deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 05:13:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into alluthewriter-4626590-Branch-2

Browse Source
This commit is contained in:
Tina Burden
2020-11-11 08:31:28 -08:00
committed by GitHub
parent 574286732f 6f4ada44c5
commit 82d48def96
35 changed files with 305 additions and 301 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
windows/client-management/advanced-troubleshooting-802-authentication.md
View File

@ -17,17 +17,17 @@ ms.topic: troubleshooting
## Overview
This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or switches, it won't be an end-to-end Microsoft solution.
This article includes general troubleshooting for 802.1X wireless and wired clients. While troubleshooting 802.1X and wireless, it's important to know how the flow of authentication works, and then figure out where it's breaking. It involves a lot of third-party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. We don't make access points or switches, so it's not an end-to-end Microsoft solution.
## Scenarios
This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 - 10 for clients, and Windows Server 2008 R2 - 2012 R2 for NPS.
This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 10 for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS.
## Known Issues
## Known issues
None
## Data Collection
## Data collection
See [Advanced troubleshooting 802.1X authentication data collection](data-collection-for-802-authentication.md).
@ -35,11 +35,11 @@ See [Advanced troubleshooting 802.1X authentication data collection](data-collec
Viewing [NPS authentication status events](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735320(v%3dws.10)) in the Windows Security [event log](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc722404(v%3dws.11)) is one of the most useful troubleshooting methods to obtain information about failed authentications.
NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you are not seeing both success and failure events, see the section below on [NPS audit policy](#audit-policy).
NPS event log entries contain information about the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you don't see both success and failure events, see the [NPS audit policy](#audit-policy) section later in this article.
Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected ([event ID 6273](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts.
Check Windows Security Event log on the NPS Server for NPS events that correspond to rejected ([event ID 6273](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts.
In the event message, scroll to the very bottom, and check the [Reason Code](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text associated with it.
In the event message, scroll to the very bottom, and then check the [Reason Code](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it.
![example of an audit failure](images/auditfailure.png)
*Example: event ID 6273 (Audit Failure)*<br><br>
@ -47,35 +47,35 @@ In the event message, scroll to the very bottom, and check the [Reason Code](htt
![example of an audit success](images/auditsuccess.png)
*Example: event ID 6272 (Audit Success)*<br>
The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one.
The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one.
On the client side, navigate to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, navigate to **..\Wired-AutoConfig/Operational**. See the following example:
On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to **..\Wired-AutoConfig/Operational**. See the following example:
![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png)
Most 802.1X authentication issues are due to problems with the certificate that is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.).
Most 802.1X authentication issues are because of problems with the certificate that's used for client or server authentication. Examples include invalid certificate, expiration, chain verification failure, and revocation check failure.
First, validate the type of EAP method being used:
First, validate the type of EAP method that's used:
![eap authentication type comparison](images/comparisontable.png)
If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Right click on the policy and select **Properties**. In the pop-up window, go to the **Constraints** tab and select the **Authentication Methods** section.
If a certificate is used for its authentication method, check whether the certificate is valid. For the server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Select and hold (or right-click) the policy, and then select **Properties**. In the pop-up window, go to the **Constraints** tab, and then select the **Authentication Methods** section.
![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png)
The CAPI2 event log will be useful for troubleshooting certificate-related issues.
This log is not enabled by default. You can enable this log by expanding **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, right-clicking **Operational** and then clicking **Enable Log**.
The CAPI2 event log is useful for troubleshooting certificate-related issues.
By default, this log isn't enabled. To enable this log, expand **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, select and hold (or right-click) **Operational**, and then select **Enable Log**.
![screenshot of event viewer](images/capi.png)
The following article explains how to analyze CAPI2 event logs:
For information about how to analyze CAPI2 event logs, see
[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29).
When troubleshooting complex 802.1X authentication issues, it is important to understand the 802.1X authentication process. The following figure is an example of wireless connection process with 802.1X authentication:
When troubleshooting complex 802.1X authentication issues, it's important to understand the 802.1X authentication process. Here's an example of wireless connection process with 802.1X authentication:
![authenticator flow chart](images/authenticator_flow_chart.png)
If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter in for a client side capture, and **EAP** for an NPS side capture. See the following examples:
If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter for a client-side capture, and **EAP** for an NPS-side capture. See the following examples:
![client-side packet capture data](images/clientsidepacket_cap_data.png)
*Client-side packet capture data*<br><br>
@ -85,16 +85,16 @@ If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both
> [!NOTE]
> If you have a wireless trace, you can also [view ETL files with network monitor](https://docs.microsoft.com/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. Follow the instructions under the **Help** menu in Network Monitor to load the reqired [parser](https://blogs.technet.microsoft.com/netmon/2010/06/04/parser-profiles-in-network-monitor-3-4/) if needed. See the example below.
> If you have a wireless trace, you can also [view ETL files with network monitor](https://docs.microsoft.com/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](https://blogs.technet.microsoft.com/netmon/2010/06/04/parser-profiles-in-network-monitor-3-4/), see the instructions under the **Help** menu in Network Monitor. Here's an example:
![ETL parse](images/etl.png)
## Audit policy
NPS audit policy (event logging) for connection success and failure is enabled by default. If you find that one or both types of logging are disabled, use the following steps to troubleshoot.
By default, NPS audit policy (event logging) for connection success and failure is enabled. If you find that one or both types of logging are disabled, use the following steps to troubleshoot.
View the current audit policy settings by running the following command on the NPS server:
```
```console
auditpol /get /subcategory:"Network Policy Server"
```
@ -106,13 +106,12 @@ Logon/Logoff
Network Policy Server Success and Failure
</pre>
If it shows No auditing, you can run this command to enable it:
```
If it says, "No auditing," you can run this command to enable it:
```console
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
```
Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing via Group Policy. The success/failure setting can be found under **Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff -> Audit Network Policy Server**.
Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing by using Group Policy. To get to the success/failure setting, select **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Advanced Audit Policy Configuration** > **Audit Policies** > **Logon/Logoff** > **Audit Network Policy Server**.
## Additional references

8
windows/client-management/manage-settings-app-with-group-policy.md
View File

@ -19,13 +19,13 @@ ms.topic: article
- Windows 10, Windows Server 2016
You can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely.
To make use of the Settings App group polices on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update.
You can now manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely.
To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update.
>[!Note]
>Each server that you want to manage access to the Settings App must be patched.
To centrally manage the new policies copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) if your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management.
If your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management, to centrally manage the new policies, copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra).
This policy is available for both User and Computer depending on the version of the OS. Windows Server 2016 with KB 4457127 applied will have both User and Computer policy. Windows 10, version 1703, added Computer policy for the Settings app. Windows 10, version 1809, added User policy for the Settings app.
@ -39,7 +39,7 @@ Policy paths:
## Configuring the Group Policy
The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon delimited list of URIs in **Settings Page Visiblity**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
>[!NOTE]
> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string.

8
windows/client-management/mdm/esim-enterprise-management.md
View File

@ -12,8 +12,8 @@ ms.topic: conceptual
---
# How Mobile Device Management Providers support eSIM Management on Windows
The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to leverage an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will leverage the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and installation happens on the background and not impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management.
If you are a Mobile Device Management (MDM) Provider and would like to support eSIM Management on Windows, you should do the following:
The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management.
If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps:
- Onboard to Azure Active Directory
- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding as well as mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include:
- [HPEs Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html)
@ -21,8 +21,8 @@ The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Pro
- Assess solution type that you would like to provide your customers
- Batch/offline solution
- IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices.
- Operator does not have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to
- Operator doesn't have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to
- Real-time solution
- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time.
- Operator is notified of the status of each eSIM profile and has visibility on which devices are being used
**Note:** The solution type is not noticeable to the end-user. The choice between the two is made between the MDM and the Mobile Operator.
**Note:** End users don't notice the solution type. The choice between the two is made between the MDM and the Mobile Operator.

