @@ -88,7 +88,7 @@ To gain access into which licenses are provisioned to your company, and to check ## Tenant Configuration -When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client machine. +When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/) for the first time there will be a set up wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client machine. 1. From a web browser, navigate to . @@ -103,7 +103,7 @@ When accessing [Microsoft Defender Security Center](https://securitycenter.windo 4. Set up preferences. - **Data storage location** - It's important to set this up correctly. Determine where the customer wants to be primarily hosted: US, EU or UK. You cannot change the location after this setup and Microsoft will not transfer the data from the specified geolocation. + **Data storage location** - It's important to set this up correctly. Determine where the customer wants to be primarily hosted: US, EU or UK. You cannot change the location after this set up and Microsoft will not transfer the data from the specified geolocation. **Data retention** - The default is 6 months. @@ -160,11 +160,8 @@ services if a computer is not permitted to connect to the Internet. The static proxy is configurable through Group Policy (GP). The group policy can be found under: -- Administrative Templates \> Windows Components \> Data Collection and - Preview Builds \> Configure Authenticated Proxy usage for the Connected User - Experience and Telemetry Service - - - Set it to **Enabled** and select **Disable Authenticated Proxy usage** + - Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service + - Set it to **Enabled** and select **Disable Authenticated Proxy usage** 1. Open the Group Policy Management Console. 2. Create a policy or edit an existing policy based off the organizational practices. @@ -261,4 +258,4 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https: ## Next step ||| |:-------|:-----| -|![Phase 3: Onboard](images/onboard.png)
      [Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them \ No newline at end of file +|![Phase 3: Onboard](images/onboard.png)
      [Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 393ba7c546..d69c963e40 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -27,6 +27,17 @@ ms.topic: article [!include[Prerelease information](../../includes/prerelease.md)] +## APIs + +Threat and Vulnerability Management supports multiple APIs. Microsoft Defender Advanced Threat Protection (ATP) Threat & Vulnerability Management APIs are soon to be generally available. See the following topics for related APIs: + +- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) +- [Machine APIs](machine.md) +- [Recommendation APIs](vulnerability.md) +- [Score APIs](score.md) +- [Software APIs](software.md) +- [Vulnerability APIs](vulnerability.md) + ## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit 1. Go to **Advanced hunting** from the left-hand navigation pane of the Microsoft Defender Security Center. @@ -85,27 +96,18 @@ To view a list of version that have reached end of support, or end or support so After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details. -## Use APIs - -Threat and vulnerability management supports multiple APIs. See the following topics for related APIs: - -- [Machine APIs](machine.md) -- [Recommendation APIs](vulnerability.md) -- [Score APIs](score.md) -- [Software APIs](software.md) -- [Vulnerability APIs](vulnerability.md) - ## Related topics +- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Security recommendations](tvm-security-recommendation.md) - [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) +- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) - [Advanced hunting overview](overview-hunting.md) - [All advanced hunting tables](advanced-hunting-reference.md) -- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md index 8e21eddb4d..d415db238d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md @@ -52,5 +52,14 @@ If while trying to take an action during a live response session, you encounter 4. Navigate to your TEMP folder. 5. Run the action you wanted to take on the copied file. +## Slow live response sessions or delays during initial connections +Live response leverages Microsoft Defender ATP sensor registration with WNS service in Windows. +If you are having connectivity issues with live response, please confirm the following: +1. `notify.windows.com` is not blocked in your environment. For more information see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). +2. WpnService (Windows Push Notifications System Service) is not disabled. +Please refer to the articles below to fully understand the WpnService service behavior and requirements: +- [Windows Push Notification Services (WNS) overview](https://docs.microsoft.com/windows/uwp/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview) +- [Enterprise Firewall and Proxy Configurations to Support WNS Traffic](https://docs.microsoft.com/windows/uwp/design/shell/tiles-and-notifications/firewall-allowlist-config) +- [Microsoft Push Notifications Service (MPNS) Public IP ranges](https://www.microsoft.com/en-us/download/details.aspx?id=44535) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index e4cd47a5a8..317cac63d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -13,7 +13,7 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: troubleshooting --- @@ -68,7 +68,7 @@ If the script fails and the event is an error, you can check the event ID in the Event ID | Error Type | Resolution steps :---|:---|:--- 5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. -10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
      ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
      Verify that the script was ran as an administrator. +10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
      ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
      Verify that the script has been run as an administrator. 15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).

      If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again. 15 | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions. 30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md). @@ -79,7 +79,7 @@ Event ID | Error Type | Resolution steps ### Troubleshoot onboarding issues using Microsoft Intune You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue. -If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. +If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. Use the following tables to understand the possible causes of issues while onboarding: @@ -87,7 +87,7 @@ Use the following tables to understand the possible causes of issues while onboa - Known issues with non-compliance table - Mobile Device Management (MDM) event logs table -If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt. +If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt. **Microsoft Intune error codes and OMA-URIs**: @@ -140,7 +140,7 @@ If the deployment tools used does not indicate an error in the onboarding proces 2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**. > [!NOTE] - > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP. + > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP. 3. Select **Operational** to load the log. @@ -282,28 +282,125 @@ You might also need to check the following: - Check **Event Viewer** > **Applications and Services Logs** > **Operation Manager** to see if there are any errors. -- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example, +- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example, ![Image of Services](images/atp-services.png) -- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running. +- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running. ![Image of Microsoft Monitoring Agent Properties](images/atp-mma-properties.png) -- Check to see that machines are reflected in the **Machines list** in the portal. +- Check to see that machines are reflected in the **Machines list** in the portal. + +## Confirming onboarding of newly built machines +There may be instances when onboarding is deployed on a newly built machine but not completed. + +The steps below provide guidance for the following scenario: +- Onboarding package is deployed to newly built machines +- Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed +- Machine is turned off or restarted before the end user performs a first logon +- In this scenario, the SENSE service will not start automatically even though onboarding package was deployed + +>[!NOTE] +>The following steps are only relevant when using Microsoft Endpoint Configuration Manager (current branch) -## Licensing requirements -Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: +1. Create an application in Microsoft Endpoint Configuration Manager current branch. -- Windows 10 Enterprise E5 -- Windows 10 Education E5 -- Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5 + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-1.png) -For more information, see [Windows 10 Licensing](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx#tab=2). +2. Select **Manually specify the application information**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-2.png) +3. Specify information about the application, then select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-3.png) + +4. Specify information about the software center, then select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-4.png) + +5. In **Deployment types** select **Add**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-5.png) + +6. Select **Manually specify the deployment type information**, then select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-6.png) + +7. Specify information about the deployment type, then select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-7.png) + +8. In **Content** > **Installation program** specify the command: `net start sense`. