deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-25 23:33:35 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into threat-simulator

Browse Source
This commit is contained in:
Joey Caparas
2020-05-19 13:55:44 -07:00
parent f4501d4a98 1d7a00e11e
commit 82d06d30eb
626 changed files with 10761 additions and 10121 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
windows/security/identity-protection/access-control/active-directory-security-groups.md
View File

@ -1345,7 +1345,7 @@ This security group has not changed since Windows Server 2008.
Members of the DnsUpdateProxy group are DNS clients. They are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers). A DNS server can develop stale resource records when a DHCP server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP clients by using dynamic update. Adding clients to this security group mitigates this scenario.
However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account.
However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.
For information, see [DNS Record Ownership and the DnsUpdateProxy Group](https://technet.microsoft.com/library/dd334715.aspx).
@ -1365,7 +1365,7 @@ This security group has not changed since Windows Server 2008.
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-1103</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-&lt;variable RID&gt;</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
@ -1406,7 +1406,7 @@ This security group has not changed since Windows Server 2008.
### <a href="" id="bkmk-dnsadmins"></a>DnsAdmins
Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions.
Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.
For more information about security and DNS, see [DNSSEC in Windows Server 2012](https://technet.microsoft.com/library/dn593694(v=ws.11).aspx).
@ -1426,7 +1426,7 @@ This security group has not changed since Windows Server 2008.
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-1102</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-&lt;variable RID&gt;</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>

2
windows/security/identity-protection/access-control/local-accounts.md
View File

@ -1,6 +1,6 @@
---
title: Local Accounts (Windows 10)
description: Local Accounts
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library

2
windows/security/identity-protection/credential-guard/additional-mitigations.md
View File

@ -18,7 +18,7 @@ ms.reviewer:
# Additional mitigations
Windows Defender Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Windows Defender Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
Windows Defender Credential Guard can provide mitigation against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Windows Defender Credential Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust.
## Restricting domain users to specific domain-joined devices

8
windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
View File

@ -58,7 +58,7 @@ When Windows Defender Credential Guard is enabled on Windows 10, the Java GSS AP
The following issue affects Cisco AnyConnect Secure Mobility Client:
- [Blue screen on Windows 10 computers running Windows Defender Device Guard and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \*
- [Blue screen on Windows 10 computers running Hypervisor-Protected Code Integrity and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \*
*Registration required to access this article.
@ -91,16 +91,16 @@ See the following article on Citrix support for Secure Boot:
Windows Defender Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:
- For Windows Defender Credential Guard on Windows 10 with McAfee Encryption products, see:
[Support for Windows Defender Device Guard and Windows Defender Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
[Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
- For Windows Defender Credential Guard on Windows 10 with Check Point Endpoint Security Client, see:
[Check Point Endpoint Security Client support for Microsoft Windows 10 Windows Defender Credential Guard and Windows Defender Device Guard features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
[Check Point Endpoint Security Client support for Microsoft Windows 10 Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
- For Windows Defender Credential Guard on Windows 10 with VMWare Workstation
[Windows 10 host fails when running VMWare Workstation when Windows Defender Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
- For Windows Defender Credential Guard on Windows 10 with specific versions of the Lenovo ThinkPad
[ThinkPad support for Windows Defender Device Guard and Windows Defender Credential Guard in Microsoft Windows 10 ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
[ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows 10 ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
- For Windows Defender Credential Guard on Windows 10 with Symantec Endpoint Protection
[Windows 10 with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)

31
windows/security/identity-protection/credential-guard/credential-guard-manage.md
View File

@ -24,7 +24,7 @@ ms.reviewer:
## Enable Windows Defender Credential Guard
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard [hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
@ -36,10 +36,11 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will
2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
3. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**.
5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) for more details.
![Windows Defender Credential Guard Group Policy setting](images/credguard-gp.png)
![Windows Defender Credential Guard Group Policy setting](images/credguard-gp-2.png)
5. Close the Group Policy Management Console.
6. Close the Group Policy Management Console.
To enforce processing of the group policy, you can run ```gpupdate /force```.
@ -85,7 +86,8 @@ You can do this by using either the Control Panel or the Deployment Image Servic
```
dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
```
NOTE: In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required.
> [!NOTE]
> In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required.
> [!TIP]
> You can also add these features to an online image by using either DISM or Configuration Manager.
@ -111,15 +113,15 @@ You can do this by using either the Control Panel or the Deployment Image Servic
<span id="hardware-readiness-tool"/>
### Enable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
### Enable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool
You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
You can also enable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
```
DG_Readiness_Tool.ps1 -Enable -AutoReboot
```
> [!IMPORTANT]
> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
### Review Windows Defender Credential Guard performance
@ -136,13 +138,13 @@ You can view System Information to check that Windows Defender Credential Guard
![System Information](images/credguard-msinfo32.png)
You can also check that Windows Defender Credential Guard is running by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
```
DG_Readiness_Tool_v3.6.ps1 -Ready
```
> [!IMPORTANT]
> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
> [!NOTE]
@ -207,19 +209,20 @@ To disable Windows Defender Credential Guard, you can use the following set of p
> [!NOTE]
> Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs.
For more info on virtualization-based security and Windows Defender Device Guard, see [Windows Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
).
<span id="turn-off-with-hardware-readiness-tool"/>
#### Disable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
#### Disable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool
You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
You can also disable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
```
DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
```
> [!IMPORTANT]
> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
#### Disable Windows Defender Credential Guard for a virtual machine
@ -232,5 +235,3 @@ Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true

4
windows/security/identity-protection/credential-guard/credential-guard-requirements.md
View File

@ -87,7 +87,7 @@ The following tables describe baseline protections, plus protections for improve
> [!NOTE]
> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
>
> If you are an OEM, see [PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
> If you are an OEM, see [PC OEM requirements for Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
### Baseline protections
@ -98,7 +98,7 @@ The following tables describe baseline protections, plus protections for improve
| Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.<br>[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only Windows Defender Device Guard is supported in this configuration.</p></blockquote> |Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. </p></blockquote> |Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. |
> [!IMPORTANT]
> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide.

2
windows/security/identity-protection/credential-guard/credential-guard.md
View File

@ -29,7 +29,7 @@ By enabling Windows Defender Credential Guard, the following features and soluti
- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Windows Defender Device Guard and other security strategies and architectures.
- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate other security strategies and architectures.
 
## Related topics

BIN
windows/security/identity-protection/credential-guard/images/credguard-gp-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 432 KiB

3
windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
View File

@ -47,7 +47,8 @@ Windows Hello provides many benefits, including:
## Where is Windows Hello data stored?
The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor.
Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.
> [!NOTE]
>Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.
## Has Microsoft set any device requirements for Windows Hello?
We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:

11
windows/security/identity-protection/hello-for-business/hello-faq.md
View File

@ -45,7 +45,7 @@ The statement "PIN is stronger than Password" is not directed at the strength of
The **Key Admins** and **Enterprise Key Admins** groups are created when you install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server cannot translate the security identifier (SID) to a name. To resolve this, transfer the PDC emulator domain role to a domain controller running Windows Server 2016.
## Can I use a convenience PIN with Azure AD?
It is currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts. It is only supported for on-premises only Domain Joined users and local account users.
It is currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts. It is only supported for on-premises Domain Joined users and local account users.
## Can I use an external camera when my laptop is closed or docked?
No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further.
@ -64,11 +64,11 @@ The user experience for Windows Hello for Business occurs after user sign-in, af
[Windows Hello for Business user enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience)
## What happens when my user forgets their PIN?
If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with the Fall Creators Update, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider.
If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with Windows 10 1709, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider.
[Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience)
For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network.
For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network.
## What URLs do I need to allow for a hybrid deployment?
Communicating with Azure Active Directory uses the following URLs:
@ -88,11 +88,12 @@ Windows Hello for Business has two types of PIN reset: non-destructive and destr
Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. with destructive PIN reset, users that have forgotten their PIN can authenticate using their password, perform a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services.
## Which is better or more secure: Key trust or Certificate trust?
The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware backed, two-factor credential. The difference between the two trust types are:
The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types are:
- Required domain controllers
- Issuing end entity certificates
The **key trust** model authenticates to Active Directory using a raw key. Windows Server 2016 domain controllers enables this authentication. Key trust authenticate does not require an enterprise issued certificate, therefore you do not need to issue certificates to your end users (domain controller certificates are still needed).
The **certificate trust** model authenticates to Active Directory using a certificate. Because this authentication uses a certificate, domain controllers running previous versions of Windows Server can authenticate the user. Therefore, you need to issue certificates to your end users, but you do not need Windows Server 2016 domain controllers. The certificate used in certificate trust uses the TPM protected private key to request a certificate from your enterprise's issuing certificate authority.
## Do I need Windows Server 2016 domain controllers?
@ -102,7 +103,7 @@ There are many deployment options from which to choose. Some of those options re
Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that are sync based on scenarios. The base scenarios that include Windows Hello for Business are [Windows 10](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include additional attributes.
## Is Windows Hello for Business multifactor authentication?
Windows Hello for Business is two-factor authentication based the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
Windows Hello for Business is two-factor authentication based on the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
## What are the biometric requirements for Windows Hello for Business?
Read [Windows Hello biometric requirements](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information.

2
windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
View File

@ -1,6 +1,6 @@
---
title: Conditional Access
description: Learn more about conditional access in Azure Active Directory.
description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access
ms.prod: w10
ms.mktglfcycl: deploy