114
windows/client-management/troubleshoot-inaccessible-boot-device.md
View File

@ -1,6 +1,6 @@
---
title: Advanced advice for Stop error 7B, Inaccessible_Boot_Device
description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device. This error may occur after some changes are made to the computer,
description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device. This error might occur after some changes are made to the computer,
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
@ -15,27 +15,27 @@ manager: dansimp
# Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device
This article provides steps to troubleshoot **Stop error 7B: Inaccessible_Boot_Device**. This error may occur after some changes are made to the computer, or immediately after you deploy Windows on the computer.
This article provides steps to troubleshoot **Stop error 7B: Inaccessible_Boot_Device**. This error might occur after some changes are made to the computer, or immediately after you deploy Windows on the computer.
## Causes of the Inaccessible_Boot_Device Stop error
Any one of the following factors may cause the stop error:
Any one of the following factors might cause the stop error:
* Missing, corrupted, or misbehaving filter drivers that are related to the storage stack
* Missing, corrupted, or misbehaving filter drivers that are related to the storage stack
* File system corruption
* File system corruption
* Changes to the storage controller mode or settings in the BIOS
* Changes to the storage controller mode or settings in the BIOS
* Using a different storage controller than the one that was used when Windows was installed
* Using a different storage controller than the one that was used when Windows was installed
* Moving the hard disk to a different computer that has a different controller
* Moving the hard disk to a different computer that has a different controller
* A faulty motherboard or storage controller, or faulty hardware
* A faulty motherboard or storage controller, or faulty hardware
* In unusual cases: the failure of the TrustedInstaller service to commit newly installed updates because of Component Based Store corruptions
* In unusual cases, the failure of the TrustedInstaller service to commit newly installed updates is because of component-based store corruptions
* Corrupted files in the **Boot** partition (for example, corruption in the volume that is labeled **SYSTEM** when you run the `diskpart` > `list vol` command)
* Corrupted files in the **Boot** partition (for example, corruption in the volume that's labeled **SYSTEM** when you run the `diskpart` > `list vol` command)
## Troubleshoot this error
@ -43,9 +43,9 @@ Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com
1. Start the system by using [the installation media for the installed version of Windows](https://support.microsoft.com/help/15088).
2. On the **Install Windows** screen, select **Next** > **Repair your computer** .
2. On the **Install Windows** screen, select **Next** > **Repair your computer**.
3. On the **System Recovery Options** screen, select **Next** > **Command Prompt** .
3. On the **System Recovery Options** screen, select **Next** > **Command Prompt**.
### Verify that the boot disk is connected and accessible
@ -55,7 +55,7 @@ Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com
A list of the physical disks that are attached to the computer should be displayed and resemble the following display:
```
```console
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
@ -65,7 +65,7 @@ A list of the physical disks that are attached to the computer should be display
If the computer uses a Unified Extensible Firmware Interface (UEFI) startup interface, there will be an asterisk (<em>) in the **GPT</em>* column.
If the computer uses a basic input/output system (BIOS) interface, there will not be an asterisk in the **Dyn** column.
If the computer uses a basic input/output system (BIOS) interface, there won't be an asterisk in the **Dyn** column.
#### Step 2
@ -73,7 +73,7 @@ If the `list disk` command lists the OS disks correctly, run the `list vol` comm
`list vol` generates an output that resembles the following display:
```
```console
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
@ -86,7 +86,7 @@ If the `list disk` command lists the OS disks correctly, run the `list vol` comm
```
>[!NOTE]
>If the disk that contains the OS is not listed in the output, you will have to engage the OEM or virtualization manufacturer.
>If the disk that contains the OS isn't listed in the output, you'll have to engage the OEM or virtualization manufacturer.
### Verify the integrity of Boot Configuration Database
@ -94,57 +94,57 @@ Check whether the Boot Configuration Database (BCD) has all the correct entries.
To verify the BCD entries:
1. Examine the **Windows Boot Manager** section that has the **{bootmgr}** identifier. Make sure that the **device** and **path** entries point to the correct device and boot loader file.
1. Examine the **Windows Boot Manager** section that has the **{bootmgr}** identifier. Make sure that the **device** and **path** entries point to the correct device and boot loader file.
An example output if the computer is UEFI-based:
If the computer is UEFI-based, here's example output:
```
```cmd
device partition=\Device\HarddiskVolume2
path \EFI\Microsoft\Boot\bootmgfw.efi
```
An example output if the machine is BIOS based:
```
If the machine is BIOS-based, here's example output:
```cmd
Device partition=C:
```
>[!NOTE]
>This output may not contain a path.
>This output might not contain a path.
2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device**, **path**, **osdevice**, and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder.
2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device**, **path**, **osdevice**, and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder.
> [!NOTE]
> If the computer is UEFI-based, the filepath value specified in the **path** parameter of **{bootmgr}** and **{default}** will contain an **.efi** extension.
> If the computer is UEFI-based, the file path value that's specified in the **path** parameter of **{bootmgr}** and **{default}** contains an **.efi** extension.
![bcdedit](images/screenshot1.png)
If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that is named **bcdbackup** . To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup** .
If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that's named **bcdbackup**. To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup**.
After the backup is completed, run the following command to make the changes:
After the backup completes, run the following command to make the changes:
<pre>bcdedit /set *{identifier}* option value</pre>
For example, if the device under {default} is wrong or missing, run the following command to set it: `bcdedit /set {default} device partition=C:`
For example, if the device under {default} is wrong or missing, run this command to set it: `bcdedit /set {default} device partition=C:`
If you want to re-create the BCD completely, or if you get a message that states that "**The boot configuration data store could not be opened. The system could not find the file specified,** " run `bootrec /rebuildbcd`.
If you want to completely re-create the BCD, or if you get a message that states that "**The boot configuration data store could not be opened. The system could not find the file specified,** " run `bootrec /rebuildbcd`.
If the BCD has the correct entries, check whether the **winload** and **bootmgr** entries exist in the correct location per the path that is specified in the **bcdedit** command. By default, **bootmgr** in the BIOS partition will be in the root of the **SYSTEM** partition. To see the file, run `Attrib -s -h -r`.
If the BCD has the correct entries, check whether the **winload** and **bootmgr** entries exist in the correct location, which is in the specified path in the **bcdedit** command. By default, **bootmgr** in the BIOS partition is in the root of the **SYSTEM** partition. To see the file, run `Attrib -s -h -r`.
If the files are missing, and you want to rebuild the boot files, follow these steps:
1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, as follows:
1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, like shown here:
```
D:\> Mkdir BootBackup
R:\> Copy *.* D:\BootBackup
```
```cmd
D:\> Mkdir BootBackup
R:\> Copy *.* D:\BootBackup
```
2. If you are using Windows 10, or if you are troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, as follows:
2. If you're using Windows 10, or if you're troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, like shown here:
```cmd
Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL
```
For example: if we assign the `<System Drive>` (WinRE drive) the letter R and the `<OSdrive>` is the letter D, this command would be the following:
For example, if we assign the `<System Drive>` (WinRE drive) the letter R and the `<OSdrive>` is the letter D, the following is the command that we would use:
```cmd
Bcdboot D:\windows /s R: /f ALL
@ -153,13 +153,13 @@ R:\> Copy *.* D:\BootBackup
>[!NOTE]
>The **ALL** part of the **bcdboot** command writes all the boot files (both UEFI and BIOS) to their respective locations.
If you do not have a Windows 10 ISO, you must format the partition and copy **bootmgr** from another working computer that has a similar Windows build. To do this, follow these steps:
If you don't have a Windows 10 ISO, format the partition and copy **bootmgr** from another working computer that has a similar Windows build. To do this, follow these steps:
1. Start **Notepad** .
1. Start **Notepad**.
2. Press Ctrl+O.
3. Navigate to the system partition (in this example, it is R).
3. Navigate to the system partition (in this example, it's R).
4. Right-click the partition, and then format it.
@ -171,7 +171,7 @@ Run the following command to verify the Windows update installation and dates:
Dism /Image:<Specify the OS drive>: /Get-packages
```
After you run this command, you will see the **Install pending** and **Uninstall Pending** packages:
After you run this command, you'll see the **Install pending** and **Uninstall Pending** packages:
![Dism output](images/pendingupdate.png)
@ -179,27 +179,27 @@ After you run this command, you will see the **Install pending** and **Uninstall
![Dism output](images/revertpending.png)
2. Navigate to ***OSdriveLetter* :\Windows\WinSxS** , and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**.
2. Navigate to ***OSdriveLetter*:\Windows\WinSxS**, and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**.
3. To revert the registry changes, type **regedit** at the command prompt to open **Registry Editor**.
3. To revert the registry changes, type **regedit** at the command prompt to open **Registry Editor**.
4. Select **HKEY_LOCAL_MACHINE**, and then go to **File** > **Load Hive**.
5. Navigate to **OSdriveLetter:\Windows\System32\config**, select the file that is named **COMPONENT** (with no extension), and then select **Open**. When you are prompted, enter the name **OfflineComponentHive** for the new hive
5. Navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **COMPONENT** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineComponentHive** for the new hive.
![Load Hive](images/loadhive.png)
6. Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key.
7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**.
7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**.
![Unload Hive](images/unloadhive.png)![Unload Hive](images/unloadhive1.png)
8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter* :\Windows\System32\config**, select the file that is named **SYSTEM** (with no extension), and then select **Open** . When you are prompted, enter the name **OfflineSystemHive** for the new hive.
8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **SYSTEM** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineSystemHive** for the new hive.
9. Expand **HKEY_LOCAL_MACHINE\OfflineSystemHive**, and then select the **Select** key. Check the data for the **Default** value.
10. If the data in **HKEY_LOCAL_MACHINE\OfflineSystemHive\Select\Default** is **1** , expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001**. If it is **2**, expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet002**, and so on.
10. If the data in **HKEY_LOCAL_MACHINE\OfflineSystemHive\Select\Default** is **1**, expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001**. If it's **2**, expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet002**, and so on.
11. Expand **Control\Session Manager**. Check whether the **PendingFileRenameOperations** key exists. If it does, back up the **SessionManager** key, and then delete the **PendingFileRenameOperations** key.
@ -207,7 +207,7 @@ After you run this command, you will see the **Install pending** and **Uninstall
#### Check services
1. Follow steps 1-10 in the "Troubleshooting if this issue occurs after an Windows Update installation" section. (Step 11 does not apply to this procedure.)
1. Follow steps 1-10 in the "Troubleshooting if this issue occurs after a Windows Update installation" section. (Step 11 doesn't apply to this procedure.)
2. Expand **Services**.
@ -225,9 +225,9 @@ After you run this command, you will see the **Install pending** and **Uninstall
* VOLUME
If these keys exist, check each one to make sure that it has a value that is named **Start** and that it is set to **0**. If not, set the value to **0**.
If these keys exist, check each one to make sure that it has a value that's named **Start**, and that it's set to **0**. If it's not, set the value to **0**.
If any of these keys do not exist, you can try to replace the current registry hive by using the hive from **RegBack**. To do this, run the following commands:
If any of these keys don't exist, you can try to replace the current registry hive by using the hive from **RegBack**. To do this, run the following commands:
```cmd
cd OSdrive:\Windows\System32\config
@ -237,7 +237,7 @@ copy OSdrive:\Windows\System32\config\RegBack\SYSTEM OSdrive:\Windows\System32\c
#### Check upper and lower filter drivers
Check whether there are any non-Microsoft upper and lower filter drivers on the computer and that they do not exist on another, similar working computer. if they do exist, remove the upper and lower filter drivers:
Check whether there are any non-Microsoft upper and lower filter drivers on the computer and that they don't exist on another, similar working computer. If they do exist, remove the upper and lower filter drivers:
1. Expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001\Control**.
@ -245,8 +245,8 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the
>[!NOTE]
>These filters are mainly related to storage. After you expand the **Control** key in the registry, you can search for **UpperFilters** and **LowerFilters**.
The following are some of the different registry entries in which you may find these filter drivers. These entries are located under **ControlSet** and are designated as **Default** :
You might find these filter drivers in some of the following registry entries. These entries are under **ControlSet** and are designated as **Default**:
\Control\Class\\{4D36E96A-E325-11CE-BFC1-08002BE10318}
@ -258,19 +258,19 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the
![Registry](images/controlset.png)
If an **UpperFilters** or **LowerFilters** entry is non-standard (for example, it is not a Windows default filter driver, such as PartMgr), remove the entry by double-clicking it in the right pane, and then deleting only that value.
If an **UpperFilters** or **LowerFilters** entry is non-standard (for example, it's not a Windows default filter driver, such as PartMgr), remove the entry. To remove it, double-click it in the right pane, and then delete only that value.
>[!NOTE]
>There could be multiple entries.
The reason that these entries may affect us is because there may be an entry in the **Services** branch that has a START type set to 0 or 1 (indicating that it is loaded at the Boot or Automatic part of the boot process). Also, either the file that is referred to is missing or corrupted, or it may be named differently than what is listed in the entry.
These entries might affect us because there might be an entry in the **Services** branch that has a START type set to 0 or 1, which means that it's loaded at the Boot or Automatic part of the boot process. Also, either the file that's referred to is missing or corrupted, or it might be named differently than what's listed in the entry.
>[!NOTE]
>If there actually is a service that is set to **0** or **1** that corresponds to an **UpperFilters** or **LowerFilters** entry, setting the service to disabled in the **Services** registry (as discussed in steps 2 and 3 of the Check services section) without removing the **Filter Driver** entry causes the computer to crash and generate a 0x7b Stop error.
>If there's a service that's set to **0** or **1** that corresponds to an **UpperFilters** or **LowerFilters** entry, setting the service to disabled in the **Services** registry (as discussed in steps 2 and 3 of the Check services section) without removing the **Filter Driver** entry causes the computer to crash and generate a 0x7b Stop error.
### Running SFC and Chkdsk
If the computer still does not start, you can try to run a **chkdisk** process on the system drive, and also run System File Checker. To do this, run the following commands at a WinRE command prompt:
If the computer still doesn't start, you can try to run a **chkdisk** process on the system drive, and then also run System File Checker. To do this, run the following commands at a WinRE command prompt:
* `chkdsk /f /r OsDrive:`