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-8.png) + +9. In **Detection method**, select **Configure rules to detect the presence of this deployment type**, then select **Add Clause**. + + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-9.png) + +10. Specify the following detection rule details, then select **OK**: + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-10.png) + +11. In **Detection method** select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-11.png) + +12. In **User Experience**, specify the following information, then select **Next**: + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-12.png) + +13. In **Requirements**, select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-13.png) + +14. In **Dependencies**, select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-14.png) + +15. In **Summary**, select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-15.png) + +16. In **Completion**, select **Close**. + + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-16.png) + +17. In **Deployment types**, select **Next**. + + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-17.png) + +18. In **Summary**, select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-18.png) + + The status is then displayed + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-19.png) + +19. In **Completion**, select **Close**. + + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-20.png) + +20. You can now deploy the application by right-clicking the app and selecting **Deploy**. + + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-21.png) + +21. In **General** select **Automatically distribute content for dependencies** and **Browse**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-22.png) + +22. In **Content** select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-23.png) + +23. In **Deployment settings**, select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-24.png) + +24. In **Scheduling** select **As soon as possible after the available time**, then select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-25.png) + +25. In **User experience**, select **Commit changes at deadline or during a maintenance window (requires restarts)**, then select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-26.png) + +26. In **Alerts** select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-27.png) + +27. In **Summary**, select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-28.png) + + The status is then displayed + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-29.png) + +28. In **Completion**, select **Close**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-30.png) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink) ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 839193db64..05264dcf03 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -1,5 +1,5 @@ --- -title: Threat & Vulnerability Management dashboard overview +title: Threat & Vulnerability Management dashboard insights description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience. keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score search.appverid: met150 @@ -16,7 +16,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual --- -# Threat & Vulnerability Management dashboard overview +# Threat & Vulnerability Management dashboard insights **Applies to:** @@ -85,8 +85,8 @@ See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-ico ## Related topics +- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Security recommendations](tvm-security-recommendation.md) @@ -94,4 +94,5 @@ See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-ico - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) +- [APIs](threat-and-vuln-mgt-scenarios.md#apis) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index f245ad4692..3078eee09f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md @@ -70,21 +70,16 @@ To lower your threat and vulnerability exposure, follow these steps. 6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases. - ## Related topics +- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Configuration score](configuration-score.md) - [Security recommendations](tvm-security-recommendation.md) - [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) +- [APIs](threat-and-vuln-mgt-scenarios.md#apis) - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) -- [Recommendation APIs](vulnerability.md) -- [Machine APIs](machine.md) -- [Score APIs](score.md) -- [Software APIs](software.md) -- [Vulnerability APIs](vulnerability.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index 6162539530..96d0ba1377 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md @@ -26,84 +26,42 @@ ms.topic: conceptual >[!NOTE] >To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on. -After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), you can start creating security tasks through the integration with Microsoft Intune where remediation tickets are created. +After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), start creating security tasks through the integration with Microsoft Intune where remediation tickets are created. Lower your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. -## How remediation requests work +## Navigate to the Remediation page -When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune. +You can access the Remediation page a few different ways: -The dashboard will show the status of your top remediation activities. Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task. - -## Accessing the remediation page - -You can access the remediation page in a few places in the portal: - -- Security recommendations flyout panel -- Navigation menu -- Top remediation activities in the dashboard - -### Security recommendation flyout page - -You'll see remediation options when you select one of the security recommendations in the [Security recommendations page](tvm-security-recommendation.md). - -1. From the flyout panel, you'll see the security recommendation details including next steps. Select **Remediation options**. -2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**. -3. Select a remediation due date. -4. Add notes to give your IT administrator a context of your remediation request. For example, you can indicate urgency of the remediation request to avoid potential exposure to a recent exploit activity, or if the request is a part of compliance. - ->[!NOTE] ->If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to Intune. - -If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. +- Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md) +- Top remediation activities card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) ### Navigation menu -1. Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. - - To see software which has reached end-of-support, select **Software uninstall** from the **Remediation type** filter. For specific software versions which have reached end-of-support, select **Software update** from the **Remediation type** filter. Select **In progress** then **Apply**. -![Screenshot of the remediation page filters for software update and uninstall](images/remediation_swupdatefilter.png) - -2. Select the remediation activity that you want to view. -![Screenshot of the remediation page flyout for a software which reached end-of-support](images/remediation_flyouteolsw.png) +Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. ### Top remediation activities in the dashboard -1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top remediation activities** card. The list is sorted and prioritized based on what is listed in the **Top security recommendations**. -2. Select the remediation activity that you want to view. +View **Top remediation activities** in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task. +![Screenshot of the remediation page flyout for a software which reached end-of-support](images/tvm-remediation-activities-card.png) -## Exception options +## Remediation activities -You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [configuration score](configuration-score.md). +When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune. -When you select a [security recommendation](tvm-security-recommendation.md), it opens a flyout screen with details and options for your next steps. Select **Exception options** to fill out the justification and context. +Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete. +![Screenshot of the remediation page flyout for a software which reached end-of-support](images/remediation_flyouteolsw.png) -![Screenshot of exception flyout screen](images/tvm-exception-flyout.png) +## Exceptions -### Exception justification - -If the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The following list details the justifications behind the exception options: - -- **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus -- **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow -- **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive -- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization -- **Other** - False positive - -![Screenshot of exception reason dropdown menu](images/tvm-exception-dropdown.png) - -### Where to find exceptions +When you [file for an exception](tvm-security-recommendation.md#file-for-exception) from the [Security recommendations page](tvm-security-recommendation.md), you create an exception for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [configuration score](configuration-score.md). The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status. ![Screenshot of exception tab and filters](images/tvm-exception-filters.png) -You can also select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. Selecting the link opens a filtered view in the **Security recommendations** page of recommendations with an "Exception" status. - -![Screenshot of Show exceptions link in the Top security recommendations card in the dashboard](images/tvm-exception-dashboard.png) - ### Exception actions and statuses You can take the following actions on an exception: @@ -129,20 +87,22 @@ The exception impact shows on both the Security recommendations page column and ![Screenshot of where to find the exception impact](images/tvm-exception-impact.png) +### View exceptions in other places + +Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard to open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status. + +![Screenshot of Show exceptions link in the Top security recommendations card in the dashboard](images/tvm-exception-dashboard.png) + ## Related topics +- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) -- [Security recommendation](tvm-security-recommendation.md) +- [Security recommendations](tvm-security-recommendation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) +- [APIs](threat-and-vuln-mgt-scenarios.md#apis) - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) -- [Recommendation APIs](vulnerability.md) -- [Machine APIs](machine.md) -- [Score APIs](score.md) -- [Software APIs](software.md) -- [Vulnerability APIs](vulnerability.