26
windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
View File

@ -43,18 +43,20 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
### Connect Azure Active Directory with the PIN reset service
1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
2. After you log in, click **Accept** to give consent for the PIN reset service to access your account.
1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png)
3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
4. After you log in, click **Accept** to give consent for the PIN reset client to access your account.
3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
> [!NOTE]
> After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png)
5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
![PIN reset service permissions page](images/pinreset/pin-reset-applications.png)
>[!NOTE]
>After you Accept the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN Reset applications are listed for your tenant.
### Configure Windows devices to use PIN reset using Group Policy
You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
@ -70,8 +72,8 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10
#### Create a PIN Reset Device configuration profile using Microsoft Intune
1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account.
2. You need your tenant ID to complete the following task. You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer.</br>
1. Sign-in to [Azure Portal](https://portal.azure.com) using a Global administrator account.
2. You need your tenant ID to complete the following task. You can discover your tenant ID by viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a Command window on any Azure AD-joined or hybrid Azure AD-joined computer.</br>
```
dsregcmd /status | findstr -snip "tenantid"
@ -86,9 +88,9 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10
#### Assign the PIN Reset Device configuration profile using Microsoft Intune
1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account.
2. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. From the list of device configuration profiles, click the profile that contains the PIN reset configuration.
3. In the device configuration profile, click **Assignments**.
1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account.
2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration.
3. In the device configuration profile, select **Assignments**.
4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups.
## On-premises Deployments

6
windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
View File

@ -63,11 +63,11 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
| Phase | Description |
| :----: | :----------- |
| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.|
| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task. Note: the Automatic Device Join tasks is triggered on domain join as well as retried every hour. It does not solely depend on the user sign-in.|
|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.|
|C | For the managed environment, the task creates an initial authentication credential in the form of a self-signed certificate. The task write the certificate to the userCertificate attribute on the computer object in Active Directory using LDAP.
|D |The computer cannot authenticate to Azure DRS until a device object representing the computer that includes the certificate on the userCertificate attribute is created in Azure Active Directory. Azure AD Connect detects an attribute change. On the next synchronization cycle, Azure AD Connect sends the userCertificate, object GUID, and computer SID to Azure DRS. Azure DRS uses the attribute information to create a device object in Azure Active Directory.|
|E | The Automatic Device Join task triggers with each user sign-in and tries to authenticate the computer to Azure Active Directory using the corresponding private key of the public key in the userCertificate attribute. Azure Active Directory authenticates the computer and issues a ID token to the computer.|
|E | The Automatic Device Join task triggers with each user sign-in or every hour, and tries to authenticate the computer to Azure Active Directory using the corresponding private key of the public key in the userCertificate attribute. Azure Active Directory authenticates the computer and issues a ID token to the computer.|
|F | The task creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).|
|G | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then updates the device object in Azure Active Directory and sends the device ID and the device certificate to the client.|
|H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.|
@ -78,7 +78,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
| Phase | Description |
| :----: | :----------- |
| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.|
| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task. Note: the Automatic Device Join tasks is triggered on domain join as well as retried every hour. It does not solely depend on the user sign-in. |
|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.|
|C | For the federated environments, the computer authenticates the enterprise device registration endpoint using Windows integrated authentication. The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated. Azure Active Directory returns an ID token to the running task.
|D | The application creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).|

9
windows/security/identity-protection/hello-for-business/hello-how-it-works.md
View File

@ -18,16 +18,23 @@ ms.reviewer:
# How Windows Hello for Business works
**Applies to**
- Windows 10
Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features.
> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
## Technical Deep Dive
Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the components and how they support Windows Hello for Business.
Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning and authentication work.
> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
- [Technology and Terminology](hello-how-it-works-technology.md)
- [Device Registration](hello-how-it-works-device-registration.md)
- [Provisioning](hello-how-it-works-provisioning.md)

1
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
View File

@ -33,6 +33,7 @@ Before adding Azure Active Directory (Azure AD) joined devices to your existing
- Certificate Revocation List (CRL) Distribution Point (CDP)
- 2016 Domain Controllers
- Domain Controller certificate
- Network infrastructure in place to reach your on-premises domain controller. If the machines are external, this can be achieved using any VPN solution.
### Azure Active Directory Connect synchronization
Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect).

36
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
View File

@ -644,28 +644,28 @@ Sign-in a workstation with access equivalent to a _domain user_.
3. Select **Device Configuration**, and then click **Profiles**.
4. Select **Create Profile**.
![Intune Device Configuration Create Profile](images/aadjcert/intunedeviceconfigurationcreateprofile.png)
5. Next to **Name**, type **WHFB Certificate Enrollment**.
6. Next to **Description**, provide a description meaningful for your environment.
7. Select **Windows 10 and later** from the **Platform** list.
8. Select **SCEP certificate** from the **Profile** list.
![WHFB Scep Profile Blade](images/aadjcert/intunewhfbscepprofile-00.png)
9. The **SCEP Certificate** blade should open. Configure **Certificate validity period** to match your organization.
5. Select **Windows 10 and later** from the **Platform** list.
6. Choose **SCEP certificate** from the **Profile** list, and select **Create**.
7. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**.
8. Next to **Description**, provide a description meaningful for your environment, then select **Next**.
9. Select **User** as a certificate type.
10. Configure **Certificate validity period** to match your organization.
> [!IMPORTANT]
> Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.
> Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.
10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
11. Select **Custom** from the **Subject name format** list.
12. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
13. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** value.
14. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
15. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority.
11. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
12. Select **Custom** from the **Subject name format** list.
13. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
14. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** value.
15. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
16. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority.
![WHFB SCEP certificate profile Trusted Certificate selection](images/aadjcert/intunewhfbscepprofile-01.png)
16. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
17. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
17. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
18. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png)
18. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
19. Click **OK**.
20. Click **Create**.
19. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
20. Click **Next**.
21. Click **Next** two more times to skip the **Scope tags** and **Assignments** steps of the wizard and click **Create**.
### Assign Group to the WHFB Certificate Enrollment Certificate Profile
Sign-in a workstation with access equivalent to a _domain user_.

2
windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
View File

@ -1,6 +1,6 @@
---
title: Windows Hello for Business Key Trust New Installation
description: Learn how to perform a hybrid key trust deployment of Windows Hello for Business, for systems with no previous installations.
description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business, for systems with no previous installations.
keywords: identity, PIN, biometric, Hello, passport, WHFB
ms.prod: w10
ms.mktglfcycl: deploy

2
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
View File

@ -66,7 +66,7 @@ Key trust deployments do not need client issued certificates for on-premises aut
The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below.
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL.
* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name).
* The certificate Subject section should contain the directory path of the server object (the distinguished name).
* The certificate Key Usage section must contain Digital Signature and Key Encipherment.
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).

4
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
View File

@ -80,8 +80,8 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
>[!NOTE]
>The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
> [!NOTE]
> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
### Publish Certificate Templates to a Certificate Authority

197
windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
View File

@ -15,40 +15,42 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 10/18/2017
ms.date: 4/16/2017
---
# Manage Windows Hello for Business in your organization
**Applies to**
- Windows 10
- Windows 10
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
>[!IMPORTANT]
>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
>
>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
>
>Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business.
## Group Policy settings for Windows Hello for Business
The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.
The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.
> [!NOTE]
> Starting with Windows 10, version 1709, the location of the PIN complexity section of the Group Policy is: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **PIN Complexity**.
<table>
<tr>
<th colspan="2">Policy</th>
<th>Scope</th>
<th>Options</th>
</tr>
<tr>
<td>Use Windows Hello for Business</td>
<td></td>
<td>Computer or user</td>
<td>
<p><b>Not configured</b>: Users can provision Windows Hello for Business, which encrypts their domain password.</p>
<p><b>Not configured</b>: Device does not provision Windows Hello for Business for any user.</p>
<p><b>Enabled</b>: Device provisions Windows Hello for Business using keys or certificates for all users.</p>
<p><b>Disabled</b>: Device does not provision Windows Hello for Business for any user.</p>
</td>
@ -56,15 +58,41 @@ The following table lists the Group Policy settings that you can configure for W
<tr>
<td>Use a hardware security device</td>
<td></td>
<td>Computer</td>
<td>
<p><b>Not configured</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
<p><b>Enabled</b>: Windows Hello for Business will only be provisioned using TPM.</p>
<p><b>Enabled</b>: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.</p>
<p><b>Disabled</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
</td>
</tr>
<tr>
<td>Use certificate for on-premises authentication</td>
<td></td>
<td>Computer or user</td>
<td>
<p><b>Not configured</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.</p>
<p><b>Enabled</b>: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.</p>
<p><b>Disabled</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.</p>
</td>
</tr>
<td>Use PIN recovery</td>
<td></td>
<td>Computer</td>
<td>
<p>Added in Windows 10, version 1703</p>
<p><b>Not configured</b>: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.</p>
<p><b>Enabled</b>: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.</p>
<p><b>Disabled</b>: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.</p>
<p>
For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).
</p>
</td>
</tr>
<tr>
<td>Use biometrics</td>
<td></td>
<td>Computer</td>
<td>
<p><b>Not configured</b>: Biometrics can be used as a gesture in place of a PIN.</p>
<p><b>Enabled</b>: Biometrics can be used as a gesture in place of a PIN.</p>
@ -74,6 +102,7 @@ The following table lists the Group Policy settings that you can configure for W
<tr>
<td rowspan="8">PIN Complexity</td>
<td>Require digits</td>
<td>Computer</td>
<td>
<p><b>Not configured</b>: Users must include a digit in their PIN.</p>
<p><b>Enabled</b>: Users must include a digit in their PIN.</p>
@ -82,6 +111,7 @@ The following table lists the Group Policy settings that you can configure for W
</tr>
<tr>
<td>Require lowercase letters</td>
<td>Computer</td>
<td>
<p><b>Not configured</b>: Users cannot use lowercase letters in their PIN.</p>
<p><b>Enabled</b>: Users must include at least one lowercase letter in their PIN.</p>
@ -90,6 +120,7 @@ The following table lists the Group Policy settings that you can configure for W
</tr>
<tr>
<td>Maximum PIN length</td>
<td>Computer</td>
<td>
<p><b>Not configured</b>: PIN length must be less than or equal to 127.</p>
<p><b>Enabled</b>: PIN length must be less than or equal to the number you specify.</p>
@ -98,6 +129,7 @@ The following table lists the Group Policy settings that you can configure for W
</tr>
<tr>
<td>Minimum PIN length</td>
<td>Computer</td>
<td>
<p><b>Not configured</b>: PIN length must be greater than or equal to 4.</p>
<p><b>Enabled</b>: PIN length must be greater than or equal to the number you specify.</p>
@ -106,6 +138,7 @@ The following table lists the Group Policy settings that you can configure for W
</tr>
<tr>
<td>Expiration</td>
<td>Computer</td>
<td>
<p><b>Not configured</b>: PIN does not expire.</p>
<p><b>Enabled</b>: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.</p>
@ -114,6 +147,7 @@ The following table lists the Group Policy settings that you can configure for W
</tr>
<tr>
<td>History</td>
<td>Computer</td>
<td>
<p><b>Not configured</b>: Previous PINs are not stored.</p>
<p><b>Enabled</b>: Specify the number of previous PINs that can be associated to a user account that can&#39;t be reused.</p>
@ -124,6 +158,7 @@ The following table lists the Group Policy settings that you can configure for W
</tr>
<tr>
<td>Require special characters</td>
<td>Computer</td>
<td>
<p><b>Not configured</b>: Users cannot include a special character in their PIN.</p>
<p><b>Enabled</b>: Users must include at least one special character in their PIN.</p>
@ -132,6 +167,7 @@ The following table lists the Group Policy settings that you can configure for W
</tr>
<tr>
<td>Require uppercase letters</td>
<td>Computer</td>
<td>
<p><b>Not configured</b>: Users cannot include an uppercase letter in their PIN.</p>
<p><b>Enabled</b>: Users must include at least one uppercase letter in their PIN.</p>
@ -139,9 +175,9 @@ The following table lists the Group Policy settings that you can configure for W
</td>
</tr>
<tr>
<td>&gt;Phone Sign-in</td>
<td>
<p>Use Phone Sign-in</p>
<td>Phone Sign-in</td>
<td>Use Phone Sign-in</td>
<td>Computer</td>
</td>
<td>
<p>Not currently supported.</p>
@ -154,7 +190,7 @@ The following table lists the Group Policy settings that you can configure for W
The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkId=692070).
>[!IMPORTANT]
>Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
>Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
<table>
<tr>
@ -166,7 +202,7 @@ The following table lists the MDM policy settings that you can configure for Win
<tr>
<td>UsePassportForWork</td>
<td></td>
<td>Device</td>
<td>Device or user</td>
<td>True</td>
<td>
<p>True: Windows Hello for Business will be provisioned for all users on the device.</p>
@ -178,7 +214,7 @@ The following table lists the MDM policy settings that you can configure for Win
<tr>
<td>RequireSecurityDevice</td>
<td></td>
<td>Device</td>
<td>Device or user</td>
<td>False</td>
<td>
<p>True: Windows Hello for Business will only be provisioned using TPM.</p>
@ -186,6 +222,32 @@ The following table lists the MDM policy settings that you can configure for Win
</td>
</tr>
<tr>
<td>ExcludeSecurityDevice</td>
<td>TPM12</td>
<td>Device</td>
<td>False</td>
<td>
<p>Added in Windows 10, version 1703</p>
<p>True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.</p>
<p>False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.</p>
</td>
</tr>
<tr>
<td>EnablePinRecovery</td>
<td></td>
<td>Device or user</td>
<td>False</td>
<td>
<p>Added in Windows 10, version 1703</p>
<p>True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.</p>
<p>False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.</p>
<p>
For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).
</p>
</td>
</tr>
<tr>
<td rowspan="2">Biometrics</td>
<td>
<p>UseBiometrics</p>
@ -216,19 +278,41 @@ The following table lists the MDM policy settings that you can configure for Win
<tr>
<td>Digits </td>
<td>Device or user</td>
<td>2 </td>
<td>1 </td>
<td>
<p>1: Numbers are not allowed. </p>
<p>2: At least one number is required.</p>
<p>0: Digits are allowed. </p>
<p>1: At least one digit is required.</p>
<p>2: Digits are not allowed. </p>
</td>
</tr>
<tr>
<td>Lowercase letters </td>
<td>Device or user</td>
<td>1 </td>
<td>2</td>
<td>
<p>1: Lowercase letters are not allowed. </p>
<p>2: At least one lowercase letter is required.</p>
<p>0: Lowercase letters are allowed. </p>
<p>1: At least one lowercase letter is required.</p>
<p>2: Lowercase letters are not allowed. </p>
</td>
</tr>
<tr>
<td>Special characters</td>
<td>Device or user</td>
<td>2</td>
<td>
<p>0: Special characters are allowed. </p>
<p>1: At least one special character is required. </p>
<p>2: Special characters are not allowed.</p>
</td>
</tr>
<tr>
<td>Uppercase letters</td>
<td>Device or user</td>
<td>2</td>
<td>
<p>0: Uppercase letters are allowed. </p>
<p>1: At least one uppercase letter is required.</p>
<p>2: Uppercase letters are not allowed. </p>
</td>
</tr>
<tr>
@ -252,7 +336,7 @@ The following table lists the MDM policy settings that you can configure for Win
<td>Device or user</td>
<td>0</td>
<td>
<p>Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the users PIN will never expire.
<p>Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.
</p>
</td>
</tr>
@ -261,29 +345,11 @@ The following table lists the MDM policy settings that you can configure for Win
<td>Device or user</td>
<td>0</td>
<td>
<p>Integer value that specifies the number of past PINs that can be associated to a user account that cant be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.
<p>Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.
</p>
</td>
</tr>
<tr>
<td>Special characters</td>
<td>Device or user</td>
<td>1</td>
<td>
<p>1: Special characters are not allowed. </p>
<p>2: At least one special character is required.</p>
</td>
</tr>
<tr>
<td>Uppercase letters</td>
<td>Device or user</td>
<td>1</td>
<td>
<p>1: Uppercase letters are not allowed </p>
<p>2: At least one uppercase letter is required</p>
</td>
</tr>
<tr>
<td>Remote</td>
<td>
<p>UseRemotePassport</p>
@ -297,20 +363,53 @@ The following table lists the MDM policy settings that you can configure for Win
</table>
>[!NOTE]
> If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN.
> In Windows 10, version 1709 and later, if policy is not configured to explicitly require letters or special characters, users can optionally set an alphanumeric PIN. Prior to version 1709 the user is required to set a numeric PIN.
## Policy conflicts from multiple policy sources
Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device.
Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. All PIN complexity policies are grouped together and enforced from a single policy source.
Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies is enforced on a per policy basis.
>[!NOTE]
> Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP.
><b>Examples</b>
>
>The following are configured using computer Group Policy:
>
>- Use Windows Hello for Business - Enabled
>- User certificate for on-premises authentication - Enabled
>- Require digits - Enabled
>- Minimum PIN length - 6
>
>The following are configured using device MDM Policy:
>
>- UsePassportForWork - Disabled
>- UseCertificateForOnPremAuth - Disabled
>- MinimumPINLength - 8
>- Digits - 1
>- LowercaseLetters - 1
>- SpecialCharacters - 1
>
>Enforced policy set:
>
>- Use Windows Hello for Business - Enabled
>- Use certificate for on-premises authentication - Enabled
>- Require digits - Enabled
>- Minimum PIN length - 6d
## How to use Windows Hello for Business with Azure Active Directory
There are three scenarios for using Windows Hello for Business in Azure ADonly organizations:
There are three scenarios for using Windows Hello for Business in Azure ADonly organizations:
- **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenants directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone.
- **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join wont be enabled unless and until the organizations administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered.
- **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant's directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone.
- **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won't be enabled unless and until the organization's administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered.
- **Organizations that have subscribed to Azure AD Premium** have access to the full set of Azure AD MDM features. These features include controls to manage Windows Hello for Business. You can set policies to disable or force the use of Windows Hello for Business, require the use of a TPM, and control the length and strength of PINs set on the device.
If you want to use Windows Hello for Business with certificates, youll need a device registration system. That means that you set up Configuration Manager, Microsoft Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates.
If you want to use Windows Hello for Business with certificates, you'll need a device registration system. That means that you set up Configuration Manager, Microsoft Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates.
## Related topics

2
windows/security/identity-protection/hello-for-business/hello-planning-guide.md
View File

@ -329,7 +329,7 @@ If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, wri
If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **6a** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments do not use the cloud directory.
Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies do.
Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies, such as [MDM automatic enrollment](https://docs.microsoft.com/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) do.
If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet.

19
windows/security/identity-protection/hello-for-business/hello-videos.md
View File

@ -24,14 +24,33 @@ ms.reviewer:
## Overview of Windows Hello for Business and Features
Watch Pieter Wigleven explain Windows Hello for Business, Multi-factor Unlock, and Dynamic Lock
> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
## Why PIN is more secure than a password
Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password.
> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA]
## Microsoft's passwordless strategy
Watch Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**
> [!VIDEO https://www.youtube.com/embed/mXJS615IGLM]
## Windows Hello for Business Provisioning
Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works.
> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
## Windows Hello for Business Authentication
Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
## Windows Hello for Business user enrollment experience
The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment.

13
windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
View File

@ -21,13 +21,18 @@ ms.date: 10/23/2017
# Why a PIN is better than a password
**Applies to**
- Windows 10
Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password.
> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA]
## PIN is tied to the device
One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!
Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
@ -44,7 +49,7 @@ When the PIN is created, it establishes a trusted relationship with the identity
The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.
User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials cant be stolen in cases where the identity provider or websites the user accesses have been compromised.
User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.
The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
@ -54,10 +59,11 @@ The Windows Hello for Business PIN is subject to the same set of IT management p
## What if someone steals the laptop or phone?
To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the users biometrics or guess his or her PIN—and all of this must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user's biometrics or guess his or her PIN—and all of this must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
You can provide additional protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.
**Configure BitLocker without TPM**
1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
**Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup**
@ -72,7 +78,8 @@ You can provide additional protection for laptops that don't have TPM by enablin
2. Set the number of invalid logon attempts to allow, and then click OK.
## Why do you need a PIN to use biometrics?
Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you cant use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello.

9
windows/security/identity-protection/remote-credential-guard.md
View File

@ -143,13 +143,14 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
![Windows Defender Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
3. Under **Use the following restricted mode**:
- If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Windows Defender Remote Credential Guard, choose **Prefer Windows Defender Remote Credential Guard**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
- If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
> **Note:** Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
> [!NOTE]
> Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
- If you want to require Windows Defender Remote Credential Guard, choose **Require Windows Defender Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic.
- If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic.
- If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
- If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
4. Click **OK**.

2
windows/security/identity-protection/vpn/vpn-connection-type.md
View File

@ -1,6 +1,6 @@
---
title: VPN connection types (Windows 10)
description: tbd
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library

18
windows/security/identity-protection/vpn/vpn-office-365-optimization.md
View File

@ -239,12 +239,12 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1")
# Extract the Profile XML from the ps1 file #
$regex = '(?sm).*^*.<VPNPROFILE>\r?\n(.*?)\r?\n</VPNProfile>.*'
$regex = '(?sm).*^*.<VPNProfile>\r?\n(.*?)\r?\n</VPNProfile>.*'
# Create xml format variable to compare with the optimize list #
$xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1'
[xml]$VPNprofilexml="<VPNPROFILE>"+$xmlbody+"</VPNPROFILE>"
[xml]$VPNprofilexml="<VPNProfile>"+$xmlbody+"</VPNProfile>"
# Loop through each address found in VPNPROFILE XML section #
foreach ($Route in $VPNprofilexml.VPNProfile.Route)
@ -349,7 +349,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
$In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file #
# Extract the Profile XML from the XML file #
$regex = '(?sm).*^*.<VPNPROFILE>\r?\n(.*?)\r?\n</VPNProfile>.*'
$regex = '(?sm).*^*.<VPNProfile>\r?\n(.*?)\r?\n</VPNProfile>.*'
# Create xml format variable to compare with optimize list #
$xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1'
@ -367,7 +367,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
# In VPN list only #
$In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_}
[array]$Inpfile = get-content $VPNprofilefile
[System.Collections.ArrayList]$Inpfile = get-content $VPNprofilefile
if ($In_Opt_Only.Count -gt 0 )
{
@ -377,10 +377,10 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
{
# Add the missing IP address(es) #
$IPInfo=$NewIP.Split("/")
$inspoint = $Inpfile[0].IndexOf("</VPNProfile")
$routes += "<Route>"+"<Address>"+$IPInfo[0].Trim()+"</Address>"+"<PrefixSize>"+$IPInfo[1].Trim()+"</PrefixSize>"+"<ExclusionRoute>true</ExclusionRoute>"+"</Route>"
$routes += "<Route>`n"+"`t<Address>"+$IPInfo[0].Trim()+"</Address>`n"+"`t<PrefixSize>"+$IPInfo[1].Trim()+"</PrefixSize>`n"+"`t<ExclusionRoute>true</ExclusionRoute>`n"+"</Route>`n"
}
$Inpfile = $Inpfile[0].Insert($inspoint,$routes)
$inspoint = $Inpfile.IndexOf("</VPNProfile>")
$Inpfile.Insert($inspoint,$routes)
# Update filename and write new XML file #
$NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml"
@ -595,7 +595,7 @@ $ProfileXML = '<VPNProfile>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Proxy>
<AutoConfigUrl>http://webproxy.corp.contsoso.com/proxy.pac</AutoConfigUrl>
<AutoConfigUrl>http://webproxy.corp.contoso.com/proxy.pac</AutoConfigUrl>
</Proxy>
</VPNProfile>'
@ -672,5 +672,5 @@ An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/secu
>This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace.
```xml
<VPNProfile><RememberCredentials>true</RememberCredentials><DnsSuffix>corp.contoso.com</DnsSuffix><AlwaysOn>true</AlwaysOn><TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection><NativeProfile><Servers>edge1.contoso.com</Servers><RoutingPolicyType>ForceTunnel</RoutingPolicyType><NativeProtocolType>IKEv2</NativeProtocolType><Authentication><MachineMethod>Certificate</MachineMethod></Authentication></NativeProfile><Route><Address>13.107.6.152</Address><PrefixSize>31</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.18.10</Address><PrefixSize>31</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.128.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>23.103.160.0</Address><PrefixSize>20</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>40.96.0.0</Address><PrefixSize>13</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>40.104.0.0</Address><PrefixSize>15</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.96.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>131.253.33.215</Address><PrefixSize>32</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>132.245.0.0</Address><PrefixSize>16</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>150.171.32.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>191.234.140.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>204.79.197.215</Address><PrefixSize>32</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.136.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>40.108.128.0</Address><PrefixSize>17</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.104.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>104.146.128.0</Address><PrefixSize>17</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>150.171.40.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.60.1</Address><PrefixSize>32</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.64.0</Address><PrefixSize>18</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.112.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.120.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Proxy><AutoConfigUrl>http://webproxy.corp.contsoso.com/proxy.pac</AutoConfigUrl></Proxy></VPNProfile>
<VPNProfile><RememberCredentials>true</RememberCredentials><DnsSuffix>corp.contoso.com</DnsSuffix><AlwaysOn>true</AlwaysOn><TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection><NativeProfile><Servers>edge1.contoso.com</Servers><RoutingPolicyType>ForceTunnel</RoutingPolicyType><NativeProtocolType>IKEv2</NativeProtocolType><Authentication><MachineMethod>Certificate</MachineMethod></Authentication></NativeProfile><Route><Address>13.107.6.152</Address><PrefixSize>31</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.18.10</Address><PrefixSize>31</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.128.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>23.103.160.0</Address><PrefixSize>20</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>40.96.0.0</Address><PrefixSize>13</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>40.104.0.0</Address><PrefixSize>15</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.96.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>131.253.33.215</Address><PrefixSize>32</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>132.245.0.0</Address><PrefixSize>16</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>150.171.32.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>191.234.140.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>204.79.197.215</Address><PrefixSize>32</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.136.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>40.108.128.0</Address><PrefixSize>17</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.104.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>104.146.128.0</Address><PrefixSize>17</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>150.171.40.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.60.1</Address><PrefixSize>32</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.64.0</Address><PrefixSize>18</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.112.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.120.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Proxy><AutoConfigUrl>http://webproxy.corp.contoso.com/proxy.pac</AutoConfigUrl></Proxy></VPNProfile>
```

41
windows/security/identity-protection/vpn/vpn-security-features.md
View File

@ -16,8 +16,8 @@ ms.author: dansimp
# VPN security features
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows 10 Mobile
## LockDown VPN
@ -29,53 +29,52 @@ A VPN profile configured with LockDown secures the device to only allow network
- The user cannot delete or modify the VPN profile.
- The VPN LockDown profile uses forced tunnel connection.
- If the VPN connection is not available, outbound network traffic is blocked.
- Only one VPN LockDown profile is allowed on a device.
- Only one VPN LockDown profile is allowed on a device.
>[!NOTE]
>For built-in VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type.
Deploy this feature with caution as the resultant connection will not be able to send or receive any network traffic without the VPN being connected.
> [!NOTE]
> For built-in VPN, LockDown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type.
Deploy this feature with caution, as the resultant connection will not be able to send or receive any network traffic without the VPN being connected.
## Windows Information Protection (WIP) integration with VPN
Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally.
Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices, without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally.
The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) allows a Windows 10 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include:
The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp) allows a Windows 10 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include:
- Core functionality: File encryption and file access blocking
- UX policy enforcement: Restricting copy/paste, drag/drop, and sharing operations
- WIP network policy enforcement: Protecting intranet resources over the corporate network and VPN
- Network policy enforcement: Protecting SMB and Internet cloud resources over the corporate network and VPN
The value of the **EdpModeId** is an Enterprise ID. The networking stack will look for this ID in the app token to determine whether VPN should be triggered for that particular app.
The value of the **EdpModeId** is an Enterprise ID. The networking stack will look for this ID in the app token to determine whether VPN should be triggered for that particular app.
Additionally, when connecting with WIP, the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced configuration is needed) because the WIP policies and App lists automatically take effect.
[Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip)
## Traffic filters
## Traffic Filters
Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy. Network admins to effectively add interface specific firewall rules on the VPN Interface.There are two types of Traffic Filter rules:
Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy. Network admins can use Traffic Filters to effectively add interface specific firewall rules on the VPN Interface. There are two types of Traffic Filter rules:
- App-based rules. With app-based rules, a list of applications can be marked such that only traffic originating from these apps is allowed to go over the VPN interface.
- Traffic-based rules. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified such that only traffic matching these rules is allowed to go over the VPN interface.
- App-based rules. With app-based rules, a list of applications can be marked to allow only traffic originating from these apps to go over the VPN interface.
- Traffic-based rules. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified to allow only traffic matching these rules to go over the VPN interface.
There can be many sets of rules which are linked by OR. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by AND. In addition, these rules can be applied at a per-app level or a per-device level.
There can be many sets of rules which are linked by OR. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by AND. In addition, these rules can be applied at a per-app level or a per-device level.
For example, an admin could define rules that specify:
For example, an admin could define rules that specify:
- The Contoso HR App must be allowed to go through the VPN and only access port 4545.
- The Contoso finance apps is allowed to go over the VPN and only access the Remote IP ranges of 10.10.0.40 - 10.10.0.201 on port 5889.
- All other apps on the device should be able to access only ports 80 or 443.
- The Contoso HR App must be allowed to go through the VPN and only access port 4545.
- The Contoso finance apps are allowed to go over the VPN and only access the Remote IP ranges of 10.10.0.40 - 10.10.0.201 on port 5889.
- All other apps on the device should be able to access only ports 80 or 443.
## Configure traffic filters
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp) for XML configuration.
The following image shows the interface to configure traffic rules in a VPN Profile configuration policy using Microsoft Intune.
The following image shows the interface to configure traffic rules in a VPN Profile configuration policy, using Microsoft Intune.
![Add a traffic rule](images/vpn-traffic-rules.png)

4
windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
View File

@ -80,7 +80,9 @@ The server side configuration to enable Network Unlock also requires provisionin
1. The Windows boot manager detects that a Network Unlock protector exists in the BitLocker configuration.
2. The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address.
3. The client computer broadcasts a vendor-specific DHCP request that contains the Network Key (a 256-bit intermediate key) and an AES-256 session key for the reply. Both of these keys are encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server.
3. The client computer broadcasts a vendor-specific DHCP request that contains:
1. A Network Key (a 256-bit intermediate key) encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server.
2. An AES-256 session key for the reply.
4. The Network Unlock provider on the WDS server recognizes the vendor-specific request.
5. The provider decrypts it with the WDS servers BitLocker Network Unlock certificate RSA private key.
6. The WDS provider then returns the network key encrypted with the session key using its own vendor-specific DHCP reply to the client computer. This forms an intermediate key.

2
windows/security/information-protection/tpm/tpm-recommendations.md
View File

@ -123,7 +123,7 @@ The following table defines which Windows features require TPM support.
TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes
Virtual Smart Card | Yes | Yes | Yes
Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM.
Autopilot | Yes | No | Yes | TPM 2.0 and UEFI firmware is required for white glove and self-deploying scenarios.
Autopilot | No | N/A | Yes | If you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required.
SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.

8
windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
View File

@ -53,7 +53,7 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