34
windows/client-management/troubleshoot-tcpip-connectivity.md
View File

@ -14,27 +14,33 @@ manager: dansimp
# Troubleshoot TCP/IP connectivity
You might come across connectivity errors on the application end or timeout errors. Most common scenarios would include application connectivity to a database server, SQL timeout errors, BizTalk application timeout errors, Remote Desktop Protocol (RDP) failures, file share access failures, or general connectivity.
You might come across connectivity errors on the application end or timeout errors. The following are the most common scenarios:
- Application connectivity to a database server
- SQL timeout errors
- BizTalk application timeout errors
- Remote Desktop Protocol (RDP) failures
- File share access failures
- General connectivity
When you suspect that the issue is on the network, you collect a network trace. The network trace would then be filtered. During troubleshooting connectivity errors, you might come across TCP reset in a network capture which could indicate a network issue.
When you suspect that the issue is on the network, you collect a network trace. The network trace would then be filtered. During troubleshooting connectivity errors, you might come across TCP reset in a network capture that could indicate a network issue.
* TCP is defined as connection-oriented and reliable protocol. One of the ways in which TCP ensures this is through the handshake process. Establishing a TCP session would begin with a 3-way handshake, followed by data transfer, and then a 4-way closure. The 4-way closure where both sender and receiver agree on closing the session is termed as *graceful closure*. After the 4-way closure, the server will allow 4 minutes of time (default), during which any pending packets on the network are to be processed, this is the TIME_WAIT state. Once the TIME_WAIT state is done, all the resources allocated for this connection are released.
* TCP is defined as connection-oriented and reliable protocol. One of the ways in which TCP ensures reliability is through the handshake process. Establishing a TCP session would begin with a three-way handshake, followed by data transfer, and then a four-way closure. The four-way closure where both sender and receiver agree on closing the session is termed as *graceful closure*. After the 4-way closure, the server will allow 4 minutes of time (default), during which any pending packets on the network are to be processed, this is the TIME_WAIT state. After the TIME_WAIT state completes, all the resources allocated for this connection are released.
* TCP reset is an abrupt closure of the session which causes the resources allocated to the connection to be immediately released and all other information about the connection is erased.
* TCP reset is an abrupt closure of the session; it causes the resources allocated to the connection to be immediately released and all other information about the connection is erased.
* TCP reset is identified by the RESET flag in the TCP header set to `1`.
A network trace on the source and the destination which will help you determine the flow of the traffic and see at what point the failure is observed.
A network trace on the source and the destination helps you to determine the flow of the traffic and see at what point the failure is observed.
The following sections describe some of the scenarios when you will see a RESET.
## Packet drops
When one TCP peer is sending out TCP packets for which there is no response received from the other end, the TCP peer would end up re-transmitting the data and when there is no response received, it would end the session by sending an ACK RESET( meaning, application acknowledges whatever data exchanged so far, but due to packet drop closing the connection).
When one TCP peer is sending out TCP packets for which there is no response received from the other end, the TCP peer would end up retransmitting the data and when there is no response received, it would end the session by sending an ACK RESET (this means that the application acknowledges whatever data is exchanged so far, but because of packet drop, the connection is closed).
The simultaneous network traces on source and destination will help you verify this behavior where on the source side you would see the packets being retransmitted and on the destination none of these packets are seen. This would mean, the network device between the source and destination is dropping the packets.
If the initial TCP handshake is failing because of packet drops then you would see that the TCP SYN packet is retransmitted only 3 times.
If the initial TCP handshake is failing because of packet drops, then you would see that the TCP SYN packet is retransmitted only three times.
Source side connecting on port 445:
@ -44,7 +50,7 @@ Destination side: applying the same filter, you do not see any packets.
![Screenshot of frame summary with filter in Network Monitor](images/tcp-ts-7.png)
For the rest of the data, TCP will retransmit the packets 5 times.
For the rest of the data, TCP will retransmit the packets five times.
**Source 192.168.1.62 side trace:**
@ -58,16 +64,16 @@ If you are seeing that the SYN packets are reaching the destination, but the des
## Incorrect parameter in the TCP header
You see this behavior when the packets are modified in the network by middle devices and TCP on the receiving end is unable to accept the packet, such as the sequence number being modified, or packets being re-played by middle device by changing the sequence number. Again, the simultaneous network trace on the source and destination will be able to tell you if any of the TCP headers are modified. Start by comparing the source trace and destination trace, you will be able to notice if there is a change in the packets itself or if any new packets are reaching the destination on behalf of the source.
You see this behavior when the packets are modified in the network by middle devices and TCP on the receiving end is unable to accept the packet, such as the sequence number being modified, or packets being replayed by middle device by changing the sequence number. Again, the simultaneous network trace on the source and destination will be able to tell you if any of the TCP headers are modified. Start by comparing the source trace and destination trace, you will be able to notice if there is a change in the packets itself or if any new packets are reaching the destination on behalf of the source.
In this case, you will again need help from the network team to identify any such device which is modifying packets or re-playing packets to the destination. The most common ones are RiverBed devices or WAN accelerators.
In this case, you'll again need help from the network team to identify any device that's modifying packets or replaying packets to the destination. The most common ones are RiverBed devices or WAN accelerators.
## Application side reset
When you have identified that the resets are not due to retransmits or incorrect parameter or packets being modified with the help of network trace, then you have narrowed it down to application level reset.
The application resets are the ones where you see the Acknowledgement flag set to `1` along with the reset flag. This would mean that the server is acknowledging the receipt of the packet but for some reason it will not accept the connection. This is when the application that received the packet did not like something it received.
The application resets are the ones where you see the Acknowledgment flag set to `1` along with the reset flag. This would mean that the server is acknowledging the receipt of the packet but for some reason it will not accept the connection. This is when the application that received the packet did not like something it received.
In the below screenshots, you see that the packets seen on the source and the destination are the same without any modification or any drops, but you see an explicit reset sent by the destination to the source.
@ -83,7 +89,7 @@ You also see an ACK+RST flag packet in a case when the TCP establishment packet
![Screenshot of packet flag](images/tcp-ts-11.png)
The application which is causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection.
The application that's causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection.
>[!Note]
>The above information is about resets from a TCP standpoint and not UDP. UDP is a connectionless protocol and the packets are sent unreliably. You would not see retransmission or resets when using UDP as a transport protocol. However, UDP makes use of ICMP as a error reporting protocol. When you have the UDP packet sent out on a port and the destination does not have port listed, you will see the destination sending out **ICMP Destination host unreachable: Port unreachable** message immediately after the UDP packet
@ -96,7 +102,7 @@ The application which is causing the reset (identified by port numbers) should b
```
During the course of troubleshooting connectivity issue, you might also see in the network trace that a machine receives packets but does not respond to. In such cases, there could be a drop at the server level. You should enable firewall auditing on the machine to understand if the local firewall is dropping the packet.
During the course of troubleshooting connectivity issue, you might also see in the network trace that a machine receives packets but does not respond to. In such cases, there could be a drop at the server level. To understand whether the local firewall is dropping the packet, enable the firewall auditing on the machine.
```
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
@ -106,6 +112,6 @@ You can then review the Security event logs to see for a packet drop on a partic
![Screenshot of Event Properties](images/tcp-ts-12.png)
Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. Once you open this file and filter for the ID you find in the above event (2944008), you will be able to see a firewall rule name associated with this ID which is blocking the connection.
Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. After you open this file and filter for the ID that you find in the above event (2944008), you'll be able to see a firewall rule name that's associated with this ID that's blocking the connection.
![Screenshot of wfpstate.xml file](images/tcp-ts-13.png)