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index d28353f90b..4859488e84 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -23,15 +23,15 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > [!TIP] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] -Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendation helps shorten the time to mitigate or remediate vulnerabilities and drive compliance. +Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance. Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment. -## Criteria +## How it works Each machine in the organization is scored based on three important factors to help customers to focus on the right things at the right time. @@ -41,33 +41,41 @@ Each machine in the organization is scored based on three important factors to h - **Business value** - Your organization's assets, critical processes, and intellectual properties -## Navigate to security recommendations +## Navigate to the Security recommendations page -You can access security recommendations from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page. +Access the Security recommendations page a few different ways: -### Top security recommendations in the Threat & Vulnerability Management dashboard +- Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md) +- Top security recommendations in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) -In a given day as a Security Administrator, you can take a look at the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [configuration score](configuration-score.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. +View related security recommendations in the following places: -![Screenshot of security recommendations page](images/top-security-recommendations350.png) - -The top security recommendations lists the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details about the recommendation. +- Software page +- Machine page ### Navigation menu Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open the list of security recommendations for the threats and vulnerabilities found in your organization. +### Top security recommendations in the Threat & Vulnerability Management dashboard + +In a given day as a Security Administrator, you can take a look at the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [configuration score](configuration-score.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. + +![Example of Top security recommendations card, with four security recommendations.](images/top-security-recommendations350.png) + +The top security recommendations lists the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details about the recommendation. + ## Security recommendations overview -You will be able to view the recommendation, the number of weaknesses found, related components, threat insights, number of exposed machines, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags. +View recommendations, the number of weaknesses found, related components, threat insights, number of exposed machines, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags. -The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens when the numbers on the right hand side is greater than what's on the left, which means an increase or decrease at the end of even a single machine will change the graph's color. +The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the number of exposed machines, the color of the graph will change into green. -![Screenshot of security recommendations page](images/tvmsecrec-updated.png) +![Example of the landing page for software inventory.](images/tvmsecrec-updated.png) ### Icons -Useful icons also quickly calls your attention to
      • ![Possible active alert](images/tvm_alert_icon.png) possible active alerts
      • ![Threat insight](images/tvm_bug_icon.png) associated public exploits
      • ![Recommendation insight](images/tvm_insight_icon.png) recommendation insights

      +Useful icons also quickly calls your attention to:
      • ![Arrow hitting a target](images/tvm_alert_icon.png) possible active alerts
      • ![red bug](images/tvm_bug_icon.png) associated public exploits
      • ![light bulb](images/tvm_insight_icon.png) recommendation insights

      ### Investigate @@ -77,22 +85,22 @@ Select the security recommendation that you want to investigate or process. From the flyout, you can do any of the following: -- **Open software page** - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-life, and charts so you can see the exposure trend over time. +- **Open software page** - Open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-support, and charts of the exposure trend over time. - **Remediation options** - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. -- **Exception options** - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive. +- **Exception options** - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet. >[!NOTE] >When a change is made on a machine, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center. ## Request remediation -The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow. Security Administrators like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune. +The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune. ### Enable Microsoft Intune connection -To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on. +To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**. See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. @@ -106,16 +114,18 @@ See [Use Intune to remediate vulnerabilities identified by Microsoft Defender AT 4. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request. +If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. + >[!NOTE] >If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune. ## File for exception -With Threat & Vulnerability Management, you can create exceptions for recommendations, as an alternative to a remediation request. +As an alternative to a remediation request, you can create exceptions for recommendations. There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons. -Exceptions can be created for both *Security update* and *Configuration change* recommendations. +Exceptions can be created for both Security update and Configuration change recommendations. When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list. @@ -124,13 +134,17 @@ When an exception is created for a recommendation, the recommendation is no long 2. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. -> ![Screenshot of exception flyout page which details justification and context](images/tvm-exception-flyout.png) + The following list details the justifications behind the exception options: + + - **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus + - **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow + - **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive + - **Planned remediation (grace)** - Already planned but is awaiting execution or authorization + - **Other** - False positive 3. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created. -![Screenshot of exception confirmation message](images/tvm-exception-confirmation.png) -4. Navigate to the [**Remediation**](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past). -![Screenshot of exception list of exceptions in the Remediation page](images/tvm-exception-list.png) +4. Navigate to the [**Remediation**](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and select the **Exceptions** tab to view all your exceptions (current and past). ## Report inaccuracy @@ -144,26 +158,19 @@ You can report a false positive when you see any vague, inaccurate, incomplete, 3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy. -![Screenshot of Report inaccuracy flyout pane](images/report-inaccuracy-flyout500.png) - 4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts. - ## Related topics +- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) -- [Recommendation APIs](vulnerability.md) -- [Machine APIs](machine.md) -- [Score APIs](score.md) -- [Software APIs](software.md) -- [Vulnerability APIs](vulnerability.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) +- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index c56539dc1b..2f1c8da158 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -27,51 +27,65 @@ ms.topic: conceptual Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it. -## Navigate through your software inventory - -1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact to exposure score, tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support. -![Screenshot of software inventory page](images/software_inventory_filter.png) - -2. In the **Software inventory** page, select the software that you want to investigate and a flyout panel opens up with the same details mentioned above but in a more compact view. You can either dive deeper into the investigation and select **Open software page** or flag any technical inconsistencies by selecting **Report inaccuracy**. - -3. Select **Open software page** to dive deeper into your software inventory to see how many weaknesses are discovered in the software, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified. - ## How it works -In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment. +In the field of discovery, we are leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender ATP endpoint detection and response capabilities](overview-endpoint-detection-response.md). Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available. +## Navigate to the Software inventory page + +You can access the Software inventory page by selecting **Software inventory** from the Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md). + +View software on specific machines in the individual machines pages from the [machines list](machines-view-overview.md). + +## Software inventory overview + +The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact to exposure score, and tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support. +![Example of the landing page for software inventory.](images/software_inventory_filter.png) + +Select the software that you want to investigate and a flyout panel opens up with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**. + +![Flyout example page of "Visual Studio 2017" from the software inventory page.](images/tvm-software-inventory-flyout500.png) + +## Software pages + +Once you are in the Software inventory page and have opened the flyout panel by selecting a software to investigate, select **Open software page** (see image in the previous section). A full page will appear with all the details of a specific software and the following information: + +- Side panel with vendor information, prevalence of the software in the organization (including number of machines it is installed on, and exposed machines that are not patched), whether and exploit is available, and impact to your exposure score +- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed machines +- Tabs with lists of the corresponding security recommendations for the weaknesses and vulnerabilities identified, the named CVEs of discovered vulnerabilities, the names of the machines that the software is installed on, and the specific versions of the software with the number of machines that have each version installed and number of vulnerabilities. + +![Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more.](images/tvm-software-page-example.png) + +## Software evidence + +We now show evidence of where we detected a specific software on a machine from the registry, disk or both machine on where we detected a certain software. +You can find it on any machines found in the [machines list](machines-view-overview.md) in a section called "Software Evidence." + +From the Microsoft Defender Security Center navigation panel, go to **Machines list** > select the name of a machine to open the machine page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence. + +![Software evidence example of Windows 10 from the machines list, showing software evidence registry path.](images/tvm-software-evidence.png) + ## Report inaccuracy -You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information in the machine page. - -1. Select one of the software rows. A flyout will appear. - -2. Select "Report inaccuracy" in the flyout - -![Screenshot of Report inaccuracy control](images/software-inventory-report-inaccuracy500.png) +You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information. +1. Open the software flyout on the Software inventory page. +2. Select **Report inaccuracy**. 3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy. - -![Screenshot of Report inaccuracy flyout pane](images/report-inaccuracy-flyout500.png) - 4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts. ## Related topics +- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) -- [Security recommendation](tvm-security-recommendation.md) +- [Security recommendations](tvm-security-recommendation.md) - [Remediation and exception](tvm-remediation.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) -- [Recommendation APIs](vulnerability.md) -- [Machine APIs](machine.md) -- [Score APIs](score.md) -- [Software APIs](software.md) -- [Vulnerability APIs](vulnerability.md) +- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md index d9198f7ccc..64933d374c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md @@ -34,18 +34,19 @@ Windows 7 | Operating System (OS) vulnerabilities Windows 8.1 | Not supported Windows 10 1607-1703 | Operating System (OS) vulnerabilities Windows 10 1709+ |Operating System (OS) vulnerabilities
      Software product vulnerabilities
      Operating System (OS) configuration assessment
      Security controls configuration assessment
      Software product configuration assessment -Windows Server 2008R2 | Operating System (OS) vulnerabilities
      Software product vulnerabilities
      Operating System (OS) configuration assessment
      Security controls configuration assessment
      Software product configuration assessment -Windows Server 2012R2 | Operating System (OS) vulnerabilities
      Software product vulnerabilities
      Operating System (OS) configuration assessment
      Security controls configuration assessment
      Software product configuration assessment +Windows Server 2008 R2 | Operating System (OS) vulnerabilities
      Software product vulnerabilities
      Operating System (OS) configuration assessment
      Security controls configuration assessment
      Software product configuration assessment +Windows Server 2012 R2 | Operating System (OS) vulnerabilities
      Software product vulnerabilities
      Operating System (OS) configuration assessment
      Security controls configuration assessment
      Software product configuration assessment Windows Server 2016 | Operating System (OS) vulnerabilities
      Software product vulnerabilities
      Operating System (OS) configuration assessment
      Security controls configuration assessment
      Software product configuration assessment Windows Server 2019 | Operating System (OS) vulnerabilities
      Software product vulnerabilities
      Operating System (OS) configuration assessment
      Security controls configuration assessment
      Software product configuration assessment MacOS | Not supported (planned) Linux | Not supported (planned) -Some of the above prerequisites might be different from the [Minimum requirements for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements) list. +Some of the above prerequisites might be different from the [Minimum requirements for Microsoft Defender ATP](minimum-requirements.md) list. ## Related topics -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Security recommendations](tvm-security-recommendation.md) @@ -53,4 +54,5 @@ Some of the above prerequisites might be different from the [Minimum requirement - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) +- [APIs](threat-and-vuln-mgt-scenarios.md#apis) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index 37bfee2589..4b7a5cb97e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -27,14 +27,7 @@ ms.topic: conceptual Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities. -The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights. - -You can access the list of vulnerabilities in a few places in the portal: - -- Global search -- Weaknesses option in the navigation menu -- Top vulnerable software widget in the dashboard -- Discovered vulnerabilities page in the machine page +The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, and threat insights. >[!IMPORTANT] >To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network: @@ -45,7 +38,27 @@ You can access the list of vulnerabilities in a few places in the portal: ## Navigate to the Weaknesses page -When new vulnerabilities are released, you can find out how many of your assets are exposed in the **Weaknesses** page of the Threat & Vulnerability Management navigation menu. If the **Exposed Machines** column shows 0, that means you are not at risk. If exposed machines exist, the next step is to remediate the vulnerabilities in those machines to reduce the risk to your assets and organization. +Access the Weaknesses page a few different ways: + +- Selecting **Weaknesses** from the Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md) +- Global search + +### Navigation menu + +Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open the list of CVEs. + +### Vulnerabilities in global search + +1. Go to the global search drop-down menu. +2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you are looking for. +![Global search box with the dropdown option "vulnerability" selected and an example CVE.](images/tvm-vuln-globalsearch.png) +3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates. + +To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search. + +## Weaknesses overview + +If the **Exposed Machines** column shows 0, that means you are not at risk. If exposed machines exist, the next step is to remediate the vulnerabilities in those machines to reduce the risk to your assets and organization. ![tvm-breach-insights](images/tvm-weaknesses-overview.png) @@ -54,89 +67,64 @@ When new vulnerabilities are released, you can find out how many of your assets You can view the related breach and threat insights in the **Threat** column when the icons are colored red. >[!NOTE] - > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon and breach insight ![possible active alert](images/tvm_alert_icon.png) icon. + > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon ![Simple drawing of a red bug.](images/tvm_bug_icon.png) and breach insight icon ![Simple drawing of an arrow hitting a target.](images/tvm_alert_icon.png). The breach insights icon is highlighted if there is a vulnerability found in your organization. -![tvm-breach-insights](images/tvm-breach-insights.png) +![Example of a breach insights text that could show up when hovering over icon. This one says "possible active alert is associated with this recommendation.](images/tvm-breach-insights.png) The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit or connected to specific advanced persistent campaigns or activity groups. Threat Analytics report links are provided that you can read with zero-day exploitation news, disclosures, or related security advisories. -![tvm-threat-insights](images/tvm-threat-insights.png) +![Threat insights text that that could show up when hovering over icon. This one has multiple bullet points and linked text.](images/tvm-threat-insights.png) +## View Common Vulnerabilities and Exposures (CVE) entries in other places - -## Vulnerabilities in global search - -1. Go to the global search drop-down menu. -2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you are looking for. -![tvm-vuln-globalsearch](images/tvm-vuln-globalsearch.png) -3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates. - -To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search. - -## Top vulnerable software in the dashboard +### Top vulnerable software in the dashboard 1. Go to the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time. -![top vulnerable software card](images/tvm-top-vulnerable-software500.png) +![Top vulnerable software card with four columns: software, weaknesses, threats, exposed machines.](images/tvm-top-vulnerable-software500.png) 2. Select the software that you want to investigate to go a drill down page. 3. Select the **Discovered vulnerabilities** tab. -4. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates. +4. Select the vulnerability that you want to investigate. A flyout panel will appear with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates. -![Windows server drill down overview](images/windows-server-drilldown.png) +![Windows Server 2019 drill down overview.](images/windows-server-drilldown.png) -## Discover vulnerabilities in the machine page +### Discover vulnerabilities in the machine page -1. Go to the left-hand navigation menu bar, then select the machine icon. The **Machines list** page opens. -2. In the **Machines list** page, select the machine name that you want to investigate. +View related weaknesses information in the machine page. + +1. Go to the Microsoft Defender Security Center navigation menu bar, then select the machine icon. The **Machines list** page opens. +2. In the **Machines list** page, select the machine name that you want to investigate.
      ![Screenshot of machine list with selected machine to investigate](images/tvm_machinetoinvestigate.png)
      -3. The machine page will open with details and response options for the machine you want to investigate. +3. The machine page will open with details and response options for the machine you want to investigate. 4. Select **Discovered vulnerabilities**.
      ![Screenshot of the machine page with details and response options](images/tvm-discovered-vulnerabilities.png)
      5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic. -### CVE Detection logic +#### CVE Detection logic Similar to the software evidence, we now show the detection logic we applied on a machine in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the machine page) that shows the detection logic and source. -![Screenshot of the machine page with details and response options](images/cve-detection-logic.png) - +![Detection Logic example which lists the software detected on the device and the KBs.](images/cve-detection-logic.png) ## Report inaccuracy -You can report a false positive when you see any vague, inaccurate, missing, or already remediated vulnerability information in the machine page. +You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information. -1. Select the **Discovered vulnerabilities** tab. - -2. Click **:** beside the vulnerability that you want to report about, and then select **Report inaccuracy**. -![Screenshot of Report inaccuracy control from the machine page in the Discovered vulnerabilities tab](images/tvm_report_inaccuracy_vuln.png) -
      A flyout pane opens.
      -![Screenshot of Report inaccuracy flyout pane](images/tvm_report_inaccuracy_vulnflyout.png) - -3. From the flyout pane, select the inaccuracy category from the **Discovered vulnerability inaccuracy reason** drop-down menu. -
      ![Screenshot of discovered vulnerability inaccuracy reason drop-down menu](images/tvm_report_inaccuracy_vulnoptions.png)
      - -4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported. - -5. Include your machine name for investigation context. - - > [!NOTE] - > You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context. - -6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context. +1. Open the CVE on the Weaknesses page. +2. Select **Report inaccuracy**. +3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy. +4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts. ## Related topics + +- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) -- [Security recommendation](tvm-security-recommendation.md) +- [Security recommendations](tvm-security-recommendation.md) - [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) -- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) -- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine) -- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) -- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) -- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score) +- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md index accf7f1ab2..07e009dc0e 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md @@ -28,6 +28,9 @@ Describes the best practices, location, values, management, and security conside Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). You can activate the screen saver by enabling the Group Policy **User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver**. This policy setting allows you to control the locking time by using Group Policy. +> [!NOTE] +> If the **Interactive logon: Machine inactivity limit** security policy setting is configured, the device locks not only when inactive time exceeds the inactivity limit, but also when the screensaver activates or when the display turns off because of power settings. + ### Possible values The automatic lock of the device is set in elapsed seconds of inactivity, which can range from zero (0) to 599,940 seconds (166.65 hours). diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 33827edea0..e09392cea5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.reviewer: +ms.reviewer: manager: dansimp --- @@ -25,13 +25,13 @@ manager: dansimp ## Overview Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection. -- When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, Windows Defender Antivirus automatically goes into disabled mode. -- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real time protection and and threats are not remediated by Windows Defender Antivirus.) +- When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, Windows Defender Antivirus automatically goes into disabled mode. +- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real time protection and threats are not remediated by Windows Defender Antivirus.) - If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [shadow protection (currently in private preview)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection), then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack. ## Antivirus and Microsoft Defender ATP -The following table summarizes what happens with Windows Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP. +The following table summarizes what happens with Windows Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP. | Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender Antivirus state | @@ -47,19 +47,19 @@ The following table summarizes what happens with Windows Defender Antivirus when (      1) On Windows Server 2016 or 2019, Windows Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Windows Defender Antivirus on Windows Server 2016 or 2019](windows-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-windows-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine. -If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key: -- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` -- Name: ForceDefenderPassiveMode +If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key: +- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` +- Name: ForceDefenderPassiveMode - Value: 1 See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations. ->[!IMPORTANT] ->Windows Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019. -> ->In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager. -> ->Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations). +> [!IMPORTANT] +> Windows Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019. +> +> In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager. +> +> Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations). ## Functionality and features available in each state @@ -79,17 +79,17 @@ The following table summarizes the functionality and features that are available ## Keep the following points in mind -If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. +If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. When Windows Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. - + In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md); however, you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode. ->[!WARNING] ->You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md). - +> [!WARNING] +> You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md). + ## Related topics diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index 9e6f941382..e07be3cc57 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md @@ -27,7 +27,7 @@ ms.date: 02/28/2018 - Windows 10 - Windows Server 2016 -As you deploy Windows Defender Application Control (WDAC) (also part of Windows Defender Device Guard), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). +As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). If you have an internal CA, complete these steps to create a code signing certificate. Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded. @@ -98,7 +98,7 @@ Now that the template is available to be issued, you must request one from the c >[!NOTE] >If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client. -This certificate must be installed in the user’s personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps: +This certificate must be installed in the user's personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps: 1. Right-click the certificate, point to **All Tasks**, and then click **Export**. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index 484dd83dc0..1ea8df15e9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -81,7 +81,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must `PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName` >[!NOTE] ->Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries’ hash values. +>Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries' hash values. When finished, the files will be saved to your desktop. You can double-click the \*.cat file to see its contents, and you can view the \*.cdf file with a text editor. @@ -95,16 +95,16 @@ Packages can fail for the following reasons: - To diagnose whether USN journal size is the issue, after running through Package Inspector, click Start > install app > PackageInspector stop - Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this was the most recent USN when you ran PackageInspector start) - `fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt` - - ReadJournal command should throw an error if the older USNs don’t exist anymore due to overflow + - ReadJournal command should throw an error if the older USNs don't exist anymore due to overflow - For USN Journal, log size can be expanded using: `fsutil usn createjournal` command with a new size and alloc delta. `Fsutil usn queryjournal` will give the current size and allocation delta, so using a multiple of that may help - To diagnose whether Eventlog size is the issue, look at the Microsoft/Windows/CodeIntegrity/Operational log under Applications and Services logs in Event Viewer and ensure that there are entries present from when you began Package Inspector (You can use write time as a justification; if you started the install 2 hours ago and there are only entries from 30 minutes prior, the log is definitely too small) - To increase Eventlog size, in Event Viewer you can right click the operational log, click properties, and then set new values (some multiple of what it was previously) - Package files that change hash each time the package is installed - Package Inspector is completely incompatible if files in the package (temporary or otherwise) change hash each time the package is installed. You can diagnose this by looking at the hash field in the 3077 block events when the package is failing in enforcement. If each time you attempt to run the package you get a new block event with a different hash, the package will not work with Package Inspector -- Files with an invalid signature blob or otherwise “unhashable” files +- Files with an invalid signature blob or otherwise "unhashable" files - This issue arises when a file that has been signed is modified post signing in a way that invalidates the PE header and renders the file unable to be hashed by the Authenticode Spec. - - WDAC uses Authenticode Hashes to validate files when they are running. If the file is unhashable via the authenticode SIP, there is no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can’t be allowed by hash due to authenticode hashing algorithm rejecting it) - - Recent versions of InstallShield packages that use custom actions can hit this. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this “unhashable” state and renders the file unable to be allowed by Device Guard (regardless of if you try to allow directly by policy or resign with Package Inspector) + - WDAC uses Authenticode Hashes to validate files when they are running. If the file is unhashable via the authenticode SIP, there is no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can't be allowed by hash due to authenticode hashing algorithm rejecting it) + - Recent versions of InstallShield packages that use custom actions can hit this. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this "unhashable" state and renders the file unable to be allowed by Windows Defender (regardless of if you try to allow directly by policy or resign with Package Inspector) ## Catalog signing with SignTool.exe @@ -124,7 +124,7 @@ To sign the existing catalog file, copy each of the following commands into an e `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"` -2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user’s personal store. +2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user's personal store. 3. Sign the catalog file with Signtool.exe: diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md index 5c089e58ac..1700437f22 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -24,7 +24,7 @@ ms.date: 02/28/2018 - Windows 10 - Windows Server 2016 -WDAC policies can easily be deployed and managed with Group Policy. A Windows Defender Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Windows Defender Device Guard hardware-based security features and Windows Defender Application Control policies. The following procedure walks you through how to deploy a WDAC policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**. +WDAC policies can easily be deployed and managed with Group Policy. Windows Defender allows you to simplify deployment Windows Defender hardware-based security features and Windows Defender Application Control policies. The following procedure walks you through how to deploy a WDAC policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**. > [!NOTE] > This walkthrough requires that you have previously created a WDAC policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a WDAC policy, see [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md), earlier in this topic. diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index 04a21aa98f..1fe1a3c6b0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md @@ -35,7 +35,7 @@ You should consider using WDAC as part of your organization's application contro - You have deployed or plan to deploy the supported versions of Windows in your organization. - You need improved control over the access to your organization's applications and the data your users access. -- Your organization has a well-defined process for application management and deployed. +- Your organization has a well-defined process for application management and deployment. - You have resources to test policies against the organization's requirements. - You have resources to involve Help Desk or to build a self-help process for end-user application access issues. - The group's requirements for productivity, manageability, and security can be controlled by restrictive policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md index 76cec7912f..da33a878fe 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md @@ -31,7 +31,7 @@ This topic covers guidelines for using code signing control classic Windows apps ## Reviewing your applications: application signing and catalog files -Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a “catalog file” from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed. +Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a "catalog file" from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed. Catalog files can be very useful for unsigned LOB applications that cannot easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your WDAC policies typically do not have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of WDAC (compared to using catalog signing). @@ -45,7 +45,7 @@ To obtain signed applications or embed signatures in your in-house applications, To use catalog signing, you can choose from the following options: -- Use the Windows Defender Device Guard signing portal available in the Microsoft Store for Business and Education. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal). +- Use the Windows Defender signing portal available in the Microsoft Store for Business and Education. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. - Create your own catalog files, which are described in the next section. @@ -53,12 +53,12 @@ To use catalog signing, you can choose from the following options: Catalog files (which you can create in Windows 10 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by WDAC in the same way as any other signed application. -Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries’ hash values are updated each time an application is updated, which requires the catalog file to be updated also. +Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries' hash values are updated each time an application is updated, which requires the catalog file to be updated also. After you have created and signed your catalog files, you can configure your WDAC policies to trust the signer or signing certificate of those files. > [!NOTE] -> Package Inspector only works on operating systems that support Windows Defender Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT. +> Package Inspector only works on operating systems that support Windows Defender, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT. For procedures for working with catalog files, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index 232b40eec6..9e0b0651d1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md @@ -29,20 +29,20 @@ This topic provides a roadmap for planning and getting started on the Windows De 1. Review requirements, especially hardware requirements for VBS. -2. Group devices by degree of control needed. Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
      Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment. +2. Group devices by degree of control needed. Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
      Deployment is simpler if everything is locked down in the same way, but meeting individual departments' needs, and working with a wide variety of devices, may require a more complicated and flexible deployment. 3. Review how much variety in software and hardware is needed by roles or departments. The following questions can help you clarify how many WDAC policies to create: - How standardized is the hardware?