- Office 365 ProPlus apps, including Word, Excel, PowerPoint, OneNote, and Outlook
- Microsoft 365 Apps for enterprise apps, including Word, Excel, PowerPoint, OneNote, and Outlook
- OneDrive app
@ -71,7 +71,7 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Microsoft Messaging
- Microsoft Remote Desktop
- Microsoft Remote Desktop
> [!NOTE]
> Microsoft Visio, Microsoft Office Access and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining.
@ -81,6 +81,8 @@ Microsoft still has apps that are unenlightened, but which have been tested and
- Skype for Business
- Microsoft Teams (build 1.3.00.12058 and later)
## Adding enlightened Microsoft apps to the allowed apps list
> [!NOTE]
@ -99,7 +101,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
| PowerPoint Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.PowerPoint<br>**App Type:** Universal app |
| OneNote | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.OneNote<br>**App Type:** Universal app |
| Outlook Mail and Calendar | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** microsoft.windowscommunicationsapps<br>**App Type:** Universal app |
| Office 365 ProPlus and Office 2019 Professional Plus | Office 365 ProPlus and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.<br>We don't recommend setting up Office by using individual paths or publisher rules. |
| Microsoft 365 Apps for enterprise and Office 2019 Professional Plus | Microsoft 365 Apps for enterprise and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.<br>We don't recommend setting up Office by using individual paths or publisher rules. |
| Microsoft Photos | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Windows.Photos<br>**App Type:** Universal app |
| Groove Music | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneMusic<br>**App Type:** Universal app |
| Microsoft Movies & TV | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneVideo<br>**App Type:** Universal app |

122
windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
View File

@ -1,122 +0,0 @@
---
title: How Windows Information Protection (WIP) protects files with a sensitivity label (Windows 10)
description: Explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label.
keywords: sensitivity, labels, WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/30/2019
ms.reviewer:
---
# How Windows Information Protection (WIP) protects a file that has a sensitivity label
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Windows 10, version 1903
- Windows 10, version 1809
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label.
Microsoft information protection technologies work together as an integrated solution to help enterprises:
- Discover corporate data on endpoint devices
- Classify and label information based on its content and context
- Protect corporate data from unintentionally leaving to non-business environments
- Enable audit reports of user interactions with corporate data on endpoint devices
Microsoft information protection technologies include:
- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP.
- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services.
- [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) is a cloud access security broker (CASB) solution that allows you to discover, classify, protect, and monitor user data in first-party and third-party Software-as-a-Service (SaaS) apps used by your organization.
## How WIP protects sensitivity labels with endpoint data loss prevention
You can create and manage [sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) in the Microsoft 365 compliance center.
When you [create a sensitivity label](https://docs.microsoft.com/microsoft-365/compliance/create-sensitivity-labels), you can specify that endpoint data loss prevention applies to content with that label.
![Endpoint data loss prevention](images/sensitivity-label-endpoint-dlp.png)
Office app users can choose a sensitivity label from a menu and apply it to a file.
![Sensitivity labels](images/sensitivity-labels.png)
WIP enforces default endpoint protection as follows:
- If endpoint data loss prevention is enabled, the device enforces work protection for any file with the label
- If endpoint data loss prevention is not enabled:
- The device enforces work protection to a file downloaded from a work site
- The device does not enforce work protection to a file downloaded from a personal site
Here's an example where a file remains protected without any work context beyond the sensitivity label:
1. Sara creates a PDF file on a Mac and labels it as **Confidential**.
1. She emails the PDF from her Gmail account to Laura.
1. Laura opens the PDF file on her Windows 10 device.
1. Windows Defender Advanced Threat Protection (Windows Defender ATP) scans Windows 10 for any file that gets modified or created, including files that were created on a personal site.
1. Windows Defender ATP triggers WIP policy.
1. WIP policy protects the file even though it came from a personal site.
## How WIP protects automatically classified files
The next sections cover how Windows Defender ATP extends discovery and protection of sensitive information with improvements in Windows 10 version 1903.
### Discovery
Windows Defender ATP can extract the content of the file itself and evaluate whether it contains sensitive information types such as credit card numbers or employee ID numbers.
When you create a sensitivity label, you can specify that the label be added to any file that contains a sensitive information type.
![Sensitivity labels](images/sensitivity-label-auto-label.png)
A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, driver's license numbers, and so on.
You can also [create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type), which can include any keyword or expression that you want to evaluate.
### Protection
When a file is created or edited on a Windows 10 endpoint, Windows Defender ATP extracts the content and evaluates if it contains any default or custom sensitive information types that have been defined.
If the file has a match, Windows Defender ATP applies endpoint data loss prevention even if the file had no label previously.
Windows Defender ATP is integrated with Azure Information Protection for data discovery and reports sensitive information types that were discovered.
Azure Information Protection aggregates the files with sensitivity labels and the sensitive information types they contain across the enterprise.
![Image of Azure Information Protection - Data discovery](images/azure-data-discovery.png)
You can see sensitive information types in Microsoft 365 compliance under **Classifications**. Default sensitive information types have Microsoft as the publisher. The publisher for custom types is the tenant name.
![Sensitive information types](images/sensitive-info-types.png)
>[!NOTE]
>Automatic classification does not change the file itself, but it applies protection based on the label.
>WIP protects a file that contains a sensitive information type as a work file.
>Azure Information Protection works differently in that it extends a file with a new attribute so the protection persists if the file is copied.
## Prerequisites
- Endpoint data loss prevention requires Windows 10, version 1809
- Auto labelling requires Windows 10, version 1903
- Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy
- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center
- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-configmgr.md)

BIN
windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 21 KiB

After

Width:  |  Height:  |  Size: 33 KiB

54
windows/security/threat-protection/TOC.md
View File

@ -6,6 +6,7 @@
### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
### [Preview features](microsoft-defender-atp/preview.md)
### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
### [Overview of Microsoft Defender Security Center](microsoft-defender-atp/use.md)
### [Portal overview](microsoft-defender-atp/portal-overview.md)
### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
@ -13,21 +14,17 @@
## [Plan deployment](microsoft-defender-atp/deployment-strategy.md)
## [Deployment guide]()
### [Deployment phases](microsoft-defender-atp/deployment-phases.md)
### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md)
### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md)
### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md)
## [Security administration]()
### [Threat & Vulnerability Management]()
#### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
#### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
#### [Dashboard insights](microsoft-defender-atp/tvm-dashboard-insights.md)
#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
#### [Configuration score](microsoft-defender-atp/configuration-score.md)
#### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
@ -42,7 +39,6 @@
#### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
#### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md)
#### [Attack surface reduction controls]()
##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
@ -66,12 +62,9 @@
#### [Device control]()
##### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
##### [Device Guard]()
###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
#### [Exploit protection]()
##### [Protect devices from exploits](microsoft-defender-atp/exploit-protection.md)
@ -81,7 +74,7 @@
#### [Network protection]()
##### [Protect your network](microsoft-defender-atp/network-protection.md)
##### [Network protection evaluation](microsoft-defender-atp/evaluate-network-protection.md)
##### [Enable network protection](microsoft-defender-atp/enable-network-protection.md)
#### [Web protection]()
##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
@ -204,7 +197,8 @@
#### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md)
### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
### [Microsoft Defender Advanced Threat Protection for Mac]()
#### [Overview of Microsoft Defender ATP for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
#### [What's New](microsoft-defender-atp/mac-whatsnew.md)
#### [Deploy]()
@ -229,7 +223,8 @@
#### [Resources](microsoft-defender-atp/mac-resources.md)
### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
### [Microsoft Defender Advanced Threat Protection for Linux]()
#### [Overview of Microsoft Defender ATP for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
#### [What's New](microsoft-defender-atp/linux-whatsnew.md)
#### [Deploy]()
##### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
@ -243,6 +238,7 @@
##### [Configure and validate exclusions](microsoft-defender-atp/linux-exclusions.md)
##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
##### [Set preferences](microsoft-defender-atp/linux-preferences.md)
##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/linux-pua.md)
#### [Troubleshoot]()
##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md)
@ -250,14 +246,13 @@
##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md)
#### [Privacy](microsoft-defender-atp/linux-privacy.md)
#### [Resources](microsoft-defender-atp/linux-resources.md)
### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
## [Security operations]()
### [Endpoint detection and response]()
#### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md)
#### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md)
@ -265,6 +260,7 @@
##### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md)
##### [Manage incidents](microsoft-defender-atp/manage-incidents.md)
##### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md)
#### [Alerts queue]()
##### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md)
@ -316,10 +312,6 @@
##### [Shadow protection?](windows-defender-antivirus/shadow-protection.md)
#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
#### [Reporting]()
@ -333,13 +325,13 @@
##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
### [Behavioral blocking and containment]()
#### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md)
#### [EDR in block mode](microsoft-defender-atp/edr-in-block-mode.md)
### [Automated investigation and response]()
### [Automated investigation and response (AIR)]()
#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
#### [Configure AIR capabilities](microsoft-defender-atp/configure-automated-investigations-remediation.md)
### [Advanced hunting]()
#### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md)
@ -355,7 +347,7 @@
##### [DeviceInfo](microsoft-defender-atp/advanced-hunting-deviceinfo-table.md)
##### [DeviceNetworkInfo](microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md)
##### [DeviceEvents](microsoft-defender-atp/advanced-hunting-deviceevents-table.md)
##### [DeviceFileCertificateInfoBeta](microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md)
##### [DeviceFileCertificateInfo](microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md)
##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md)
##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md)
##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md)
@ -412,7 +404,7 @@
### [Configure portal settings]()
#### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
#### [General]()
##### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
##### [Verify data storage location and update data retention settings](microsoft-defender-atp/data-retention-settings.md)
##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
##### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md)
##### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md)
@ -423,7 +415,7 @@
##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
###### [Create and manage roles](microsoft-defender-atp/user-roles.md)
###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
####### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
#### [APIs]()
##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
@ -669,7 +661,6 @@
### [How Microsoft identifies malware and PUA](intelligence/criteria.md)
### [Submit files for analysis](intelligence/submission-guide.md)
### [Safety Scanner download](intelligence/safety-scanner-download.md)
### [Industry antivirus tests](intelligence/top-scoring-industry-antivirus-tests.md)
### [Industry collaboration programs](intelligence/cybersecurity-industry-partners.md)
#### [Virus information alliance](intelligence/virus-information-alliance-criteria.md)
#### [Microsoft virus initiative](intelligence/virus-initiative-criteria.md)
@ -699,9 +690,10 @@
#### [Family options](windows-defender-security-center/wdsc-family-options.md)
### [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
#### [Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
#### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
### [Microsoft Defender SmartScreen](microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md)
#### [Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md)
#### [Set up and use Microsoft Defender SmartScreen on individual devices](microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md)
### [Windows Sandbox](windows-sandbox/windows-sandbox-overview.md)
#### [Windows Sandbox architecture](windows-sandbox/windows-sandbox-architecture.md)

8
windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
View File

@ -2,7 +2,7 @@
title: Audit Other Privilege Use Events (Windows 10)
description: This security policy setting is not used.
ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
ms.reviewer:
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
@ -17,8 +17,8 @@ ms.date: 04/19/2017
# Audit Other Privilege Use Events
**Applies to**
- Windows 10
- Windows Server 2016
- Windows 10
- Windows Server 2016
This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed.
@ -31,7 +31,7 @@ This auditing subcategory should not have any events in it, but for some reason
**Events List:**
- [4985](event-4674.md)(S): The state of a transaction has changed.
- [4985](event-4985.md)(S): The state of a transaction has changed.

2
windows/security/threat-protection/auditing/event-1102.md
View File

@ -1,6 +1,6 @@
---
title: 1102(S) The audit log was cleared. (Windows 10)
description: Describes security event 1102(S) The audit log was cleared.
description: Though you shouldn't normally see it, this event generates every time Windows Security audit log is cleared. This is for event 1102(S).
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy

2
windows/security/threat-protection/auditing/event-1104.md
View File

@ -1,6 +1,6 @@
---
title: 1104(S) The security log is now full. (Windows 10)
description: Describes security event 1104(S) The security log is now full.
description: This event generates every time Windows security log becomes full and the event log retention method is set to "Do not overwrite events."
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy

2
windows/security/threat-protection/auditing/event-1105.md
View File

@ -1,6 +1,6 @@
---
title: 1105(S) Event log automatic backup. (Windows 10)
description: Describes security event 1105(S) Event log automatic backup.
description: This event generates every time Windows security log becomes full and new event log file was created.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy

13
windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
View File

@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
ms.date:
---
# Monitor the use of removable storage devices
@ -28,7 +28,10 @@ If you configure this policy setting, an audit event is generated each time a us
Use the following procedures to monitor the use of removable storage devices and to verify that the devices are being monitored.
>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
> [!NOTE]
> When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](https://docs.microsoft.com/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](https://docs.microsoft.com/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](https://docs.microsoft.com/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](https://docs.microsoft.com/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor.
**To configure settings to monitor removable storage devices**
@ -46,7 +49,8 @@ After you configure the settings to monitor removable storage devices, use the f
1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and then type **cmd** to open a Command Prompt window.
>**Note:**  If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
> [!NOTE]
> If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
2. Type **gpupdate /force**, and press ENTER.
3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with the Removable Storage Audit policy.
@ -56,7 +60,8 @@ After you configure the settings to monitor removable storage devices, use the f
Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted.
>**Note:**  We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event.
> [!NOTE]
> We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event.
### Related resource

18
windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -1,6 +1,6 @@
---
title: Enable virtualization-based protection of code integrity
description: This article explains the steps to opt in to using HVCI on Windows devices.
title: Enable virtualization-based protection of code integrity
description: This article explains the steps to opt in to using HVCI on Windows devices.
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
@ -16,7 +16,7 @@ ms.reviewer:
# Enable virtualization-based protection of code integrity
**Applies to**
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -25,13 +25,13 @@ Some applications, including device drivers, may be incompatible with HVCI.
This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself.
If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
>[!NOTE]
>Because it makes use of *Mode Based Execution Control*, HVCI works better with Intel Kaby Lake or AMD Zen 2 CPUs and newer. Processors without MBEC will rely on an emulation of this feature, called *Restricted User Mode*, which has a bigger impact on performance.
> [!NOTE]
> Because it makes use of *Mode Based Execution Control*, HVCI works better with Intel Kaby Lake or AMD Zen 2 CPUs and newer. Processors without MBEC will rely on an emulation of this feature, called *Restricted User Mode*, which has a bigger impact on performance.
## HVCI Features
* HVCI protects modification of the Control Flow Guard (CFG) bitmap.
* HVCI also ensure your other Truslets, like Credential Guard, have a valid certificate.
* HVCI also ensures that your other trusted processes, like Credential Guard, have got a valid certificate.
* Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI.
## How to turn on HVCI in Windows 10
@ -54,7 +54,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
### Enable HVCI using Group Policy
1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
3. Double-click **Turn on Virtualization Based Security**.
4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.
@ -290,9 +290,9 @@ WDAC protects against malware running in the guest virtual machine. It does not
Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
```
### Requirements for running HVCI in Hyper-V virtual machines
### Requirements for running HVCI in Hyper-V virtual machines
- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
- HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time
- Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.