6
windows/security/threat-protection/auditing/audit-detailed-file-share.md
View File

@ -37,9 +37,9 @@ There are no system access control lists (SACLs) for shared folders. If this pol
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | Yes | No | Yes | Audit Success for this subcategory on domain controllers typically will lead to very high volume of events, especially for SYSVOL share.<br>We recommend monitoring Failure access attempts: the volume should not be very high. You will be able to see who was not able to get access to a file or folder on a network share on a computer. |
| Member Server | IF | Yes | IF | Yes | IF If a server has shared network folders which typically get many access requests (File Server, for example), the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the clients IP address.<br>The volume of Failure events for member servers should not be very high (if they are not File Servers). With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. |
| Workstation | IF | Yes | IF | Yes | IF If a workstation has shared network folders which typically get many access requests, the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the clients IP address.<br>The volume of Failure events for workstations should not be very high. With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. |
| Domain Controller | No | Yes | No | Yes | Audit Success for this subcategory on domain controllers typically will lead to high volume of events, especially for SYSVOL share.<br>We recommend monitoring Failure access attempts: the volume should not be high. You will be able to see who was not able to get access to a file or folder on a network share on a computer. |
| Member Server | IF | Yes | IF | Yes | IF If a server has shared network folders that typically get many access requests (File Server, for example), the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the clients IP address.<br>The volume of Failure events for member servers should not be high (if they are not File Servers). With Failure auditing, you can see who can't access a file or folder on a network share on this computer. |
| Workstation | IF | Yes | IF | Yes | IF If a workstation has shared network folders that typically get many access requests, the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the clients IP address.<br>The volume of Failure events for workstations should not be high. With Failure auditing, you can see who can't access a file or folder on a network share on this computer. |
**Events List:**

15
windows/security/threat-protection/auditing/audit-group-membership.md
View File

@ -1,6 +1,6 @@
---
title: Audit Group Membership (Windows 10)
description: The advanced security audit policy setting, Audit Group Membership, enables you to audit group memberships when they are enumerated on the client PC.
description: Using the advanced security audit policy setting, Audit Group Membership, you can audit group memberships when they're enumerated on the client PC.
ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
ms.reviewer:
manager: dansimp
@ -20,8 +20,7 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
Audit Group Membership enables you to audit group memberships when they are enumerated on the client computer.
By using Audit Group Membership, you can audit group memberships when they're enumerated on the client computer.
This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created.
@ -33,15 +32,15 @@ Multiple events are generated if the group membership information cannot fit in
**Event volume**:
- Low on a client computer.
- Low on a client computer.
- Medium on a domain controller or network servers.
- Medium on a domain controller or network servers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Domain Controller | Yes | No | Yes | No | Group membership information for a logged-in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesnt have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
| Member Server | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesnt have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
| Workstation | Yes | No | Yes | No | Group membership information for a logged-in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesnt have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
**Events List:**

10
windows/security/threat-protection/auditing/audit-logoff.md
View File

@ -23,7 +23,7 @@ ms.date: 07/16/2018
Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated.
These events occur on the computer that was accessed. In the case of an interactive logon, these events are generated on the computer that was logged on to.
These events occur on the computer that was accessed. For an interactive logon, these events are generated on the computer that was logged on to.
There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record.
@ -31,13 +31,13 @@ Logon events are essential to understanding user activity and detecting potentia
**Event volume**: High.
This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to.
This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff, the security audit event is generated on the computer that the user account logged on to.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**

8
windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
View File

@ -1,6 +1,6 @@
---
title: Audit Non Sensitive Privilege Use (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
title: Audit Non-Sensitive Privilege Use (Windows 10)
description: This article for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
ms.assetid: 8fd74783-1059-443e-aa86-566d78606627
ms.reviewer:
manager: dansimp
@ -14,14 +14,14 @@ author: dansimp
ms.date: 04/19/2017
---
# Audit Non Sensitive Privilege Use
# Audit Non-Sensitive Privilege Use
**Applies to**
- Windows 10
- Windows Server 2016
Audit Non Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges:
Audit Non-Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges:
- Access Credential Manager as a trusted caller

2
windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
View File

@ -26,7 +26,7 @@ ms.topic: conceptual
To get preview features for Mac, you must set up your device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune).
> [!IMPORTANT]
> Make sure you have enabled [Microsoft Defender for Endpoint (Mac)](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-atp-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md), and [manual deployment](mac-install-manually.md) instructions.
> Make sure you have enabled [Microsoft Defender for Endpoint (Mac)](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-for-endpoint-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md), and [manual deployment](mac-install-manually.md) instructions.
## Enable the Insider program with Jamf

10
windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
View File

@ -17,16 +17,16 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# View and organize the Microsoft Defender ATP Devices list
# View and organize the Microsoft Defender for Endpoint Devices list
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-machinesview-abovefoldlink)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-machinesview-abovefoldlink)
The **Devices list** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices with alerts seen in the last 30 days.
@ -61,7 +61,7 @@ The exposure level reflects the current exposure of the device based on the cumu
If the exposure level says "No data available," there are a few reasons why this may be the case:
- Device stopped reporting for more than 30 days in that case it is considered inactive, and the exposure isn't computed
- Device OS not supported - see [minimum requirements for Microsoft Defender ATP](minimum-requirements.md)
- Device OS not supported - see [minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md)
- Device with stale agent (very unlikely)
### OS Platform
@ -106,4 +106,4 @@ Filter the list based on the grouping and tagging that you've added to individua
## Related topics
- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md)

26
windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
View File

@ -17,17 +17,17 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Manage Microsoft Defender Advanced Threat Protection alerts
# Manage Microsoft Defender for Endpoint alerts
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
Microsoft Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**.
Defender for Endpoint notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**.
You can manage alerts by selecting an alert in the **Alerts queue**, or the **Alerts** tab of the Device page for an individual device.
@ -43,7 +43,7 @@ If an alert is not yet assigned, you can select **Assign to me** to assign the a
## Suppress alerts
There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender Security Center. Microsoft Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender Security Center. Defender for Endpoint lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.
@ -82,7 +82,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
3. Select the **Triggering IOC**.
4. Specify the action and scope on the alert. <br>
You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and device timeline and will appear as resolved across Microsoft Defender ATP APIs. <br><br> Alerts that are marked as hidden will be suppressed from the entire system, both on the device's associated alerts and from the dashboard and will not be streamed across Microsoft Defender ATP APIs.
You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and device timeline and will appear as resolved across Defender for Endpoint APIs. <br><br> Alerts that are marked as hidden will be suppressed from the entire system, both on the device's associated alerts and from the dashboard and will not be streamed across Defender for Endpoint APIs.
5. Enter a rule name and a comment.
@ -120,10 +120,10 @@ Added comments instantly appear on the pane.
## Related topics
- [Manage suppression rules](manage-suppression-rules.md)
- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md)
- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender for Endpoint alert](investigate-files.md)
- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md)
- [Investigate an IP address associated with a Microsoft Defender for Endpoint alert](investigate-ip.md)
- [Investigate a domain associated with a Microsoft Defender for Endpoint alert](investigate-domain.md)
- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md)

2
windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
View File

@ -61,7 +61,7 @@ The following table lists various tasks you can perform to configure Microsoft D
|**Use Conditional Access** to control the devices and apps that can connect to your email and company resources |[Configure Conditional Access in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access) |
|**Configure Microsoft Defender Antivirus settings** using the Policy configuration service provider ([Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)) |[Device restrictions: Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus)<br/><br/>[Policy CSP - Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) |
|**If necessary, specify exclusions for Microsoft Defender Antivirus** <br/><br/>*Generally, you shouldn't need to apply exclusions. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios.* |[Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows](https://support.microsoft.com/help/822158/virus-scanning-recommendations-for-enterprise-computers)<br/><br/>[Device restrictions: Microsoft Defender Antivirus Exclusions for Windows 10 devices](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions) <br/><br/>[Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus)|
|**Configure your attack surface reduction rules** to target software behaviors that are often abused by attackers<br/><br/>*Configure your attack surface reduction rules in [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender) at first (for at least one week and up to two months). You can monitor status using Power BI ([get our template](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Attack%20Surface%20Reduction%20rules)), and then set those rules to active mode when you're ready.* |[Audit mode in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender)<br/><br/>[Endpoint protection: Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json#attack-surface-reduction)<br/><br/>[Learn more about attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)<br/><br/>[Tech Community blog post: Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) |
|**Configure your attack surface reduction rules** to target software behaviors that are often abused by attackers<br/><br/>*Configure your attack surface reduction rules in [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender) at first (for at least one week and up to two months). You can monitor status using Power BI ([get our template](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Attack%20Surface%20Reduction%20rules)), and then set those rules to active mode when you're ready.* |[Audit mode in Microsoft Defender for Endpoint ](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender)<br/><br/>[Endpoint protection: Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json#attack-surface-reduction)<br/><br/>[Learn more about attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)<br/><br/>[Tech Community blog post: Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) |
|**Configure your network filtering** to block outbound connections from any app to IP addresses or domains with low reputations <br/><br/>*Network filtering is also referred to as [network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection).*<br/><br/>*Make sure that Windows 10 devices have the latest [antimalware platform updates](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform) installed.*|[Endpoint protection: Network filtering](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#network-filtering)<br/><br/>[Review network protection events in Windows Event Viewer](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection#review-network-protection-events-in-windows-event-viewer) |
|**Configure controlled folder access** to protect against ransomware <br/><br/>*[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders) is also referred to as antiransomware protection.* |[Endpoint protection: Controlled folder access](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access) <br/><br/>[Enable controlled folder access in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#intune) |
|**Configure exploit protection** to protect your organization's devices from malware that uses exploits to spread and infect other devices <br/><br/> *[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection) is also referred to as Exploit Guard.* |[Endpoint protection: Microsoft Defender Exploit Guard](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-exploit-guard) <br/><br/>[Enable exploit protection in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection#intune) |

2
windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
View File

@ -69,7 +69,7 @@ The following table summarizes remediation actions following an automated invest
|Any of the **Full** or **Semi** automation levels |A verdict of *No threats found* is reached for a piece of evidence. <br/><br/>No remediation actions are taken, and no actions are pending approval. |[View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center) |
|**No automated response** (this is not recommended)|No automated investigations run, so no verdicts are reached, and no remediation actions are taken or awaiting approval. |[Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) |
In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions).
In Microsoft Defender for Endpoint, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions).
> [!TIP]
> To learn more about remediation actions following an automated investigation, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).