      This can be relevant because of drivers. You could create a WDAC policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several WDAC policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment. - - What software does each department or role need? Should they be able to install and run other departments’ software?
      If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management. + - What software does each department or role need? Should they be able to install and run other departments' software?
      If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management. - Are there departments or roles where unique, restricted software is used?
      If one department needs to run an application that no other department is allowed, it might require a separate WDAC policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate WDAC policy. - Is there already a list of accepted applications?
      A list of accepted applications can be used to help create a baseline WDAC policy.
      As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser). - As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts? - In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies. + In day-to-day operations, your organization's security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies. Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass WDAC. @@ -70,7 +70,7 @@ This topic provides a roadmap for planning and getting started on the Windows De ## Known issues -This section covers known issues with WDAC and Device Guard. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error). +This section covers known issues with WDAC. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error). Test this configuration in your lab before enabling it in production. ### MSI Installations are blocked by WDAC diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg b/windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg new file mode 100644 index 0000000000..428f96e9b5 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg differ diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index 11045f435f..cdf47d7a4a 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -28,7 +28,7 @@ See [System requirements for Windows Defender Application Guard](https://docs.mi ## Prepare for Windows Defender Application Guard Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode. -**Standalone mode** +### Standalone mode Applies to: - Windows 10 Enterprise edition, version 1709 or higher @@ -36,7 +36,7 @@ Applies to: Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-wd-app-guard.md) testing scenario. -**Enterprise-managed mode** +## Enterprise-managed mode Applies to: - Windows 10 Enterprise edition, version 1709 or higher @@ -47,9 +47,11 @@ The following diagram shows the flow between the host PC and the isolated contai ![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png) ## Install Application Guard -Application Guard functionality is turned off by default. However, you can quickly install it on your employee’s devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution. -**To install by using the Control Panel** +Application Guard functionality is turned off by default. However, you can quickly install it on your employee's devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution. + +### To install by using the Control Panel + 1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**. ![Windows Features, turning on Windows Defender Application Guard](images/turn-windows-features-on.png) @@ -58,12 +60,11 @@ Application Guard functionality is turned off by default. However, you can quick Application Guard and its underlying dependencies are all installed. -**To install by using PowerShell** +### To install by using PowerShell >[!NOTE] >Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only. - 1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**. 2. Right-click **Windows PowerShell**, and then click **Run as administrator**. @@ -79,3 +80,46 @@ Application Guard functionality is turned off by default. However, you can quick Application Guard and its underlying dependencies are all installed. +### To install by using Intune + +> [!IMPORTANT] +> Make sure your organization's devices meet [requirements](reqs-wd-app-guard.md) and are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment). + +:::image type="complex" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Endpoint protection profile"::: + +:::image-end::: + +1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. + +2. Choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
      + + a. In the **Platform** list, select **Windows 10 and later**. + + b. In the **Profile** list, select **Endpoint protection**. + + c. Choose **Create**. + +4. Specify the following settings for the profile: + + - **Name** and **Description** + + - In the **Select a category to configure settings** section, choose **Microsoft Defender Application Guard**. + + - In the **Application Guard** list, choose **Enabled for Edge**. + + - Choose your preferences for **Clipboard behavior**, **External content**, and the remaining settings. + +5. Choose **OK**, and then choose **OK** again. + +6. Review your settings, and then choose **Create**. + +7. Choose **Assignments**, and then do the following: + + a. On the **Include** tab, in the **Assign to** list, choose an option. + + b. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the **Exclude** tab. + + c. Click **Save**. + +After the profile is created, any devices to which the policy should apply will have Windows Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. + diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index 6f9c6ff4ff..a5eebdf2a2 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -8,7 +8,6 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 03/15/2019 ms.reviewer: manager: dansimp ms.custom: asr @@ -28,9 +27,9 @@ We've come up with a list of scenarios that you can use to test hardware-based i You can see how an employee would use standalone mode with Application Guard. -**To test Application Guard in Standalone mode** +### To test Application Guard in Standalone mode -1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). +1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). 2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu. @@ -84,11 +83,11 @@ Before you can use Application Guard in enterprise mode, you must install Window 6. Start Microsoft Edge and type www.microsoft.com. - After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard. + After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard. ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png) -7. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists. +7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists. After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment. @@ -109,7 +108,7 @@ Application Guard provides the following default behavior for your employees: You have the option to change each of these settings to work with your enterprise from within Group Policy. **Applies to:** -- Windows 10 Enterpise edition, version 1709 or higher +- Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 #### Copy and paste options @@ -169,10 +168,10 @@ You have the option to change each of these settings to work with your enterpris The previously added site should still appear in your **Favorites** list. >[!NOTE] - >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

      If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

      **To reset the container, follow these steps:**
      1. Open a command-line program and navigate to Windows/System32.
      2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
      3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. + >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

      If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

      **To reset the container, follow these steps:**
      1. Open a command-line program and navigate to Windows/System32.
      2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
      3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. **Applies to:** -- Windows 10 Enterpise edition, version 1803 +- Windows 10 Enterprise edition, version 1803 - Windows 10 Professional edition, version 1803 #### Download options @@ -202,7 +201,7 @@ You have the option to change each of these settings to work with your enterpris 4. Assess the visual experience and battery performance. **Applies to:** -- Windows 10 Enterpise edition, version 1809 +- Windows 10 Enterprise edition, version 1809 - Windows 10 Professional edition, version 1809 #### File trust options diff --git a/windows/security/threat-protection/windows-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png b/windows/security/threat-protection/windows-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png new file mode 100644 index 0000000000..daa96d291d Binary files /dev/null and b/windows/security/threat-protection/windows-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png differ diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md index 0dabbdb3b1..150df52cc5 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md @@ -40,7 +40,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control Windows 10, version 1703 -This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

      This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

      Important: Using a trustworthy browser helps ensure that these protections work as expected. +This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

      This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

      Important: Using a trustworthy browser helps ensure that these protections work as expected.