20
windows/security/threat-protection/index.md
View File

@ -7,8 +7,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: DulceMontemayor
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -19,6 +19,9 @@ ms.topic: conceptual
# Threat Protection
[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
>[!TIP]
> Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/).
<center><h2>Microsoft Defender ATP</center></h2>
<table>
<tr>
@ -41,6 +44,9 @@ ms.topic: conceptual
<a name="tvm"></a>
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq]
**[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**<br>
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
@ -74,11 +80,11 @@ The attack surface reduction set of capabilities provide the first line of defen
**[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**<br>
To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
- [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
- [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus)
- [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus)
- [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)
- [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus)
- [Automated sandbox service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
<a name="edr"></a>

2
windows/security/threat-protection/intelligence/TOC.md
View File

@ -36,8 +36,6 @@
## [Safety Scanner download](safety-scanner-download.md)
## [Industry tests](top-scoring-industry-antivirus-tests.md)
## [Industry collaboration programs](cybersecurity-industry-partners.md)
### [Virus information alliance](virus-information-alliance-criteria.md)

112
windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
View File

@ -1,112 +0,0 @@
---
title: Top scoring in industry tests (AV-TEST, AV Comparatives, SE Labs, MITRE ATT&CK)
ms.reviewer:
description: Microsoft Defender ATP consistently achieves high scores in independent tests. View the latest scores and analysis.
keywords: Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, scoring, next generation protection, ranking, success
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: high
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
---
# Top scoring in industry tests
Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis.
## Next generation protection
[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) consistently performs highly in independent tests, displaying how it is a top choice in the antivirus market. Keep in mind, these tests only provide results for antivirus and do not test for additional security protections.
Windows Defender Antivirus is the [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) capability in the [Microsoft Defender ATP Windows 10 security stack](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) that addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign). That's because Windows Defender Antivirus and other [endpoint protection platform (EPP)](https://www.microsoft.com/security/blog/2019/08/23/gartner-names-microsoft-a-leader-in-2019-endpoint-protection-platforms-magic-quadrant/) capabilities in Microsoft Defender ATP detect and stops malware at first sight with [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak), behavioral analysis, and other advanced technologies.
<br><br>
**Download the latest transparency report: [Examining industry test results, November 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)**
### AV-TEST: Protection score of 5.5/6.0 in the latest test
The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The following scores are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
- January - February 2020 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2020/microsoft-windows-defender-antivirus-4.18-200614/) <sup>**Latest**</sup>
Windows Defender Antivirus achieved an overall Protection score of 5.5/6.0, with 21,008 malware samples used.
- November - December 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2019/microsoft-windows-defender-antivirus-4.18-195015/)
- September - October 2019 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2019/microsoft-windows-defender-antivirus-4.18-194115/)
- July — August 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2019/microsoft-windows-defender-antivirus-4.18-193215/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
- May — June 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2019/microsoft-windows-defender-antivirus-4.18-192415/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
- March — April 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2019/microsoft-windows-defender-antivirus-4.18-191517/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
- January — February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2019/microsoft-windows-defender-antivirus-4.18-190611/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd)
- November — December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWusR9)
- September — October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD)
### AV-Comparatives: Protection rating of 99.6% in the latest test
Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance.
- Business Security Test 2019 (August — November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2019-august-november/) <sup>**Latest**</sup>
Windows Defender Antivirus has scored consistently high in Real-World Protection Rates over the past year, with 99.6% in the latest test.
- Business Security Test 2019 Factsheet (August — September): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-august-september-2019-factsheet/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
- Business Security Test 2019 (March — June): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-2019-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
- Business Security Test 2018 (August — November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2018-august-november/)
- Business Security Test 2018 (March — June): [Real-World Protection Rate 98.7%](https://www.av-comparatives.org/tests/business-security-test-2018-march-june/)
### SE Labs: AAA award in the latest test
SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services.
- Enterprise Endpoint Protection October — December 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/oct-dec-2019-enterprise.pdf) <sup>**pdf**</sup>
Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all but two public threats.
- Enterprise Endpoint Protection July — September 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jul-sep-2019-enterprise.pdf) <sup>**pdf**</sup> | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
- Enterprise Endpoint Protection April — June 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/apr-jun-2019-enterprise.pdf) <sup>**pdf**</sup> | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
- Enterprise Endpoint Protection January — March 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jan-mar-2019-enterprise.pdf) <sup>**pdf**</sup> | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
- Enterprise Endpoint Protection October — December 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/oct-dec-2018-enterprise.pdf) <sup>**pdf**</sup> | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd)
## Endpoint detection & response
Microsoft Defender ATP [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
![String of images showing EDR capabilities](./images/MITRE-Microsoft-Defender-ATP.png)
**Read our analysis: [MITRE evaluation highlights industry-leading EDR capabilities in Windows Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831)**
### MITRE: Industry-leading optics and detection capabilities
MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off. Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework. The framework is widely regarded today as the most comprehensive catalog of attacker techniques and tactics.
- ATT&CK-based evaluation: [Leading optics and detection capabilities](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/) | [Analysis](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831)
Microsoft Defender ATP delivered comprehensive coverage of attacker techniques across the entire attack chain. Highlights included the breadth of telemetry, the strength of threat intelligence, and the advanced, automatic detection through machine learning, heuristics, and behavior monitoring.
## To what extent are tests representative of protection in the real world?
Independent security industry tests aim to evaluate the best antivirus and security products in an unbiased manner. However, it is important to remember that Microsoft sees a wider and broader set of threats beyond what's tested in the evaluations highlighted in this topic. For example, in an average month Microsoft's security products identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats.
The capabilities within Microsoft Defender ATP provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses) that are not factored into industry antivirus tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Microsoft Defender ATP creates a partial picture of how Microsoft's security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Microsoft Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively Microsoft's security suite protects customers in the real world.
With independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack.
[Learn more about Microsoft Defender ATP](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) and evaluate it in your own network by signing up for a [90-day trial of Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), or [enabling Preview features on existing tenants](../microsoft-defender-atp/preview-settings.md).

4
windows/security/threat-protection/mbsa-removal-and-guidance.md
View File

@ -1,6 +1,6 @@
---
title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions
description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
keywords: MBSA, security, removal
ms.prod: w10
ms.mktglfcycl: deploy
@ -16,7 +16,7 @@ manager: dansimp
Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these additional checks had not been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive.
MBSA was largely used in situations where neither Microsoft Update nor a local WSUS/SCCM server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016.
MBSA was largely used in situations where neither Microsoft Update nor a local WSUS or Configuration Manager server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016.
## The Solution
A script can help you with an alternative to MBSAs patch-compliance checking:

45
windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
View File

@ -20,6 +20,7 @@ ms.topic: article
# Configure advanced features in Microsoft Defender ATP
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
@ -30,32 +31,36 @@ Use the following advanced features to get better protected from potentially mal
## Automated investigation
When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigation](automated-investigations.md).
Turn on this feature to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigation](automated-investigations.md).
## Live response
When you enable this feature, users with the appropriate permissions can initiate a live response session on machines.
Turn on this feature so that users with the appropriate permissions can start a live response session on machines.
For more information on role assignments see, [Create and manage roles](user-roles.md).
For more information about role assignments, see [Create and manage roles](user-roles.md).
## Live response unsigned script execution
Enabling this feature allows you to run unsigned scripts in a live response session.
## Auto-resolve remediated alerts
## Autoresolve remediated alerts
For tenants created on or after Windows 10, version 1809 the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you dont want to have alerts auto-resolved, youll need to manually turn off the feature.
For tenants created on or after Windows 10, version 1809 the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature.
>[!TIP]
>For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page.
>[!NOTE]
> - The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine.
>
>- The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine.
>- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
## Allow or block file
Blocking is only available if your organization uses Windows Defender Antivirus as the active antimalware solution, and if the cloud-based protection feature is enabled.
Blocking is only available if your organization fulfills these requirements:
- Uses Windows Defender Antivirus as the active antimalware solution and,
- The cloud-based protection feature is enabled
This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on machines in your organization.
@ -69,24 +74,22 @@ To turn **Allow or block** files on:
1. Select **Save preferences** at the bottom of the page.
Once you have enabled this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page.
After turning on this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page.
## Custom network indicators
Enabling this feature allows you to create indicators for IP addresses, domains, or URLs which determine whether they will be allowed or blocked based on your custom indicator list.
Turning on this feature allows you to create indicators for IP addresses, domains, or URLs, which determine whether they will be allowed or blocked based on your custom indicator list.
To use this feature, machines must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834).
To use this feature, machines must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834).
For more information, see [Manage indicators](manage-indicators.md).
>[!NOTE]
>Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Microsoft Defender ATP data.
## Show user details
When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
Turn on this feature so that you can see user details stored in Azure Active Directory. Details include a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
- Security operations dashboard
- Alert queue
@ -110,25 +113,25 @@ The integration with Azure Advanced Threat Protection allows you to pivot direct
## Microsoft Secure Score
Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning this feature on gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data.
Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data.
### Enable the Microsoft Defender ATP integration from the Azure ATP portal
To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
1. Login to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
1. Log in to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
2. Click **Create your instance**.
3. Toggle the Integration setting to **On** and click **Save**.
When you complete the integration steps on both portals, you'll be able to see relevant alerts in the machine details or user details page.
After completing the integration steps on both portals, you'll be able to see relevant alerts in the machine details or user details page.
## Office 365 Threat Intelligence connection
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows machines.
>[!NOTE]
>You'll need to have the appropriate license to enable this feature.
@ -137,7 +140,7 @@ To receive contextual machine integration in Office 365 Threat Intelligence, you
## Microsoft Threat Experts
Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability, while experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard and via email if you configure it.
Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard and via email if you configure it.
>[!NOTE]
>The Microsoft Threat Experts capability in Microsoft Defender ATP is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security).
@ -151,11 +154,11 @@ Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud
## Azure Information Protection
Turning this setting on forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded machines and machine risk ratings.
Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded machines and machine risk ratings.
## Microsoft Intune connection
Microsoft Defender ATP can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [enable this feature](configure-conditional-access.md), you'll be able to share Microsoft Defender ATP device information with Intune, enhancing policy enforcement.
Microsoft Defender ATP can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Microsoft Defender ATP device information with Intune, enhancing policy enforcement.
>[!IMPORTANT]
>You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. For more information on specific steps, see [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md).
@ -176,7 +179,7 @@ When you enable Intune integration, Intune will automatically create a classic C
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
You'll have access to upcoming features, which you can provide feedback on to help improve the overall experience before features are generally available.
## Enable advanced features

12
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md → windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
View File

@ -1,7 +1,7 @@
---
title: DeviceFileCertificateInfoBeta table in the advanced hunting schema
description: Learn about file signing information in the DeviceFileCertificateInfoBeta table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfoBeta
title: DeviceFileCertificateInfo table in the advanced hunting schema
description: Learn about file signing information in the DeviceFileCertificateInfo table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfo
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -18,7 +18,7 @@ ms.topic: article
ms.date: 01/14/2020
---
# DeviceFileCertificateInfoBeta
# DeviceFileCertificateInfo
**Applies to:**
@ -26,9 +26,7 @@ ms.date: 01/14/2020
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
The `DeviceFileCertificateInfoBeta` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file signing certificates. This table uses data obtained from certificate verification activities regularly performed on files on endpoints.
The `DeviceFileCertificateInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file signing certificates. This table uses data obtained from certificate verification activities regularly performed on files on endpoints.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
View File

@ -47,7 +47,7 @@ Table and column names are also listed within the Microsoft Defender Security Ce
| **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events |
| **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events |
| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
| **[DeviceFileCertificateInfoBeta](advanced-hunting-devicefilecertificateinfobeta-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
| **[DeviceFileCertificateInfo](advanced-hunting-devicefilecertificateinfo-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products |
| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |

3
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
View File

@ -52,6 +52,9 @@ You can save a new or existing query so that it is only accessible to you or sha
2. Select **Delete** and confirm deletion. Or select **Rename** and provide a new name for the query.
## Create a direct link to a query
To generate a link that opens your query directly in the advanced hunting query editor, finalize your query and select **Share link**.
## Access queries in the GitHub repository
Microsoft security researchers regularly share advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/).

38
windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
View File

@ -21,11 +21,12 @@ ms.date: 03/27/2020
# View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first.
The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are showed at the top of the list helping you see the most recent alerts first.
>[!NOTE]
>The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a machine that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
@ -33,6 +34,7 @@ The **Alerts queue** shows a list of alerts that were flagged from machines in y
There are several options you can choose from to customize the alerts queue view.
On the top navigation you can:
- Select grouped view or list view
- Customize columns to add or remove columns
- Select the items to show per page
@ -42,32 +44,36 @@ On the top navigation you can:
![Image of alerts queue](images/alerts-queue-list.png)
## Sort, filter, and group the alerts queue
You can apply the following filters to limit the list of alerts and get a more focused view the alerts.
### Severity
Alert severity | Description
:---|:---
High </br>(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines. Some examples of these are credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
High </br>(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on machines. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
Medium </br>(Orange) | Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
Low </br>(Yellow) | Alerts on threats associated with prevalent malware, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
Low </br>(Yellow) | Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
Informational </br>(Grey) | Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.
#### Understanding alert severity
It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.
Windows Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.
The Windows Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual machine, if infected.
The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization.
So, for example:
- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred.
- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage.
- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat.
- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
- Suspicious behavioral alerts, which weren't blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
#### Understanding alert categories
We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will retain the previous category names.
We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will keep the previous category names.
The table below lists the current categories and how they generally map to previous categories.
@ -92,39 +98,43 @@ The table below lists the current categories and how they generally map to previ
### Status
You can choose to limit the list of alerts based on their status.
### Investigation state
Corresponds to the automated investigation state.
### Category
You can choose to filter the queue to display specific types of malicious activity.
### Assigned to
You can choose between showing alerts that are assigned to you or automation.
### Detection source
Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts managed hunting service.
Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service.
>[!NOTE]
>The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default real-time protection antimalware product.
### OS platform
Limit the alerts queue view by selecting the OS platform that you're interested in investigating.
### Machine group
If you have specific machine groups that you're interested in checking the alerts on, you can select the groups to limit the alerts queue view to display just those machine groups.
If you have specific machine groups that you're interested in checking, you can select the groups to limit the alerts queue view.
### Associated threat
Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics.md).
## Related topics
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)