4
windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md
View File

@ -25,11 +25,11 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink)
Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in Automated investigation.

4
windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
View File

@ -25,11 +25,11 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink)
Automation folder exclusions allow you to specify folders that the Automated investigation will skip.

4
windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
View File

@ -19,13 +19,13 @@ ms.collection:
ms.topic: article
---
# Manage Microsoft Defender ATP incidents
# Manage Microsoft Defender for Endpoint incidents
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**.

12
windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
View File

@ -24,22 +24,22 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).
Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the device group to apply it to.
Currently supported sources are the cloud detection engine of Microsoft Defender ATP, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender AV).
Currently supported sources are the cloud detection engine of Defender for Endpoint, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender AV).
**Cloud detection engine**<br>
The cloud detection engine of Microsoft Defender ATP regularly scans collected data and tries to match the indicators you set. When there is a match, action will be taken according to the settings you specified for the IoC.
The cloud detection engine of Defender for Endpoint regularly scans collected data and tries to match the indicators you set. When there is a match, action will be taken according to the settings you specified for the IoC.
**Endpoint prevention engine**<br>
The same list of indicators is honored by the prevention agent. Meaning, if Microsoft Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Microsoft Defender AV will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Microsoft Defender AV will not detect nor block the file from being run.
The same list of indicators is honored by the prevention agent. Meaning, if Microsoft Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Microsoft Defender AV will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Microsoft Defender AV will not detect nor block the file from being run.
**Automated investigation and remediation engine**<BR>
The automated investigation and remediation behave the same. If an indicator is set to "Allow", Automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated investigation and remediation will treat it as "bad".
@ -64,5 +64,5 @@ You can create an indicator for:
## Related topics
- [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
- [Use the Microsoft Defender ATP indicators API](ti-indicator.md)
- [Use the Microsoft Defender for Endpoint indicators API](ti-indicator.md)
- [Use partner integrated solutions](partner-applications.md)

2
windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
There might be scenarios where you need to suppress alerts from appearing in the portal. You can create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. For more information on how to suppress alerts, see [Suppress alerts](manage-alerts.md).

32
windows/security/threat-protection/microsoft-defender-atp/management-apis.md
View File

@ -24,19 +24,19 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mgt-apis-abovefoldlink)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mgt-apis-abovefoldlink)
Microsoft Defender ATP supports a wide variety of options to ensure that customers can easily adopt the platform.
Defender for Endpoint supports a wide variety of options to ensure that customers can easily adopt the platform.
Acknowledging that customer environments and structures can vary, Microsoft Defender ATP was created with flexibility and granular control to fit varying customer requirements.
Acknowledging that customer environments and structures can vary, Defender for Endpoint was created with flexibility and granular control to fit varying customer requirements.
## Endpoint onboarding and portal access
Device onboarding is fully integrated into Microsoft Endpoint Configuration Manager and Microsoft Intune for client devices and Azure Security Center for server devices, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for devices management.
Microsoft Defender ATP provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure:
Defender for Endpoint provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure:
- Globally distributed organizations and security teams
- Tiered model security operations teams
- Fully segregated divisions with single centralized global security operations teams
@ -44,30 +44,30 @@ Microsoft Defender ATP provides fine-grained control over what users with access
## Available APIs
The Microsoft Defender ATP solution is built on top of an integration-ready platform.
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities.
Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities.
![Image of available API and integration in Microsoft Defender ATP](images/mdatp-apis.png)
![Image of available API and integration in Microsoft Defender for Endpoint](images/mdatp-apis.png)
The Microsoft Defender ATP APIs can be grouped into three:
- Microsoft Defender ATP APIs
The Defender for Endpoint APIs can be grouped into three:
- Microsoft Defender for Endpoint APIs
- Raw data streaming API
- SIEM integration
## Microsoft Defender ATP APIs
## Microsoft Defender for Endpoint APIs
Microsoft Defender ATP offers a layered API model exposing data and capabilities in a structured, clear, and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form.
Defender for Endpoint offers a layered API model exposing data and capabilities in a structured, clear, and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form.
Watch this video for a quick overview of Microsoft Defender ATP's APIs.
Watch this video for a quick overview of Defender for Endpoint's APIs.
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M]
The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information, see, [Supported APIs](exposed-apis-list.md).
The **Investigation API** exposes the richness of Defender for Endpoint - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information, see, [Supported APIs](exposed-apis-list.md).
The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate devices from the network, quarantine files, and others.
## Raw data streaming API
Microsoft Defender ATP raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism.
Defender for Endpoint raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism.
The Microsoft Defender ATP event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines.
The Defender for Endpoint event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines.
For more information, see, [Raw data streaming API](raw-data-export.md).
@ -76,7 +76,7 @@ For more information, see, [Raw data streaming API](raw-data-export.md).
When you enable security information and event management (SIEM) integration, it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under your Azure Active Directory (Azure AD) tenant. For more information, see, [SIEM integration](enable-siem-integration.md)
## Related topics
- [Access the Microsoft Defender Advanced Threat Protection APIs ](apis-intro.md)
- [Access the Microsoft Defender for Endpoint APIs ](apis-intro.md)
- [Supported APIs](exposed-apis-list.md)
- [Technical partner opportunities](partner-integration.md)

4
windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md
View File

@ -24,12 +24,12 @@ ms.date: 09/22/2020
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
# Migrate from McAfee to Microsoft Defender Advanced Threat Protection
# Migrate from McAfee to Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide to plan your migration.
If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide to plan your migration.
## The migration process

4
windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
View File

@ -34,10 +34,10 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
||*You are here!* | |
**Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps:
**Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps:
1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).
2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
3. [Add Microsoft Defender ATP to the exclusion list for McAfee](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-mcafee).
3. [Add Microsoft Defender for Endpoint to the exclusion list for McAfee](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-mcafee).
4. [Add McAfee to the exclusion list for Microsoft Defender Antivirus](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-antivirus).
5. [Add McAfee to the exclusion list for Microsoft Defender for Endpoint](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-for-endpoint).
6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).

12
windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md
View File

@ -25,26 +25,26 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
To benefit from Microsoft Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration.
To benefit from Microsoft Defender for Endpoint cloud app discovery signals, turn on Microsoft Cloud App Security integration.
>[!NOTE]
>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions.
> See [Microsoft Defender Advanced Threat Protection integration with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration) for detailed integration of Microsoft Defender ATP with Microsoft Cloud App Security.
> See [Microsoft Defender for Endpoint integration with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration) for detailed integration of Microsoft Defender ATP with Microsoft Cloud App Security.
## Enable Microsoft Cloud App Security in Microsoft Defender ATP
## Enable Microsoft Cloud App Security in Microsoft Defender for Endpoint
1. In the navigation pane, select **Preferences setup** > **Advanced features**.
2. Select **Microsoft Cloud App Security** and switch the toggle to **On**.
3. Click **Save preferences**.
Once activated, Microsoft Defender ATP will immediately start forwarding discovery signals to Cloud App Security.
Once activated, Microsoft Defender for Endpoint will immediately start forwarding discovery signals to Cloud App Security.
## View the data collected
To view and access Microsoft Defender ATP data in Microsoft Cloud Apps Security, see [Investigate devices in Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration#investigate-machines-in-cloud-app-security).
To view and access Microsoft Defender for Endpoint data in Microsoft Cloud Apps Security, see [Investigate devices in Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration#investigate-machines-in-cloud-app-security).
For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps).

12
windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
View File

@ -19,12 +19,12 @@ ms.topic: conceptual
ms.date: 10/18/2018
---
# Microsoft Cloud App Security in Microsoft Defender ATP overview
# Microsoft Cloud App Security in Defender for Endpoint overview
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
[!include[Prerelease information](../../includes/prerelease.md)]
@ -33,9 +33,9 @@ Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution th
>[!NOTE]
>This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10 version 1809 or later.
## Microsoft Defender ATP and Cloud App Security integration
## Microsoft Defender for Endpoint and Cloud App Security integration
Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Microsoft Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity.
Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Microsoft Defender for Endpoint integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4yQ]
@ -44,9 +44,9 @@ The integration provides the following major improvements to the existing Cloud
- Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers.
- Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security requires firewall and proxy server configuration. With the Microsoft Defender ATP and Cloud App Security integration, there's no configuration required. Just switch it on in Microsoft Defender Security Center settings and you're good to go.
- Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security requires firewall and proxy server configuration. With the Defender for Endpoint and Cloud App Security integration, there's no configuration required. Just switch it on in Microsoft Defender Security Center settings and you're good to go.
- Device context - Cloud traffic logs lack device context. Microsoft Defender ATP network activity is reported with the device context (which device accessed the cloud app), so you are able to understand exactly where (device) the network activity took place, in addition to who (user) performed it.
- Device context - Cloud traffic logs lack device context. Defender for Endpoint network activity is reported with the device context (which device accessed the cloud app), so you are able to understand exactly where (device) the network activity took place, in addition to who (user) performed it.
For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps).