      Windows 10, version 1703:
      Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

      Windows 10, Version 1607 and earlier:
      Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md index b9d400165d..176974ae38 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md @@ -21,12 +21,13 @@ manager: dansimp - Windows 10 - Windows 10 Mobile +- Microsoft Edge -Windows Defender SmartScreen protects against phishing or malware websites, and the downloading of potentially malicious files. +Windows Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. **Windows Defender SmartScreen determines whether a site is potentially malicious by:** -- Analyzing visited webpages looking for indications of suspicious behavior. If Windows Defender Smartscreen determines that a page is suspicious, it will show a warning page to advise caution. +- Analyzing visited webpages looking for indications of suspicious behavior. If Windows Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution. - Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might be malicious. @@ -36,16 +37,13 @@ Windows Defender SmartScreen protects against phishing or malware websites, and - Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Windows Defender SmartScreen shows a warning, advising caution. - >[!NOTE] - >Before Windows 10, version 1703, this feature was called _the SmartScreen filter_ when used within the browser and _Windows SmartScreen_ when used outside of the browser. - ## Benefits of Windows Defender SmartScreen Windows Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are: -- **Anti-phishing and anti-malware support.** Windows Defender SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Windows Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97) +- **Anti-phishing and anti-malware support.** Windows Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Windows Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97) -- **Reputation-based URL and app protection.** Windows Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, your employees won't see any warnings. If however there's no reputation, the item is marked as a higher risk and presents a warning to the employee. +- **Reputation-based URL and app protection.** Windows Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user. - **Operating system integration.** Windows Defender SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run. @@ -53,14 +51,14 @@ Windows Defender SmartScreen provide an early warning system against websites th - **Management through Group Policy and Microsoft Intune.** Windows Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md). -- **Blocking URLs associated with potentially unwanted applications.** In the next major version of Microsoft Edge (based on Chromium), SmartScreen will blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md). +- **Blocking URLs associated with potentially unwanted applications.** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md). > [!IMPORTANT] > SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares. ## Viewing Windows Defender SmartScreen anti-phishing events -When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx). +When Windows Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx). ## Viewing Windows event logs for Windows Defender SmartScreen Windows Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer. @@ -82,8 +80,5 @@ EventID | Description 1002 | User Decision Windows Defender SmartScreen Event ## Related topics -- [Windows Defender SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx) - -- [SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx) - [Threat protection](../index.md) - [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings) diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md index bdbd3df95e..1bdb879cd4 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md @@ -19,60 +19,65 @@ ms.author: macapara **Applies to:** - Windows 10, version 1703 - Windows 10 Mobile +- Microsoft Edge -Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files. +Windows Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files. -## How employees can use Windows Security to set up Windows Defender SmartScreen -Starting with Windows 10, version 1703 your employees can use Windows Security to set up Windows Defender SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it. +## How users can use Windows Security to set up Windows Defender SmartScreen +Starting with Windows 10, version 1703, users can use Windows Security to set up Windows Defender SmartScreen for an individual device; unless and administrator has used Group Policy or Microsoft Intune to prevent it. >[!NOTE] >If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee. **To use Windows Security to set up Windows Defender SmartScreen on a device** -1. Open the Windows Security app, and then click **App & browser control**. +1. Open the Windows Security app, and then select **App & browser control** > **Reputation-based protection settings**. -2. In the **App & browser control** screen, choose from the following options: +2. In the **Reputation-based protection** screen, choose from the following options: - In the **Check apps and files** area: - - - **Block.** Stops employees from downloading and running unrecognized apps and files from the web. - - **Warn.** Warns employees that the apps and files being downloaded from the web are potentially dangerous, but allows the action to continue. + - **On.** Warns users that the apps and files being downloaded from the web are potentially dangerous but allows the action to continue. - - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files. + - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files. - In the **Windows Defender SmartScreen for Microsoft Edge** area: - - - **Block.** Stops employees from downloading and running unrecognized apps and files from the web, while using Microsoft Edge. - - **Warn.** Warns employees that sites and downloads are potentially dangerous, but allows the action to continue while running in Microsoft Edge. + - **On.** Warns users that sites and downloads are potentially dangerous but allows the action to continue while running in Microsoft Edge. - - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files. + - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files. + - In the **Potentially unwanted app blocking** area: + + - **On.** Turns on both the 'Block apps' and 'Block downloads settings. To learn more, see [How Microsoft identifies malware and potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/intelligence/criteria#potentially-unwanted-application-pua). + - **Block apps.** This setting will prevent new apps from installing on the device and warn users of apps that are existing on the device. + + - **Block downloads.** This setting will alert users and stop the downloads of apps in the Microsoft Edge browser (based on Chromium). + + - **Off.** Turns off Potentially unwanted app blocking, so a user isn't alerted or stopped from downloading or installing potentially unwanted apps. - In the **Windows Defender SmartScreen from Microsoft Store apps** area: - - **Warn.** Warns employees that the sites and downloads used by Microsoft Store apps are potentially dangerous, but allows the action to continue. + - **On.** Warns users that the sites and downloads used by Microsoft Store apps are potentially dangerous but allows the action to continue. - - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. + - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. - ![Windows Security, Windows Defender SmartScreen controls](images/windows-defender-smartscreen-control.png) + ![Windows Security, Windows Defender SmartScreen controls](images/windows-defender-smartscreen-control-2020.png) -## How Windows Defender SmartScreen works when an employee tries to run an app -Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Windows Defender SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization. +## How Windows Defender SmartScreen works when a user tries to run an app +Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Windows Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization. -By default, your employees can bypass Windows Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended). +By default, users can bypass Windows Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block your employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended). -## How employees can report websites as safe or unsafe -You can configure Windows Defender SmartScreen to warn employees from going to a potentially dangerous site. Employees can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11. +## How users can report websites as safe or unsafe +Windows Defender SmartScreen can be configured to warn users from going to a potentially dangerous site. Users can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11. **To report a website as safe from the warning message** - On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions. **To report a website as unsafe from Microsoft Edge** -- If a site seems potentially dangerous, employees can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**. +- If a site seems potentially dangerous, users can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**. **To report a website as unsafe from Internet Explorer 11** -- If a site seems potentially dangerous, employees can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**. +- If a site seems potentially dangerous, users can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**. ## Related topics - [Threat protection](../index.md)