19
windows/security/threat-protection/microsoft-defender-atp/alerts.md
View File

@ -12,7 +12,7 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.collection: M365-security-compliance
ms.topic: article
---
@ -20,9 +20,10 @@ ms.topic: article
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## Methods
Method |Return Type |Description
:---|:---|:---
[Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object.
@ -37,7 +38,8 @@ Method |Return Type |Description
## Properties
Property | Type | Description
Property | Type | Description
:---|:---|:---
id | String | Alert ID.
title | String | Alert title.
@ -45,15 +47,15 @@ description | String | Alert description.
alertCreationTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was created.
lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same machine.
firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that machine.
lastUpdateTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that machine.
lastUpdateTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was last updated.
resolvedTime | Nullable DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
incidentId | Nullable Long | The [Incident](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) ID of the Alert.
investigationId | Nullable Long | The [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) ID related to the Alert.
incidentId | Nullable Long | The [Incident](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) ID of the Alert.
investigationId | Nullable Long | The [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) ID related to the Alert.
investigationState | Nullable Enum | The current state of the [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
assignedTo | String | Owner of the alert.
severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
category| String | Category of the alert.
detectionSource | String | Detection source.
@ -61,7 +63,6 @@ threatFamilyName | String | Threat family.
machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time.
### Response example for getting single alert:
```
@ -73,7 +74,7 @@ GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-2929
"id": "da637084217856368682_-292920499",
"incidentId": 66860,
"investigationId": 4416234,
"investigationState": "Running",
"investigationState": "Running",
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "New",

22
windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
View File

@ -1,7 +1,7 @@
---
title: API Explorer in Microsoft Defender ATP
ms.reviewer:
description: Use the API Explorer to construct and perform API queries, test and send requests for any available API
description: Use the API Explorer to construct and do API queries, test, and send requests for any available API
keywords: api, explorer, send, request, get, post,
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -19,14 +19,16 @@ ms.topic: conceptual
---
# API Explorer
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs interactively.
The API Explorer makes it easy to construct and perform API queries, test and send requests for any available Microsoft Defender ATP API endpoint. You can also use the API Explorer to perform actions or find data that might not yet be available through the user interface.
The API Explorer makes it easy to construct and do API queries, test, and send requests for any available Microsoft Defender ATP API endpoint. Use the API Explorer to take actions or find data that might not yet be available through the user interface.
The tool is useful during app development because it allows you to perform API queries that respect your user access settings, reducing the need to generate access tokens.
The tool is useful during app development. It allows you to perform API queries that respect your user access settings, reducing the need to generate access tokens.
You can also use the tool to explore the gallery of sample queries, copy result code samples, and generate debug information.
@ -34,26 +36,30 @@ With the API Explorer, you can:
- Run requests for any method and see responses in real-time
- Quickly browse through the API samples and learn what parameters they support
- Make API calls with ease; no need to authenticate beyond the management portal sign-in
- Make API calls with ease; no need to authenticate beyond the management portal sign in
## Access API Explorer
From the left navigation menu, select **Partners & APIs** > **API Explorer**.
## Supported APIs
## Supported APIs
API Explorer supports all the APIs offered by Microsoft Defender ATP.
The list of supported APIs is available in the [APIs documentation](apis-intro.md).
## Get started with the API Explorer
1. In the left pane, there is a list of sample requests that you can use.
2. Follow the links and click **Run query**.
Some of the samples may require specifying a parameter in the URL, for example, {machine- id}.
Some of the samples may require specifying a parameter in the URL, for example, {machine- ID}.
## FAQ
**Do I need to have an API token to use the API Explorer?** <br>
Credentials to access an API are not needed since the API Explorer uses the Microsoft Defender ATP management portal token whenever it makes a request.
Credentials to access an API aren't needed. The API Explorer uses the Microsoft Defender ATP management portal token whenever it makes a request.
The logged-in user authentication credential is used to verify that the API Explorer is authorized to access data on your behalf.
Specific API requests are limited based on your RBAC privileges; for example, a request to "Submit indicator" is limited to the security admin role.
Specific API requests are limited based on your RBAC privileges. For example, a request to "Submit indicator" is limited to the security admin role.

2
windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft Defender ATP Flow connector
ms.reviewer:
description: Microsoft Defender ATP Flow connector
description: Use Microsoft Defender ATP Flow connector to automate security and create a flow that will be triggered any time a new alert occurs on your tenant.
keywords: flow, supported apis, api, Microsoft flow, query, automation
search.product: eADQiWindows 10XVcnh
ms.prod: w10

4
windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft Defender ATP APIs connection to Power BI
ms.reviewer:
description: Create custom reports using Power BI
description: Create a Power Business Intelligence (BI) report on top of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) APIs.
keywords: apis, supported apis, Power BI, reports
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -25,7 +25,7 @@ ms.topic: article
In this section you will learn create a Power BI report on top of Microsoft Defender ATP APIs.
The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs (e.g. Machine Actions, Alerts, etc..)
The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs, such as Machine Actions or Alerts.
## Connect Power BI to Advanced Hunting API

53
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
View File

@ -1,53 +0,0 @@
---
title: Use attack surface reduction rules in Windows 10 Enterprise E3
description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.reviewer:
manager: dansimp
ms.custom: asr
---
# Use attack surface reduction rules in Windows 10 Enterprise E3
**Applies to:**
- Windows 10 Enterprise E3
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license.
A limited subset of basic attack surface reduction rules can technically be used with Windows 10 Enterprise E3. They can be used without the benefits of reporting, monitoring, and analytics, which provide the ease of deployment and management capabilities necessary for enterprises.
Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
The limited subset of rules that can be used in Windows 10 Enterprise E3 include:
- Block executable content from email client and webmail
- Block all Office applications from creating child processes
- Block Office applications from creating executable content
- Block Office applications from injecting code into other processes
- Block JavaScript or VBScript from launching downloaded executable content
- Block execution of potentially obfuscated scripts
- Block Win32 API calls from Office macro
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md).
## Related topics
Topic | Description
---|---
[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created.
[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network.
[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file.

197
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
View File

@ -30,9 +30,9 @@ Your attack surface is the total number of places where an attacker could compro
Attack surface reduction rules target software behaviors that are often abused by attackers, such as:
* Launching executable files and scripts that attempt to download or run files
* Running obfuscated or otherwise suspicious scripts
* Performing behaviors that apps don't usually initiate during normal day-to-day work
- Launching executable files and scripts that attempt to download or run files
- Running obfuscated or otherwise suspicious scripts
- Performing behaviors that apps don't usually initiate during normal day-to-day work
These behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe.
@ -44,9 +44,11 @@ For more information about configuring attack surface reduction rules, see [Enab
## Attack surface reduction features across Windows versions
You can set attack surface reduction rules for computers running Windows 10 versions 1709 and 1803 or later, Windows Server version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
You can set attack surface reduction rules for computers running the following versions of Windows:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) (Semi-Annual Channel) or later
To use the entire feature-set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license, you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
## Review attack surface reduction events in the Microsoft Defender Security Center
@ -77,11 +79,11 @@ You can review the Windows event log to view events generated by attack surface
This will create a custom view that filters events to only show the following, all of which are related to controlled folder access:
Event ID | Description
-|-
5007 | Event when settings are changed
1121 | Event when rule fires in Block-mode
1122 | Event when rule fires in Audit-mode
|Event ID | Description |
|---|---|
|5007 | Event when settings are changed |
|1121 | Event when rule fires in Block-mode |
|1122 | Event when rule fires in Audit-mode |
The "engine version" listed for attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not by the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.
@ -89,38 +91,42 @@ The "engine version" listed for attack surface reduction events in the event log
The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs:
Rule name | GUID | File & folder exclusions
-|-|-
[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported
[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported
[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported
[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported
[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported
[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported
[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported
[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported
[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported
[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported
[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported
[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported
[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported
[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported
[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported
| Rule name | GUID | File & folder exclusions | Minimum OS supported |
|-----|----|---|---|
|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Not supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
### Block executable content from email client and webmail
This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:
* Executable files (such as .exe, .dll, or .scr)
* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Microsoft Endpoint Configuration Manager CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Microsoft Endpoint Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
Microsoft Endpoint Configuration Manager name: Block executable content from email client and webmail
GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`
### Block all Office applications from creating child processes
@ -128,27 +134,35 @@ This rule blocks Office apps from creating child processes. This includes Word,
Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Office apps launching child processes
Configuration Manager name: Block Office application from creating child processes
GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`
### Block Office applications from creating executable content
This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.
Malware that abuse Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)
Intune name: Office apps/macros creating executable content
SCCM name: Block Office applications from creating executable content
GUID: 3B576869-A4EC-4529-8536-B80A7769E899
GUID: `3B576869-A4EC-4529-8536-B80A7769E899`
### Block Office applications from injecting code into other processes
@ -160,13 +174,17 @@ There are no known legitimate business purposes for using code injection.
This rule applies to Word, Excel, and PowerPoint.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Office apps injecting code into other processes (no exceptions)
Configuration Manager name: Block Office applications from injecting code into other processes
GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`
### Block JavaScript or VBScript from launching downloaded executable content
@ -177,13 +195,17 @@ Although not common, line-of-business applications sometimes use scripts to down
> [!IMPORTANT]
> File and folder exclusions don't apply to this attack surface reduction rule.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content
GUID: D3E037E1-3EB8-44C8-A917-57927947596D
GUID: `D3E037E1-3EB8-44C8-A917-57927947596D`
### Block execution of potentially obfuscated scripts
@ -191,13 +213,17 @@ This rule detects suspicious properties within an obfuscated script.
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Obfuscated js/vbs/ps/macro code
Configuration Manager name: Block execution of potentially obfuscated scripts.
GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`
### Block Win32 API calls from Office macros
@ -205,37 +231,42 @@ This rule prevents VBA macros from calling Win32 APIs.
Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Win32 imports from Office macro code
Configuration Manager name: Block Win32 API calls from Office macros
GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`
### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:
* Executable files (such as .exe, .dll, or .scr)
- Executable files (such as .exe, .dll, or .scr)
Launching untrusted or unknown executable files can be risky, as it may not not be initially clear if the files are malicious.
> [!NOTE]
> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious.
> [!IMPORTANT]
> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule. <br/><br/> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
>
>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25`
### Use advanced protection against ransomware
@ -244,13 +275,17 @@ This rule provides an extra layer of protection against ransomware. It scans exe
> [!NOTE]
> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Advanced ransomware protection
Configuration Manager name: Use advanced protection against ransomware
GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
### Block credential stealing from the Windows local security authority subsystem
@ -261,13 +296,17 @@ LSASS authenticates users who log in to a Windows computer. Microsoft Defender C
> [!NOTE]
> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Flag credential stealing from the Windows local security authority subsystem
Configuration Manager name: Block credential stealing from the Windows local security authority subsystem
GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`
### Block process creations originating from PSExec and WMI commands
@ -276,13 +315,16 @@ This rule blocks processes created through [PsExec](https://docs.microsoft.com/s
> [!WARNING]
> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from PSExec and WMI commands
Configuration Manager name: Not applicable
GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c`
### Block untrusted and unsigned processes that run from USB
@ -291,13 +333,17 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
* Executable files (such as .exe, .dll, or .scr)
* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Untrusted and unsigned processes that run from USB
Configuration Manager name: Block untrusted and unsigned processes that run from USB
GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
### Block Office communication application from creating child processes
@ -308,13 +354,16 @@ This protects against social engineering attacks and prevents exploit code from
> [!NOTE]
> This rule applies to Outlook and Outlook.com only.
This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
This rule was introduced in:
- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from Office communication products (beta)
Configuration Manager name: Not yet available
GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
### Block Adobe Reader from creating child processes
@ -322,13 +371,16 @@ This rule prevents attacks by blocking Adobe Reader from creating additional pro
Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
This rule was introduced in:
- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from Adobe Reader (beta)
Configuration Manager name: Not yet available
GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
### Block persistence through WMI event subscription
@ -336,17 +388,22 @@ This rule prevents malware from abusing WMI to attain persistence on a device.
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
This rule was introduced in: Windows 10 1903, Windows Server 1903
This rule was introduced in:
- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
Intune name: Block persistence through WMI event subscription
Configuration Manager name: Not yet available
GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
## Related topics
* [Attack surface reduction FAQ](attack-surface-reduction.md)
* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
- [Attack surface reduction FAQ](attack-surface-reduction.md)
- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
- [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)

58
windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
View File

@ -18,7 +18,9 @@ ms.topic: article
# View details and results of automated investigations
Pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) are listed in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)).
During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP) is configured for your organization, some remediation actions are taken automatically.
If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation.
>[!NOTE]
>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
@ -27,12 +29,13 @@ Pending and completed [remediation actions](manage-auto-investigation.md#remedia
![Action center page](images/action-center.png)
The action center consists of two main tabs, as described in the following table.
|Tab |Description |
|---------|---------|
|Pending actions |Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. <br/><br/>**NOTE**: The Pending tab appears only if there are pending actions to be approved (or rejected). |
|History |Acts as an audit log for all of the following: <br/>- All actions taken by automated investigation and remediation in Microsoft Defender ATP <br/>Actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone) <br/>- All commands ran and remediation actions that were applied in Live Response sessions (some actions can be undone) <br/>- Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone) |
The action center consists of two main tabs: **Pending actions** and **History**.
- **Pending actions** Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. The Pending tab appears only if there are pending actions to be approved (or rejected).
- **History** Acts as an audit log for all of the following items: <br/>
- Remediation actions that were taken as a result of an automated investigation
- Remediation actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone)
- Commands that were run and remediation actions that were applied in Live Response sessions (some actions can be undone)
- Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone)
Use the **Customize columns** menu to select columns that you'd like to show or hide.
@ -58,29 +61,30 @@ On the **Investigations** page, you can view details and use filters to focus on
|---------|---------|
|**Status** |(See [Automated investigation status](#automated-investigation-status)) |
|**Triggering alert** | The alert that initiated the automated investigation |
|**Detection source** |The source of the alert that initiated the automated investigation. |
|**Entities** | These can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that you might have created. |
|**Threat** |The category of threat detected during the automated investigation. |
|**Tags** |Filter using manually added tags that capture the context of an automated investigation.|
|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't.|
|**Detection source** |The source of the alert that initiated the automated investigation |
|**Entities** | Entities can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that were created. |
|**Threat** |The category of threat detected during the automated investigation |
|**Tags** |Filter using manually added tags that capture the context of an automated investigation|
|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't|
## Automated investigation status
An automated investigation can be have one of the following status values:
An automated investigation can have one of the following status values:
|Status |Description |
|---------|---------|
| No threats found | No malicious entities found during the investigation. |
| Failed | A problem has interrupted the investigation, preventing it from completing. |
| Partially remediated | A problem prevented the remediation of some malicious entities. |
| Pending action | Remediation actions require review and approval. |
| Running | The investigation process has started and is underway. Malicious artifacts that are found are remediated. |
| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for specific details. |
| No threats found | The investigation has finished and no threats were identified. <br/>If you suspect something was missed (such as a false negative), you can use [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). |
| Pending action | The investigation has found a threat, and an action to remediate that threat is awaiting approval. The Pending Action state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to see if other items are still pending completion. |
| Remediated | The investigation finished and all actions were approved (fully remediated). |
| Partially remediated | The investigation resulted in remediation actions, and some were approved and completed. Other actions are still pending. |
| Terminated by system | The investigation stopped. An investigation can stop for several reasons:<br/>- The investigation's pending actions expired. Pending actions can time out after awaiting approval for an extended period of time. <br/>- There are too many actions in the list.<br/>Visit the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) to view and approve any pending actions. |
| Failed | At least one investigation analyzer ran into a problem where it could not complete properly. <br/><br/>If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for detailed results. |
| Queued | An investigation is being held in a queue. When other investigations complete, queued investigations begin. |
| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
| Running | Investigation ongoing. Malicious entities found will be remediated. |
| Remediated | Malicious entities found were successfully remediated. |
| Terminated by system | Investigation was stopped by the system. |
| Terminated by user | A user stopped the investigation before it could complete. |
| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
## View details about an automated investigation
@ -92,7 +96,7 @@ In this view, you'll see the name of the investigation, when it started and ende
### Investigation graph
The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
The investigation graph provides a graphical representation of an automated investigation. All investigation-related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
A progress ring shows two status indicators:
- Orange ring - shows the pending portion of the investigation
@ -108,7 +112,7 @@ From this view, you can also view and add comments and tags about the investigat
### Alerts
The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned.
Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing.
@ -124,7 +128,7 @@ Machines that show the same threat can be added to an ongoing investigation and
Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
Clicking on an machine name brings you the machine page.
Clicking on a machine name brings you the machine page.
### Evidence
@ -132,7 +136,7 @@ The **Evidence** tab shows details related to threats associated with this inves
### Entities
The **Entities** tab shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean.
The **Entities** tab shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or had no threats found.
### Log
@ -146,7 +150,7 @@ You can also click on an action to bring up the details pane where you'll see in
### Pending actions
If there are pending actions on an automated investigation, you'll see a pop up similar to the following image.
If there are pending actions on an automated investigation, you'll see a pop-up similar to the following image.
![Image of pending actions](images/pending-actions.png)

4
windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
View File

@ -30,7 +30,7 @@ The automated investigation feature leverages various inspection algorithms, and
## How the automated investigation starts
When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a machine. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other machines in the organization. Details from the investigation, including verdicts (Malicious, Suspicious, and Clean) are available during and after the automated investigation.
When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a machine. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other machines in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
>[!NOTE]
>Currently, automated investigation only supports the following OS versions:
@ -48,7 +48,7 @@ During and after an automated investigation, you can view details about the inve
|**Alerts**| Shows the alert that started the investigation.|
|**Machines** |Shows where the alert was seen.|
|**Evidence** |Shows the entities that were found to be malicious during the investigation.|
|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *Clean*). |
|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
|**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.|
|**Pending actions** |If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. |

49
windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md Normal file
View File

@ -0,0 +1,49 @@
---
title: Behavioral blocking and containment
description: Learn about behavioral blocking and containment capabilities in Microsoft Defender ATP
keywords: Microsoft Defender ATP, EDR in block mode, passive mode blocking
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
author: denisebmsft
ms.author: deniseb
manager: dansimp
ms.reviewer: shwetaj
audience: ITPro
ms.topic: article
ms.prod: w10
ms.localizationpriority: medium
ms.custom:
- next-gen
- edr
ms.collection:
---
# Behavioral blocking and containment
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
## Behavioral blocking and containment overview
Not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats with machine learning, pre- and post-breach. In almost real time, when a suspicious behavior or artifact is detected and determined to be malicious, the threat is blocked. Pre-execution models learn about that threat, and prevent it from running on other endpoints.
## Behavioral blocking and containment capabilities
Behavioral blocking and containment capabilities include the following:
- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)**. Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center (https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
- **Client behavioral blocking**. Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
- **Feedback-loop blocking** (also referred to as rapid protection). Threat detections that are assumed to be false negatives are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.)
As Microsoft continues to improve threat protection features and capabilities, you can expect more to come in the area of behavioral blocking and containment. Visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap) to see what's rolling out now and what's in development.
## Next steps
- [Configure your attack surface reduction rules](attack-surface-reduction.md)
- [Enable EDR in block mode](edr-in-block-mode.md)

1
windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
View File

@ -77,7 +77,6 @@ Not currently available.
## Integrations
Integrations with the following Microsoft products are not currently available:
- Azure Security Center
- Azure Advanced Threat Protection
- Azure Information Protection
- Office 365 Advanced Threat Protection

2
windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
View File

@ -1,6 +1,6 @@
---
title: Configure attack surface reduction
description: Configure attack surface reduction
description: Use Microsoft Intune, Microsoft Endpoint Configuration Manager, Powershell cmdlets, and Group Policy to configure attack surface reduction.
keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av
search.product: eADQiWindows 10XVcnh
search.appverid: met150

55
windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md Normal file
View File

@ -0,0 +1,55 @@
---
title: Configure automated investigation and remediation capabilities
description: Set up your automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: configure, setup, automated, investigation, detection, alerts, remediation, response
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Configure automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection
**Applies to**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations).
To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups).
## Turn on automated investigation and remediation
1. As a global administrator or security administrator, go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. In the navigation pane, choose **Settings**.
3. In the **General** section, select **Advanced features**.
4. Turn on both **Automated Investigation** and **Automatically resolve alerts**.
## Set up device groups
1. In the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), on the **Settings** page, under **Permissions**, select **Device groups**.
2. Select **+ Add machine group**.
3. Create at least one device group, as follows:
- Specify a name and description for the device group.
- In the **Automation level list**, select a level, such as **Full remediate threats automatically**. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
- In the **Members** section, use one or more conditions to identify and include devices.
- On the **User access** tab, select the [Azure Active Directory groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups?context=azure/active-directory/users-groups-roles/context/ugr-context) who should have access to the device group you're creating.
4. Select **Done** when you're finished setting up your device group.
## Next steps
- [Visit the Action Center to view pending and completed remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center)
- [Review and approve actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation)
- [Manage indicators for files, IP addresses, URLs, or domains](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators)

2
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
View File

@ -34,7 +34,7 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh
## Before you begin
If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully.
For more information on enabling MDM with Microsoft Intune, see [Setup Windows Device Management](https://docs.microsoft.com/intune-classic/deploy-use/set-up-windows-device-management-with-microsoft-intune).
For more information on enabling MDM with Microsoft Intune, see [Device enrollment (Microsoft Intune)](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
## Onboard machines using Microsoft Intune

55
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 04/24/2018
ms.date: 04/16/2020
---
# Onboard non-persistent virtual desktop infrastructure (VDI) machines
@ -23,7 +23,8 @@ ms.date: 04/24/2018
**Applies to:**
- Virtual desktop infrastructure (VDI) machines
>[!WARNING]
> Micrsosoft Defender ATP currently does not support Windows Virtual Desktop multi-user session.
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
@ -80,26 +81,62 @@ The following steps will guide you through onboarding VDI machines and will high
6. Test your solution:
a. Create a pool with one machine.
a. Create a pool with one machine.
b. Logon to machine.
b. Logon to machine.
c. Logoff from machine.
c. Logoff from machine.
d. Logon to machine with another user.
d. Logon to machine with another user.
e. **For single entry for each machine**: Check only one entry in Microsoft Defender Security Center.<br>
e. **For single entry for each machine**: Check only one entry in Microsoft Defender Security Center.<br>
**For multiple entries for each machine**: Check multiple entries in Microsoft Defender Security Center.
7. Click **Machines list** on the Navigation pane.
8. Use the search function by entering the machine name and select **Machine** as search type.
## Updating non-persistent virtual desktop infrastructure (VDI) images
As a best practice, we recommend using offline servicing tools to patch golden/master images.<br>
For example, you can use the below commands to install an update while the image remains offline:
```
DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"
DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"
DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit
```
For more information on DISM commands and offline servicing, please refer to the articles below:
- [Modify a Windows image using DISM](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
- [DISM Image Management Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14)
- [Reduce the Size of the Component Store in an Offline Windows Image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reduce-the-size-of-the-component-store-in-an-offline-windows-image)
If offline servicing is not a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health:
1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Microsoft Defender ATP sensor. For more information, see [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script).
2. Ensure the sensor is stopped by running the command below in a CMD window:
```
sc query sense
```
3. Service the image as needed.
4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumulated since boot:
```
PsExec.exe -s cmd.exe
cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"
del *.* /f /s /q
exit
```
5. Re-seal the golden/master image as you normally would.
## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)

3
windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
View File

@ -52,6 +52,9 @@ From the **Onboarding** card, select **Onboard more machines** to create and ass
>[!TIP]
>Alternatively, you can navigate to the Microsoft Defender ATP onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**.
>[!NOTE]
> If you want to view the most up-to-date device data, click on **List of devices without ATP sensor**.
From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the machines you want to onboard. To do this, you can either:
- Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile.

6
windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
View File

@ -70,8 +70,9 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert
## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization
You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard.
>[!NOTE]
>Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details.
> [!NOTE]
> - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details.
> - You will need to have the "Manage security settings" permission in the Security Center portal to be able to submit a "Consult a threat expert" inquiry.
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an investigation request.
@ -130,4 +131,3 @@ It is crucial to respond in a timely manner to keep the investigation moving.
## Related topic
- [Microsoft Threat Experts overview](microsoft-threat-experts.md)

2
windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
View File

@ -111,7 +111,7 @@ If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the
Service location | Microsoft.com DNS record
-|-
Common URLs for all locations | ```crl.microsoft.com```<br> ```ctldl.windowsupdate.com``` <br>```events.data.microsoft.com```<br>```notify.windows.com```<br> ```settings-win.data.microsoft.com```
Common URLs for all locations | ```crl.microsoft.com/pki/crl/*```<br> ```ctldl.windowsupdate.com``` <br>```www.microsoft.com/pkiops/*```<br>```events.data.microsoft.com```<br>```notify.windows.com```<br> ```settings-win.data.microsoft.com```
European Union | ```eu.vortex-win.data.microsoft.com``` <br> ```eu-v20.events.data.microsoft.com``` <br> ```usseu1northprod.blob.core.windows.net``` <br>```usseu1westprod.blob.core.windows.net``` <br> ```winatp-gw-neu.microsoft.com``` <br> ```winatp-gw-weu.microsoft.com``` <br>```wseu1northprod.blob.core.windows.net``` <br>```wseu1westprod.blob.core.windows.net``` <br>```automatedirstrprdweu.blob.core.windows.net``` <br>```automatedirstrprdneu.blob.core.windows.net```
United Kingdom | ```uk.vortex-win.data.microsoft.com``` <br>```uk-v20.events.data.microsoft.com``` <br>```ussuk1southprod.blob.core.windows.net``` <br>```ussuk1westprod.blob.core.windows.net``` <br>```winatp-gw-uks.microsoft.com``` <br>```winatp-gw-ukw.microsoft.com``` <br>```wsuk1southprod.blob.core.windows.net``` <br>```wsuk1westprod.blob.core.windows.net``` <br>```automatedirstrprduks.blob.core.windows.net``` <br>```automatedirstrprdukw.blob.core.windows.net```
United States | ```us.vortex-win.data.microsoft.com``` <br> ```ussus1eastprod.blob.core.windows.net``` <br> ```ussus1westprod.blob.core.windows.net``` <br> ```ussus2eastprod.blob.core.windows.net``` <br> ```ussus2westprod.blob.core.windows.net``` <br> ```ussus3eastprod.blob.core.windows.net``` <br> ```ussus3westprod.blob.core.windows.net``` <br> ```ussus4eastprod.blob.core.windows.net``` <br> ```ussus4westprod.blob.core.windows.net``` <br> ```us-v20.events.data.microsoft.com``` <br> ```winatp-gw-cus.microsoft.com``` <br> ```winatp-gw-eus.microsoft.com``` <br> ```wsus1eastprod.blob.core.windows.net``` <br> ```wsus1westprod.blob.core.windows.net``` <br> ```wsus2eastprod.blob.core.windows.net``` <br> ```wsus2westprod.blob.core.windows.net``` <br> ```automatedirstrprdcus.blob.core.windows.net``` <br> ```automatedirstrprdeus.blob.core.windows.net```

118
windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
View File

@ -24,73 +24,69 @@ ms.topic: article
- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
- Windows Server, 2019 and later
- Windows Server (SAC) version 1803 and later
- Windows Server 2019 and later
- Windows Server 2019 core edition
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink)
Microsoft Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Microsoft Defender Security Center console.
Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console.
The service supports the onboarding of the following servers:
- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
- Windows Server (SAC) version 1803 and later
- Windows Server 2019 and later
- Windows Server 2019 core edition
For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
> [!NOTE]
> An Azure Security Center Standard license is required, per node, to enroll Microsoft Defender ATP on a supported Windows Server platform, see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services)
## Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016
## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016
There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP:
- **Option 1**: Onboard through Azure Security Center
- **Option 2**: Onboard through Microsoft Defender Security Center
### Option 1: Onboard servers through Azure Security Center
1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system.
3. Click **Onboard Servers in Azure Security Center**.
4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
### Option 2: Onboard servers through Microsoft Defender Security Center
You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center.
- For Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
- Install the [February monthly update rollup](https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598)
- Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
- Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
- For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
- **Option 1**: Onboard through Microsoft Defender Security Center
- **Option 2**: Onboard through Azure Security Center
> [!NOTE]
> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
> Microsoft defender ATP standalone server license is required, per node, in order to onboard the server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
- Turn on server monitoring from Microsoft Defender Security Center.
- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
### Option 1: Onboard servers through Microsoft Defender Security Center
You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center.
- For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix:
- [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
- In addition, for Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
- Install the [February monthly update rollup](https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598)
- Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
- For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
> [!NOTE]
> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
- Turn on server monitoring from Microsoft Defender Security Center.
- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support.
Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
> [!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
### Configure and update System Center Endpoint Protection clients
> [!IMPORTANT]
> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
@ -100,7 +96,7 @@ The following steps are required to enable this integration:
2. Select Windows Server 2012 R2 and 2016 as the operating system.
3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
<span id="server-mma"/>
@ -125,8 +121,19 @@ Once completed, you should see onboarded servers in the portal within an hour.
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
## Windows Server, version 1803 and Windows Server 2019
To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below.
### Option 2: Onboard servers through Azure Security Center
1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system.
3. Click **Onboard Servers in Azure Security Center**.
4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition
To onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition, refer to the supported methods and versions below.
> [!NOTE]
> The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
@ -140,42 +147,42 @@ Supported tools include:
For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
Support for Windows Server, provide deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
2. If youre running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
2. If you're running a third-party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings. Verify that it was configured correctly:
a. Set the following registry entry:
1. Set the following registry entry:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- Name: ForceDefenderPassiveMode
- Value: 1
b. Run the following PowerShell command to verify that the passive mode was configured:
1. Run the following PowerShell command to verify that the passive mode was configured:
```PowerShell
Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}
```
```PowerShell
Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}
```
c. Confirm that a recent event containing the passive mode event is found:
1. Confirm that a recent event containing the passive mode event is found:
![Image of passive mode verification result](images/atp-verify-passive-mode.png)
![Image of passive mode verification result](images/atp-verify-passive-mode.png)
3. Run the following command to check if Windows Defender AV is installed:
```sc query Windefend```
If the result is The specified service does not exist as an installed service, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
If the result is 'The specified service does not exist as an installed service', then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
## Integration with Azure Security Center
Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
Microsoft Defender ATP can integrate with Azure Security Center to provide a comprehensive server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
The following capabilities are included in this integration:
- Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
> [!NOTE]
> Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
> Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016.
- Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach
@ -187,7 +194,7 @@ The following capabilities are included in this integration:
## Offboard servers
You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines.
You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client machines.
For other server versions, you have two options to offboard servers from the service:
- Uninstall the MMA agent
@ -217,11 +224,12 @@ To offboard the server, you can use either of the following methods:
#### Run a PowerShell command to remove the configuration
1. Get your Workspace ID:
a. In the navigation pane, select **Settings** > **Onboarding**.
b. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID:
1. In the navigation pane, select **Settings** > **Onboarding**.
1. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID:
![Image of server onboarding](images/atp-server-offboarding-workspaceid.png)
![Image of server onboarding](images/atp-server-offboarding-workspaceid.png)
2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:

6
windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
View File

@ -54,8 +54,10 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP detec
3. Select **Windows Defender ATP alerts** under **Local inputs**.
NOTE:
This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/).
>[!NOTE]
> - This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/).
> - For Splunk Cloud, use [Microsoft Defender ATP Add-on for Splunk](https://splunkbase.splunk.com/app/4959/).
4. Click **New**.

2
windows/security/threat-protection/microsoft-defender-atp/connected-applications.md
View File

@ -1,7 +1,7 @@
---
title: Connected applications in Microsoft Defender ATP
ms.reviewer:
description: View connected partner applications to Microsoft Defender ATP
description: View connected partner applications that use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender ATP APIs.
keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile
search.product: eADQiWindows 10XVcnh
search.appverid: met150

3
windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
View File

@ -76,6 +76,9 @@ See the [attack surface reduction](attack-surface-reduction.md) topic for detail
4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
> [!WARNING]
> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
### Use PowerShell to exclude files and folders
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**

5
windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
View File

@ -89,7 +89,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
>
> Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
>
> The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
> The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
>
>
> * **Example 2**
@ -100,8 +100,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
>
> Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
>
>The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
>CFG will be enabled for *miles.exe*.
> The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*.
> [!NOTE]
> If you have found any issues in this article, you can report it directly to a Windows Server/Windows Client partner or use the Microsoft technical support numbers for your country.