30
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
View File

@ -24,14 +24,14 @@ ms.topic: conceptual
> For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
Microsoft Defender Advanced Threat Protection is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
<p></p>
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4wDob]
>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4wDob]
Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP.
- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender for Endpoint.
- **Cloud security analytics**: Leveraging big-data, device-learning, and
@ -42,12 +42,12 @@ Microsoft Defender ATP uses the following combination of technology built into W
- **Threat intelligence**: Generated by Microsoft hunters, security teams,
and augmented by threat intelligence provided by partners, threat
intelligence enables Microsoft Defender ATP to identify attacker
intelligence enables Defender for Endpoint to identify attacker
tools, techniques, and procedures, and generate alerts when they
are observed in collected sensor data.
<center><h2>Microsoft Defender ATP</center></h2>
<center><h2>Microsoft Defender for Endpoint</center></h2>
<table>
<tr>
<td><a href="#tvm"><center><img src="images/TVM_icon.png"> <br><b>Threat & Vulnerability Management</b></center></a></td>
@ -69,11 +69,11 @@ Microsoft Defender ATP uses the following combination of technology built into W
<p></p>
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4vnC4?rel=0]
>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4vnC4?rel=0]
> [!TIP]
> - Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
> - Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
> - Learn about the latest enhancements in Defender for Endpoint: [What's new in Microsoft Defender for Endpoint](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
> - Microsoft Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
<a name="tvm"></a>
@ -104,15 +104,15 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft
**[Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)**<br>
Microsoft Defender ATP includes Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
Defender for Endpoint includes Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
<a name="mte"></a>
**[Microsoft Threat Experts](microsoft-threat-experts.md)**<br>
Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.
Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.
>[!IMPORTANT]
>Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.<p>
>Defender for Endpoint customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.<p>
><p>If you are not enrolled yet and would like to experience its benefits, go to <b>Settings</b> > <b>General</b> > <b>Advanced features</b> > <b>Microsoft Threat Experts</b> to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription.
<a name="apis"></a>
@ -123,7 +123,7 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
<a name="mtp"></a>
**[Integration with Microsoft solutions](threat-protection-integration.md)** <br>
Microsoft Defender ATP directly integrates with various Microsoft solutions, including:
Defender for Endpoint directly integrates with various Microsoft solutions, including:
- Intune
- Office 365 ATP
- Azure ATP
@ -132,8 +132,8 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
- Microsoft Cloud App Security
**[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**<br>
With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
With Microsoft Threat Protection, Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
## Related topic
[Microsoft Defender ATP helps detect sophisticated threats](https://www.microsoft.com/en-us/itshowcase/microsoft-defender-atps-antivirus-capabilities-boost-malware-protection)
[Microsoft Defender for Endpoint helps detect sophisticated threats](https://www.microsoft.com/itshowcase/microsoft-defender-atps-antivirus-capabilities-boost-malware-protection)

28
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
View File

@ -20,24 +20,24 @@ ms.collection:
ms.topic: conceptual
---
# Microsoft Defender Advanced Threat Protection for Android
# Microsoft Defender for Endpoint for Android
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
This topic describes how to install, configure, update, and use Microsoft Defender ATP for Android.
This topic describes how to install, configure, update, and use Defender for Endpoint for Android.
> [!CAUTION]
> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Android is likely to cause performance problems and unpredictable system errors.
> Running other third-party endpoint protection products alongside Defender for Endpoint for Android is likely to cause performance problems and unpredictable system errors.
## How to install Microsoft Defender ATP for Android
## How to install Microsoft Defender for Endpoint for Android
### Prerequisites
- **For end users**
- Microsoft Defender ATP license assigned to the end user(s) of the app. See [Microsoft Defender ATP licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements)
- Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See [Microsoft Defender for Endpoint licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements)
- Intune Company Portal app can be downloaded from [Google
Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal)
@ -57,7 +57,7 @@ This topic describes how to install, configure, update, and use Microsoft Defend
- Access to the Microsoft Defender Security Center portal.
> [!NOTE]
> Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender ATP for Android. Currently only enrolled devices are supported for enforcing Microsoft Defender ATP for Android related device compliance policies in Intune.
> Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender for Endpoint for Android. Currently only enrolled devices are supported for enforcing Defender for Endpoint for Android related device compliance policies in Intune.
- Access [Microsoft Endpoint Manager admin
center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the
@ -72,24 +72,24 @@ This topic describes how to install, configure, update, and use Microsoft Defend
### Installation instructions
Microsoft Defender ATP for Android supports installation on both modes of
Microsoft Defender for Endpoint for Android supports installation on both modes of
enrolled devices - the legacy Device Administrator and Android Enterprise modes.
**Currently, only Work Profile enrolled devices are supported in Android Enterprise. Support for other Android Enterprise modes will be announced when ready.**
Deployment of Microsoft Defender ATP for Android is via Microsoft Intune (MDM).
For more information, see [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md).
Deployment of Microsoft Defender for Endpoint for Android is via Microsoft Intune (MDM).
For more information, see [Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune](android-intune.md).
> [!NOTE]
> **Microsoft Defender ATP for Android is available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx) now.** <br> You can connect to Google Play from Intune to deploy Microsoft Defender ATP app, across Device Administrator and Android Enterprise entrollment modes.
> **Microsoft Defender for Endpoint for Android is available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx) now.** <br> You can connect to Google Play from Intune to deploy Microsoft Defender for Endpoint app, across Device Administrator and Android Enterprise entrollment modes.
## How to Configure Microsoft Defender ATP for Android
## How to Configure Microsoft Defender for Endpoint for Android
Guidance on how to configure Microsoft Defender ATP for Android features is available in [Configure Microsoft Defender ATP for Android features](android-configure.md).
Guidance on how to configure Microsoft Defender for Endpoint for Android features is available in [Configure Microsoft Defender for Endpoint for Android features](android-configure.md).
## Related topics
- [Deploy Microsoft Defender ATP for with Microsoft Intune](android-intune.md)
- [Configure Microsoft Defender ATP for Android features](android-configure.md)
- [Deploy Microsoft Defender for Endpoint for with Microsoft Intune](android-intune.md)
- [Configure Microsoft Defender for Endpoint for Android features](android-configure.md)

10
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
View File

@ -20,7 +20,7 @@ ms.collection:
ms.topic: conceptual
---
# Microsoft Defender Advanced Threat Protection for iOS
# Microsoft Defender for Endpoint for iOS
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@ -33,7 +33,7 @@ ms.topic: conceptual
> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
The public preview of Microsoft Defender ATP for iOS will offer protection
The public preview of Defender for Endpoint for iOS will offer protection
against phishing and unsafe network connections from websites, emails, and apps.
All alerts will be available through a single pane of glass in the Microsoft
Defender Security Center. The portal gives security teams a centralized view of threats on
@ -44,7 +44,7 @@ iOS devices along with other platforms.
**For End Users**
- Microsoft Defender ATP license assigned to the end user(s) of the app. Refer
- Defender for Endpoint license assigned to the end user(s) of the app. Refer
[Assign licenses to
users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
for instructions on how to assign licenses.
@ -74,5 +74,5 @@ iOS devices along with other platforms.
## Next steps
- [Deploy Microsoft Defender ATP for iOS](ios-install.md)
- [Configure Microsoft Defender ATP for iOS features](ios-configure-features.md)
- [Deploy Microsoft Defender for Endpoint for iOS](ios-install.md)
- [Configure Microsoft Defender for Endpoint for iOS features](ios-configure-features.md)

36
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
View File

@ -20,17 +20,17 @@ ms.collection:
ms.topic: conceptual
---
# Microsoft Defender ATP for Linux
# Microsoft Defender for Endpoint for Linux
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
This topic describes how to install, configure, update, and use Microsoft Defender ATP for Linux.
This topic describes how to install, configure, update, and use Microsoft Defender for Endpoint for Linux.
> [!CAUTION]
> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to cause performance problems and unpredictable system errors.
> Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint for Linux is likely to cause performance problems and unpredictable system errors.
## How to install Microsoft Defender ATP for Linux
## How to install Microsoft Defender for Endpoint for Linux
### Prerequisites
@ -40,19 +40,19 @@ This topic describes how to install, configure, update, and use Microsoft Defend
### Installation instructions
There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Linux.
There are several methods and deployment tools that you can use to install and configure Microsoft Defender for Endpoint for Linux.
In general you need to take the following steps:
- Ensure that you have a Microsoft Defender ATP subscription, and that you have access to the [Microsoft Defender ATP portal](microsoft-defender-security-center.md).
- Deploy Microsoft Defender ATP for Linux using one of the following deployment methods:
- Ensure that you have a Microsoft Defender for Endpoint subscription, and that you have access to the [Microsoft Defender for Endpoint portal](microsoft-defender-security-center.md).
- Deploy Microsoft Defender for Endpoint for Linux using one of the following deployment methods:
- The command-line tool:
- [Manual deployment](linux-install-manually.md)
- Third-party management tools:
- [Deploy using Puppet configuration management tool](linux-install-with-puppet.md)
- [Deploy using Ansible configuration management tool](linux-install-with-ansible.md)
If you experience any installation failures, refer to [Troubleshooting installation failures in Microsoft Defender ATP for Linux](linux-support-install.md).
If you experience any installation failures, refer to [Troubleshooting installation failures in Microsoft Defender for Endpoint for Linux](linux-support-install.md).
### System requirements
@ -68,7 +68,7 @@ If you experience any installation failures, refer to [Troubleshooting installat
- Minimum kernel version 3.10.0-327
- The `fanotify` kernel option must be enabled
> [!CAUTION]
> Running Microsoft Defender ATP for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
> Running Defender for Endpoint for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
- Disk space: 1GB
- The solution currently provides real-time protection for the following file system types:
@ -99,33 +99,33 @@ The following downloadable spreadsheet lists the services and their associated U
|**Spreadsheet of domains list**|**Description**|
|:-----|:-----|
|![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
> [!NOTE]
> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
Defender for Endpoint can discover a proxy server by using the following discovery methods:
- Transparent proxy
- Manual static proxy configuration
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md).
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Defender for Endpoint. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md).
> [!WARNING]
> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
>
> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Defender for Endpoint for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
For troubleshooting steps, see [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md).
For troubleshooting steps, see [Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint for Linux](linux-support-connectivity.md).
## How to update Microsoft Defender ATP for Linux
## How to update Microsoft Defender for Endpoint for Linux
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Linux, refer to [Deploy updates for Microsoft Defender ATP for Linux](linux-updates.md).
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender for Endpoint for Linux, refer to [Deploy updates for Microsoft Defender for Endpoint for Linux](linux-updates.md).
## How to configure Microsoft Defender ATP for Linux
## How to configure Microsoft Defender for Endpoint for Linux
Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md).
## Resources

46
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
View File

@ -20,38 +20,38 @@ ms.collection:
ms.topic: conceptual
---
# Microsoft Defender Advanced Threat Protection for Mac
# Microsoft Defender for Endpoint for Mac
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
This topic describes how to install, configure, update, and use Microsoft Defender ATP for Mac.
This topic describes how to install, configure, update, and use Defender for Endpoint for Mac.
> [!CAUTION]
> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Mac is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of MDATP for Mac EDR functionality after configuring MDATP for Mac antivirus functionality to run in [Passive mode](mac-preferences.md#enable--disable-passive-mode).
> Running other third-party endpoint protection products alongside Defender for Endpoint for Mac is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of MDATP for Mac EDR functionality after configuring MDATP for Mac antivirus functionality to run in [Passive mode](mac-preferences.md#enable--disable-passive-mode).
## Whats new in the latest release
[What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md)
[What's new in Microsoft Defender for Endpoint](whats-new-in-microsoft-defender-atp.md)
[What's new in Microsoft Defender ATP for Mac](mac-whatsnew.md)
[What's new in Microsoft Defender for Endpoint for Mac](mac-whatsnew.md)
> [!TIP]
> If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your device and navigating to **Help** > **Send feedback**.
> If you have any feedback that you would like to share, submit it by opening Defender for Endpoint for Mac on your device and navigating to **Help** > **Send feedback**.
To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender ATP to be an "Insider" device. See [Enable Microsoft Defender ATP Insider Device](endpoint-detection-response-mac-preview.md).
To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Defender for Endpoint to be an "Insider" device. See [Enable Microsoft Defender for Endpoint Insider Device](endpoint-detection-response-mac-preview.md).
## How to install Microsoft Defender ATP for Mac
## How to install Microsoft Defender for Endpoint for Mac
### Prerequisites
- A Microsoft Defender ATP subscription and access to the Microsoft Defender Security Center portal
- A Defender for Endpoint subscription and access to the Microsoft Defender Security Center portal
- Beginner-level experience in macOS and BASH scripting
- Administrative privileges on the device (in case of manual deployment)
### Installation instructions
There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
There are several methods and deployment tools that you can use to install and configure Defender for Endpoint for Mac.
- Third-party management tools:
- [Microsoft Intune-based deployment](mac-install-with-intune.md)
@ -74,15 +74,15 @@ After you've enabled the service, you may need to configure your network or fire
### Licensing requirements
Microsoft Defender Advanced Threat Protection for Mac requires one of the following Microsoft Volume Licensing offers:
Microsoft Defender for Endpoint for Mac requires one of the following Microsoft Volume Licensing offers:
- Microsoft 365 E5 (M365 E5)
- Microsoft 365 E5 Security
- Microsoft 365 A5 (M365 A5)
> [!NOTE]
> Eligible licensed users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices.
> Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed.
> Eligible licensed users may use Defender for Endpoint on up to five concurrent devices.
> Microsoft Defender for Endpoint is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed.
### Network connections
@ -92,11 +92,11 @@ The following downloadable spreadsheet lists the services and their associated U
|**Spreadsheet of domains list**|**Description**|
|:-----|:-----|
|![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
Defender for Endpoint can discover a proxy server by using the following discovery methods:
- Proxy autoconfig (PAC)
- Web Proxy Autodiscovery Protocol (WPAD)
- Manual static proxy configuration
@ -106,7 +106,7 @@ If a proxy or firewall is blocking anonymous traffic, make sure that anonymous t
> [!WARNING]
> Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used.
>
> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Mac to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Defender for Endpoint for Mac to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
@ -125,25 +125,25 @@ The output from this command should be similar to the following:
> [!CAUTION]
> We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client devices. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal:
Once Defender for Endpoint is installed, connectivity can be validated by running the following command in Terminal:
```bash
mdatp --connectivity-test
```
## How to update Microsoft Defender ATP for Mac
## How to update Microsoft Defender for Endpoint for Mac
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. To learn more, see [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md)
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Defender for Endpoint for Mac, a program named Microsoft AutoUpdate (MAU) is used. To learn more, see [Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md)
## How to configure Microsoft Defender ATP for Mac
## How to configure Microsoft Defender for Endpoint for Mac
Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md).
Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md).
## macOS kernel and system extensions
In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. Visit [What's new in Microsoft Defender Advanced Threat Protection for Mac](mac-whatsnew.md) for relevant details.
In alignment with macOS evolution, we are preparing a Defender for Endpoint for Mac update that leverages system extensions instead of kernel extensions. Visit [What's new in Microsoft Defender for Endpoint for Mac](mac-whatsnew.md) for relevant details.
## Resources
- For more information about logging, uninstalling, or other topics, see the [Resources](mac-resources.md) page.
- [Privacy for Microsoft Defender ATP for Mac](mac-privacy.md)
- [Privacy for Microsoft Defender for Endpoint for Mac](mac-privacy.md)

6
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md
View File

@ -24,7 +24,7 @@ ms.topic: conceptual
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
Microsoft Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.
Microsoft Defender Security Center is the portal where you can access Microsoft Defender for Endpoint capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.
## In this section
@ -35,9 +35,9 @@ Get started | Learn about the minimum requirements, validate licensing and com
[Understand the portal](use.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal.
Investigate and remediate threats | Investigate alerts, devices, and take response actions to remediate threats.
API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from Microsoft Defender Security Center.
Reporting | Create and build Power BI reports using Microsoft Defender ATP data.
Reporting | Create and build Power BI reports using Defender for Endpoint data.
Check service health and sensor state | Verify that the service is running and check the sensor state on devices.
[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure general settings, turn on the preview experience, notifications, and enable other features.
[Access the Microsoft Defender ATP Community Center](community.md) | Access the Microsoft Defender ATP Community Center to learn, collaborate, and share experiences about the product.
[Access the Microsoft Defender for Endpoint Community Center](community.md) | Access the Defender for Endpoint Community Center to learn, collaborate, and share experiences about the product.
[Troubleshoot service issues](troubleshoot-mdatp.md) | This section addresses issues that might arise as you use the Microsoft Defender Advanced Threat service.

4
windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
View File

@ -25,7 +25,7 @@ ms.topic: conceptual
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Microsoft Threat Experts is a managed threat hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments dont get missed.
@ -40,7 +40,7 @@ Watch this video for a quick overview of Microsoft Threat Experts.
> [!NOTE]
> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service.
Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
Defender for Endpoint customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on-Demand subscription. See [Configure Microsoft Threat Experts capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#before-you-begin) for details.

4
windows/security/threat-protection/microsoft-defender-atp/migration-guides.md
View File

@ -29,8 +29,8 @@ If you're considering switching from a non-Microsoft threat protection solution
|Scenario |Guidance |
|:--|:--|
|You do not have an endpoint protection solution yet, and you want to know more about how Microsoft Defender for Endpoint & Microsoft Defender Antivirus work. |[Microsoft Defender ATP evaluation lab](evaluation-lab.md) |
|You have Microsoft Defender for Endpoint & Microsoft Defender Antivirus and need some help getting everything set up and configured. |[Microsoft Defender Advanced Threat Protection deployment guide](deployment-phases.md) |
|You do not have an endpoint protection solution yet, and you want to know more about how Microsoft Defender for Endpoint & Microsoft Defender Antivirus work. |[Microsoft Defender for Endpoint evaluation lab](evaluation-lab.md) |
|You have Microsoft Defender for Endpoint & Microsoft Defender Antivirus and need some help getting everything set up and configured. |[Microsoft Defender for Endpoint deployment guide](deployment-phases.md) |
|You're planning to migrate from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Switch from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md) |
|You're planning to migrate from Symantec Endpoint Protection (Symantec) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Switch from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md) |
|You're planning to migrate from a non-Microsoft endpoint protection solution (other than McAfee or Symantec) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Make the switch to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md) |