19
windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
View File

@ -1,6 +1,6 @@
---
title: Update how long data is stored by MDATP
description: Update data retention settings for Microsoft Defender Advanced Threat Protection (MDATP) by selecting between 30 days to 180 days.
title: Verify data storage location and update data retention settings
description: Verify data storage location and update data retention settings for Microsoft Defender Advanced Threat Protection
keywords: data, storage, settings, retention, update
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -15,9 +15,8 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/24/2018
---
# Update data retention settings for Microsoft Defender ATP
# Verify data storage location and update data retention settings for Microsoft Defender ATP
**Applies to:**
@ -25,10 +24,18 @@ ms.date: 04/24/2018
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-gensettings-abovefoldlink)
During the onboarding process, a wizard takes you through the general settings of Microsoft Defender ATP. After onboarding, you might want to update the data retention settings.
During the onboarding process, a wizard takes you through the data storage and retention settings of Microsoft Defender ATP.
After completing the onboarding, you can verify your selection in the data retention settings page.
## Verify data storage location
During the [Set up phase](production-deployment.md), you would have selected the location to store your data.
You can verify the data location by navigating to **Settings** > **Data retention**.
## Update data retention settings
1. In the navigation pane, select **Settings** > **Data retention**.

15
windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
View File

@ -46,15 +46,18 @@ Microsoft does not use your data for advertising.
## Data protection and encryption
The Microsoft Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure.
There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Microsoft Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview).
In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum.
## Do I have the flexibility to select where to store my data?
## Data storage location
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States, or dedicated Azure Government data centers (soon to be in preview). Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States.
Microsoft Defender ATP operates in the Microsoft Azure datacenters in the European Union, the United Kingdom, or in the United States. Customer data collected by the service may be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) if Microsoft Defender ATP uses another Microsoft online service to process such data, the geolocation as defined by the data storage rules of that other online service.
Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States.
Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside.
## Is my data isolated from other customer data?
Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
@ -84,12 +87,10 @@ Your data will be kept and will be available to you while the license is under g
## Can Microsoft help us maintain regulatory compliance?
Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Microsoft Defender ATP services against their own legal and regulatory requirements. Microsoft Defender ATP is ISO 27001 certified and has a roadmap for obtaining national, regional and industry-specific certifications.
Microsoft Defender ATP for Government (soon to be in preview) is currently undergoing audit for achieving FedRAMP High accreditation as well as Provisional Authorization (PA) at Impact Levels 4 and 5.
Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Microsoft Defender ATP services against their own legal and regulatory requirements. Microsoft Defender ATP has achieved a number of certifications including ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional and industry-specific certifications.
By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run.
For more information on the Microsoft Defender ATP ISO certification reports, see [Microsoft Trust Center](https://www.microsoft.com/trustcenter/compliance/iso-iec-27001).
For more information on the Microsoft Defender ATP certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-datastorage-belowfoldlink)

BIN
windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf
View File

Binary file not shown.

BIN
windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx
View File

Binary file not shown.

91
windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md Normal file
View File

@ -0,0 +1,91 @@
---
title: Endpoint detection and response in block mode
description: Learn about endpoint detection and response in block mode
keywords: Microsoft Defender ATP, EDR in block mode, passive mode blocking
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
author: denisebmsft
ms.author: deniseb
manager: dansimp
ms.reviewer: shwetaj
audience: ITPro
ms.topic: article
ms.prod: w10
ms.localizationpriority: medium
ms.custom:
- next-gen
- edr
ms.collection:
---
# Endpoint detection and response (EDR) in block mode
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
## What is EDR in block mode?
When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
> [!NOTE]
> EDR in block mode is currently in preview. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**.
## What happens when something is detected?
When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center).
The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode:
:::image type="content" source="images/edr-in-block-mode.jpg" alt-text="EDR in block mode detected something":::
## Enable EDR in block mode
> [!IMPORTANT]
> Make sure the [requirements](#requirements-for-edr-in-block-mode) are met before turning on EDR in block mode.
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. Choose **Settings** > **Advanced features**.
3. Turn on **EDR in block mode**.
> [!NOTE]
> EDR in block mode can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to enable or disable EDR in block mode.
## Requirements for EDR in block mode
|Requirement |Details |
|---------|---------|
|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). |
|Operating system |One of the following versions: <br/>- Windows 10 (all releases) <br/>- Windows Server 2016 or later |
|Windows E5 enrollment |Windows E5 is included in the following subscriptions: <br/>- Microsoft 365 E5 <br/>- Microsoft 365 E3 together with the Identity & Threat Protection offering <br/><br/>See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
|Cloud-delivered protection |Make sure Windows Defender Antivirus is configured such that cloud-delivered protection is enabled. <br/><br/>See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus). |
|Windows Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. <br/>In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
|Windows Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. <br/> In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
> [!IMPORTANT]
> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features.
## Frequently asked questions
### Will EDR in block mode have any impact on a user's antivirus protection?
No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Windows Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
### Why do I need to keep Windows Defender Antivirus up to date?
Because Windows Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest machine learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Windows Defender Antivirus up to date.
### Why do we need cloud protection on?
Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and machine learning models.
## Related articles
[Behavioral blocking and containment](behavioral-blocking-containment.md)
[Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus)

19
windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
View File

@ -1,5 +1,5 @@
---
title: Enable ASR rules individually to protect your organization
title: Enable attack surface reduction rules individually to protect your organization
description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques.
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on
search.product: eADQiWindows 10XVcnh
@ -12,7 +12,7 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 05/13/2019
ms.date: 05/05/2020
ms.reviewer:
manager: dansimp
---
@ -43,16 +43,10 @@ Enterprise-level management such as Intune or Microsoft Endpoint Configuration M
You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
> [!WARNING]
> [!IMPORTANT]
> Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
>
> If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
> [!IMPORTANT]
> File and folder exclusions do not apply to the following ASR rules:
>
> * Block process creations originating from PSExec and WMI commands
> * Block JavaScript or VBScript from launching downloaded executable content
You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
@ -131,10 +125,13 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
> [!WARNING]
> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
## PowerShell
>[!WARNING]
>If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
> [!WARNING]
> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**.

63
windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
View File

@ -17,24 +17,56 @@ audience: ITPro
manager: dansimp
---
# Enable network protection
# Turning on network protection
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it.
You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it.
## Check if network protection is enabled
You can see if network protection has been enabled on a local device by using Registry editor.
1. Select the **Start** button in the task bar and type **regedit** to open Registry editor
1. Choose **HKEY_LOCAL_MACHINE** from the side menu
1. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** **Windows Defender** > **Policy Manager**
1. Select **EnableNetworkProtection** to see the current state of network protection on the device
* 0, or **Off**
* 1, or **On**
* 2, or **Audit** mode
## Enable network protection
You can enable network protection by using any of these methods:
* [PowerShell](#powershell)
* [Microsoft Intune](#intune)
* [Mobile Device Management (MDM)](#mdm)
* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
* [Group Policy](#group-policy)
* [PowerShell](#powershell)
## Intune
### PowerShell
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Set-MpPreference -EnableNetworkProtection Enabled
```
You can enable the feature in audit mode using the following cmdlet:
```PowerShell
Set-MpPreference -EnableNetworkProtection AuditMode
```
Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off.
### Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
1. Click **Device configuration** > **Profiles** > **Create profile**.
@ -45,7 +77,7 @@ You can enable network protection by using any of these methods:
1. Click **OK** to save each open blade and click **Create**.
1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
## MDM
### MDM
Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode.
@ -58,13 +90,13 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://d
1. Review the settings and click **Next** to create the policy.
1. After the policy is created, click **Close**.
## Group Policy
### Group Policy
You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer.
1. On a standalone computer, click **Start**, type and then click **Edit group policy**.
-Or-
*-Or-*
On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -89,23 +121,6 @@ You can confirm network protection is enabled on a local computer by using Regis
* 1=On
* 2=Audit
## PowerShell
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Set-MpPreference -EnableNetworkProtection Enabled
```
You can enable the feature in audit mode using the following cmdlet:
```PowerShell
Set-MpPreference -EnableNetworkProtection AuditMode
```
Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off.
## Related topics
* [Network protection](network-protection.md)

2
windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
View File

@ -67,6 +67,8 @@ Enable security information and event management (SIEM) integration so you can p
> [!NOTE]
> You'll need to generate a new Refresh token every 90 days.
6. Follow the instructions for [creating an Azure AD app registration for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) and assign the correct permissions to it to read alerts.
You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center.
## Integrate Microsoft Defender ATP with IBM QRadar

3
windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
View File

@ -58,6 +58,9 @@ Event ID | Description
1124 | Audited controlled folder access event
1123 | Blocked controlled folder access event
> [!TIP]
> You can configure a [Windows Event Forwarding subscription](https://docs.microsoft.com/windows/win32/wec/setting-up-a-source-initiated-subscription) to collect the logs centrally.
## Customize protected folders and apps
During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.

16
windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
View File

@ -1,7 +1,7 @@
---
title: OData queries with Microsoft Defender ATP
ms.reviewer:
description: OData queries with Microsoft Defender ATP
description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender ATP
keywords: apis, supported apis, odata, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -35,7 +35,7 @@ Not all properties are filterable.
### Example 1
- Get all the machines with the tag 'ExampleTag'
Get all the machines with the tag 'ExampleTag'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
@ -76,7 +76,7 @@ Content-type: application/json
### Example 2
- Get all the alerts that created after 2018-10-20 00:00:00
Get all the alerts that created after 2018-10-20 00:00:00
```
HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime+gt+2018-11-22T00:00:00Z
@ -126,7 +126,7 @@ Content-type: application/json
### Example 3
- Get all the machines with 'High' 'RiskScore'
Get all the machines with 'High' 'RiskScore'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+eq+'High'
@ -167,7 +167,7 @@ Content-type: application/json
### Example 4
- Get top 100 machines with 'HealthStatus' not equals to 'Active'
Get top 100 machines with 'HealthStatus' not equals to 'Active'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100
@ -208,7 +208,7 @@ Content-type: application/json
### Example 5
- Get all the machines that last seen after 2018-10-20
Get all the machines that last seen after 2018-10-20
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z
@ -249,7 +249,7 @@ Content-type: application/json
### Example 6
- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP
Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP
```
HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan'
@ -283,7 +283,7 @@ Content-type: application/json
### Example 7
- Get the count of open alerts for a specific machine:
Get the count of open alerts for a specific machine:
```
HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved'

2
windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
View File

@ -1,6 +1,6 @@
---
title: Get alert related domains information
description: Retrieves all domains related to a specific alert.
description: Retrieve all domains related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get alert information, alert information, related domain
search.product: eADQiWindows 10XVcnh
ms.prod: w10

4
windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
View File

@ -1,6 +1,6 @@
---
title: Get alert related files information
description: Retrieves all files related to a specific alert.
description: Retrieve all files related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get alert information, alert information, related files
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -97,7 +97,7 @@ Content-type: application/json
"fileType": null,
"isPeFile": true,
"filePublisher": "Microsoft Corporation",
"fileProductName": "Microsoft<66> Windows<77> Operating System",
"fileProductName": "Microsoft<66> Windows<77> Operating System",
"signer": "Microsoft Corporation",
"issuer": "Microsoft Code Signing PCA",
"signerHash": "9dc17888b5cfad98b3cb35c1994e96227f061675",

2
windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
View File

@ -1,6 +1,6 @@
---
title: Get alert related IPs information
description: Retrieves all IPs related to a specific alert.
description: Retrieve all IPs related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get alert information, alert information, related ip
search.product: eADQiWindows 10XVcnh
ms.prod: w10

2
windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
View File

@ -1,6 +1,6 @@
---
title: Get alert related machine information
description: Retrieves all machines related to a specific alert.
description: Retrieve all machines related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get alert information, alert information, related machine
search.product: eADQiWindows 10XVcnh
ms.prod: w10

2
windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
View File

@ -1,6 +1,6 @@
---
title: Get IP related alerts API
description: Retrieves a collection of alerts related to a given IP address.
description: Retrieve a collection of alerts related to a given IP address using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get, ip, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10

2
windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
View File

@ -1,6 +1,6 @@
---
title: Get IP statistics API
description: Retrieves the prevalence for the given IP.
description: Get the latest stats for your IP using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get, ip, statistics, prevalence
search.product: eADQiWindows 10XVcnh
ms.prod: w10

2
windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
View File

@ -1,6 +1,6 @@
---
title: Get KB collection API
description: Retrieves a collection of KB's.
description: Retrieve a collection of knowledge bases (KB's) and KB details with Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get, kb
search.product: eADQiWindows 10XVcnh
search.appverid: met150

4
windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
View File

@ -1,6 +1,6 @@
---
title: Get machine log on users API
description: Retrieves a collection of logged on users.
description: Retrieve a collection of logged on users on a specific machine using Microsoft Defender ATP APIs.
keywords: apis, graph api, supported apis, get, machine, log on, users
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -73,7 +73,7 @@ Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
```
GET https://api.securitycenter.windows.com/api/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
```
**Response**

2
windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
View File

@ -1,6 +1,6 @@
---
title: List machineActions API
description: Use this API to create calls related to get machineactions collection
description: Use the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) API to create calls related to get machineactions collection.
keywords: apis, graph api, supported apis, machineaction collection
search.product: eADQiWindows 10XVcnh
ms.prod: w10

2
windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
View File

@ -1,6 +1,6 @@
---
title: Get machines security states collection API
description: Retrieves a collection of machines security states.
description: Retrieve a collection of machine security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP.
keywords: apis, graph api, supported apis, get, machine, security, state
search.product: eADQiWindows 10XVcnh
search.appverid: met150

2
windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
View File

@ -1,6 +1,6 @@
---
title: Get user related alerts API
description: Retrieves a collection of alerts related to a given user ID.
description: Retrieve a collection of alerts related to a given user ID using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get, user, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10

0
windows/security/threat-protection/windows-defender-antivirus/images/shadow-protection-detection.jpg → windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode.jpg
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 44 KiB

After

Width:  |  Height:  |  Size: 44 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mdatp-dashboard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 138 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 52 KiB

After

Width:  |  Height:  |  Size: 58 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 48 KiB

After

Width:  |  Height:  |  Size: 54 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 223 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 48 KiB

After

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 38 KiB

After

Width:  |  Height:  |  Size: 31 KiB

0
windows/security/threat-protection/windows-defender-antivirus/images/turn-shadow-protection-on.jpg → windows/security/threat-protection/microsoft-defender-atp/images/turn-edr-in-block-mode-on.jpg
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 19 KiB

After

Width:  |  Height:  |  Size: 19 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 115 KiB

Some files were not shown because too many files have changed in this diff Show More