44
windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
View File

@ -17,25 +17,25 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Minimum requirements for Microsoft Defender ATP
# Minimum requirements for Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
There are some minimum requirements for onboarding devices to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service.
> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink).
> Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink).
> [!TIP]
> - Learn about the latest enhancements in Microsoft Defender ATP: [Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced).
> - Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
> - Learn about the latest enhancements in Microsoft Defender for Endpoint: [Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced).
> - Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
## Licensing requirements
Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
Microsoft Defender for Endpoint requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
- Windows 10 Education A5
@ -44,18 +44,18 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
- Microsoft 365 A5 (M365 A5)
> [!NOTE]
> Eligible Licensed Users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices.
> Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed.
> Eligible Licensed Users may use Microsoft Defender for Endpoint on up to five concurrent devices.
> Microsoft Defender for Endpoint is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed.
Microsoft Defender Advanced Threat Protection, on Windows Server, requires one of the following licensing options:
Microsoft Defender for Endpoint, on Windows Server, requires one of the following licensing options:
- [Azure Security Center with Azure Defender enabled](https://docs.microsoft.com/azure/security-center/security-center-pricing)
- Microsoft Defender ATP for Servers (one per covered server)
- Defender for Endpoint for Servers (one per covered server)
> [!NOTE]
> Customers with a combined minimum of 50 licenses for one or more of the following may acquire Server SLs for Microsoft Defender Advanced Threat Protection for Servers (one per covered Server OSE): Microsoft Defender Advanced Threat Protection, Windows E5/A5, Microsoft 365 E5/A5 and Microsoft 365 E5 Security User SLs. This license applies to Microsoft Defender ATP for Linux.
> Customers with a combined minimum of 50 licenses for one or more of the following may acquire Server SLs for Microsoft Defender Defender for Endpoint for Servers (one per covered Server OSE): Microsoft Defender for Endpoint, Windows E5/A5, Microsoft 365 E5/A5 and Microsoft 365 E5 Security User SLs. This license applies to Defender for Endpoint for Linux.
For detailed licensing information, see the [Product Terms site](https://www.microsoft.com/licensing/terms/) and work with your account team to learn the detailed terms and conditions for the product.
@ -64,7 +64,7 @@ For more information on the array of features in Windows 10 editions, see [Compa
For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://wfbdevicemanagementprod.blob.core.windows.net/windowsforbusiness/Windows10_CommercialEdition_Comparison.pdf).
## Browser requirements
Access to Microsoft Defender ATP is done through a browser, supporting the following browsers:
Access to Defender for Endpoint is done through a browser, supporting the following browsers:
- Microsoft Edge
- Internet Explorer version 11
- Google Chrome
@ -94,7 +94,7 @@ Access to Microsoft Defender ATP is done through a browser, supporting the follo
Devices on your network must be running one of these editions.
The hardware requirements for Microsoft Defender ATP on devices are the same for the supported editions.
The hardware requirements for Defender for Endpoint on devices are the same for the supported editions.
> [!NOTE]
> Machines running mobile versions of Windows are not supported.
@ -110,22 +110,22 @@ The hardware requirements for Microsoft Defender ATP on devices are the same for
- macOS
> [!NOTE]
> You'll need to know the exact Linux distributions and versions of Android and macOS that are compatible with Microsoft Defender ATP for the integration to work.
> You'll need to know the exact Linux distributions and versions of Android and macOS that are compatible with Defender for Endpoint for the integration to work.
### Network and data storage and configuration requirements
When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.
When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender for Endpoint-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.
> [!NOTE]
> - You cannot change your data storage location after the first-time setup.
> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data.
> - Review the [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data.
### Diagnostic data settings
> [!NOTE]
> Microsoft Defender ATP doesn't require any specific diagnostic level as long as it's enabled.
> Microsoft Defender for Endpoint doesn't require any specific diagnostic level as long as it's enabled.
Make sure that the diagnostic data service is enabled on all the devices in your organization.
By default, this service is enabled. It's good practice to check to ensure that you'll get sensor data from them.
@ -176,7 +176,7 @@ You'll need to set the service to automatically start if the **START_TYPE** is n
#### Internet connectivity
Internet connectivity on devices is required either directly or through proxy.
The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5 MB to communicate with the Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.
The Defender for Endpoint sensor can utilize a daily average bandwidth of 5 MB to communicate with the Defender for Endpoint cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.
For more information on additional proxy configuration settings, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).
@ -184,11 +184,11 @@ Before you onboard devices, the diagnostic data service must be enabled. The ser
## Microsoft Defender Antivirus configuration requirement
The Microsoft Defender ATP agent depends on the ability of Microsoft Defender Antivirus to scan files and provide information about them.
The Defender for Endpoint agent depends on the ability of Microsoft Defender Antivirus to scan files and provide information about them.
Configure Security intelligence updates on the Microsoft Defender ATP devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).
Configure Security intelligence updates on the Defender for Endpoint devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).
When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Microsoft Defender Antivirus goes on passive mode.
When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Defender for Endpoint service, Microsoft Defender Antivirus goes on passive mode.
If your organization has turned off Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded must be excluded from this group policy.
@ -201,7 +201,7 @@ If you are onboarding servers and Microsoft Defender Antivirus is not the active
For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Microsoft Defender ATP agent will successfully onboard.
If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Defender for Endpoint agent will successfully onboard.
If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy).

8
windows/security/threat-protection/microsoft-defender-atp/mssp-list.md
View File

@ -21,12 +21,12 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Logo |Partner name | Description
:---|:---|:---
![Image of BDO Digital logo](images/bdo-logo.png)| [BDO Digital](https://go.microsoft.com/fwlink/?linkid=2090394) | BDO Digital's Managed Defense leverages best practice tools, AI, and in-house security experts for 24/7/365 identity protection
![Image of BlueVoyant logo](images/bluevoyant-logo.png)| [BlueVoyant](https://go.microsoft.com/fwlink/?linkid=2121401) | MDR for Microsoft Defender ATP provides support in monitoring, investigating, and mitigating advanced attacks on endpoints
![Image of BlueVoyant logo](images/bluevoyant-logo.png)| [BlueVoyant](https://go.microsoft.com/fwlink/?linkid=2121401) | MDR for Microsoft Defender for Endpoint provides support in monitoring, investigating, and mitigating advanced attacks on endpoints
![Image of Cloud Security Center logo](images/cloudsecuritycenter-logo.png)| [Cloud Security Center](https://go.microsoft.com/fwlink/?linkid=2099315) | InSpark's Cloud Security Center is a 24x7 managed service that delivers protect, detect & respond capabilities
![Image of Cloud SOC logo](images/cloudsoc-logo.png)| [Cloud SOC](https://go.microsoft.com/fwlink/?linkid=2104265) | Cloud SOC provides 24/7 security monitoring services based on Microsoft cloud and helps you to continuously improve your security posture
![Image of CSIS Managed Detection & Response logo](images/csis-logo.png)| [CSIS Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2091005) | 24/7 monitoring and analysis of security alerts giving companies actionable insights into what, when and how security incidents have taken place
@ -36,8 +36,8 @@ Logo |Partner name | Description
![Image of Red Canary logo](images/redcanary-logo.png)| [Red Canary](https://go.microsoft.com/fwlink/?linkid=2103852) | Red Canary is a security operations partner for modern teams, MDR deployed in minutes
![Image of SecureWorks Managed Detection and Response Powered by Red Cloak logo](images/secureworks-logo.png)| [SecureWorks Managed Detection and Response Powered by Red Cloak](https://go.microsoft.com/fwlink/?linkid=2133634) | Secureworks combines threat intelligence and 20+ years of experience into SaaS and managed security solutions
![Image of sepagoSOC logo](images/sepago-logo.png)| [sepagoSOC](https://go.microsoft.com/fwlink/?linkid=2090491) | Ensure holistic security through sophisticated automated workflows in your zero trust environment
![Image of Trustwave Threat Detection & Response Services logo](images/trustwave-logo.png)| [Trustwave Threat Detection & Response Services](https://go.microsoft.com/fwlink/?linkid=2127542) | Threat Detection and Response services for Azure leveraging integrations with Sentinel and Microsoft Defender ATP
![Image of Wortell's cloud SOC logo](images/wortell-logo.png)| [Wortell's cloud SOC](https://go.microsoft.com/fwlink/?linkid=2108415) | 24x7 managed Microsoft Defender ATP service for monitoring & response
![Image of Trustwave Threat Detection & Response Services logo](images/trustwave-logo.png)| [Trustwave Threat Detection & Response Services](https://go.microsoft.com/fwlink/?linkid=2127542) | Threat Detection and Response services for Azure leveraging integrations with Sentinel and Defender for Endpoint.
![Image of Wortell's cloud SOC logo](images/wortell-logo.png)| [Wortell's cloud SOC](https://go.microsoft.com/fwlink/?linkid=2108415) | 24x7 managed Defender for Endpoint service for monitoring & response
![Image of Zero Trust Analytics Platform (ZTAP) logo](images/ztap-logo.png)| [Zero Trust Analytics Platform (ZTAP)](https://go.microsoft.com/fwlink/?linkid=2090971) | Reduce your alerts by 99% and access a full range of security capabilities from mobile devices
## Related topics

8
windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
View File

@ -23,18 +23,18 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
Security is recognized as a key component in running an enterprise, however some organizations might not have the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints and network, others may want to have a second set of eyes to review alerts in their network.
To address this demand, managed security service providers (MSSP) offer to deliver managed detection and response (MDR) services on top of Microsoft Defender ATP.
To address this demand, managed security service providers (MSSP) offer to deliver managed detection and response (MDR) services on top of Defender for Endpoint.
Microsoft Defender ATP adds partnership opportunities for this scenario and allows MSSPs to take the following actions:
Defender for Endpoint adds partnership opportunities for this scenario and allows MSSPs to take the following actions:
- Get access to MSSP customer's Microsoft Defender Security Center portal
- Get email notifications, and