From 87d4839f8baf1e1f4540dc6fae82fa886c6b9968 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Mon, 1 Feb 2021 23:26:36 +0100 Subject: [PATCH 1/4] MarkDown code blocks & whitespace (ref. #9053) Corrections to PR #9053 / commit https://github.com/MicrosoftDocs/windows-itpro-docs/commit/9856688ff24ecbf4fe47f7446b9ef9182d2de3a4 A misunderstanding in PR #9053 caused the addition of unneeded & unwanted blank lines within the PowerShell PUA code blocks for the 3 variations of `Set-MpPreference -PUAProtection` and the console output, as well as missing the opportunity to add editorial blank lines below the code blocks, for easier future editing. Ref. PR #9053 / commit https://github.com/MicrosoftDocs/windows-itpro-docs/commit/9856688ff24ecbf4fe47f7446b9ef9182d2de3a4 --- ...lly-unwanted-apps-microsoft-defender-antivirus.md | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 5b962456c2..15e0a33178 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md 
@@ -134,19 +134,17 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw ##### To enable PUA protection ```PowerShell - Set-MpPreference -PUAProtection Enabled - ``` + Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled. ##### To set PUA protection to audit mode ```PowerShell - Set-MpPreference -PUAProtection AuditMode - ``` + Setting `AuditMode` detects PUAs without blocking them. ##### To disable PUA protection @@ -154,10 +152,9 @@ Setting `AuditMode` detects PUAs without blocking them. We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: ```PowerShell - Set-MpPreference -PUAProtection Disabled - ``` + Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled. See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. @@ -167,7 +164,6 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the `Get-MpThreat` cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example: ```console - CategoryID : 27 DidThreatExecute : False IsActive : False 
@@ -188,7 +184,7 @@ See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for d ### Allow-listing apps -Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. +Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. For more information, see [Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients](https://docs.microsoft.com/troubleshoot/mem/configmgr/recommended-antivirus-exclusions#exclusions). From 2beb86cdd0a6358b3f0a67a9fb02f357f9f2a10c Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 3 Feb 2021 17:55:27 +0200 Subject: [PATCH 2/4] Update controlled-folders.md Some customers opened support tickets wanting to know why CFA blocks did not create alerts in our portal... so I think we should add this note to avoid customer confusion... --- .../microsoft-defender-atp/controlled-folders.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index f193b2eca8..34b3992bb5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md 
@@ -35,6 +35,9 @@ Controlled folder access helps protect your valuable data from malicious apps an Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +> [!NOTE] +> Controlled folder access blocks do not generate alerts in the [Alert queue](../microsoft-defender-atp/alerts-queue.md). However, they do provide valuable information that will appear in the [Device Timeline](../microsoft-defender-atp/investigate-machines.md), [Advanced Hunting](../microsoft-defender-atp/advanced-hunting-overview.md) or can be used when building [Custom Detections](../microsoft-defender-atp/custom-detection-rules.md). + ## How does controlled folder access work? Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders. From c83e76a75f9034bee1fb03ec7fc0c6e29dc91cb9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 09:20:25 -0800 Subject: [PATCH 3/4] Update controlled-folders.md --- .../microsoft-defender-atp/controlled-folders.md | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 34b3992bb5..5d79d2db3f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md 
@@ -1,5 +1,5 @@ --- -title: Prevent ransomware and threats from encrypting and changing files +title: Protect important folders from ransomware from encrypting your files with controlled folder access description: Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files. keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders search.product: eADQiWindows 10XVcnh @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb audience: ITPro -ms.date: 12/17/2020 +ms.date: 02/03/2021 ms.reviewer: v-maave manager: dansimp ms.custom: asr 
@@ -35,8 +35,8 @@ Controlled folder access helps protect your valuable data from malicious apps an Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -> [!NOTE] -> Controlled folder access blocks do not generate alerts in the [Alert queue](../microsoft-defender-atp/alerts-queue.md). However, they do provide valuable information that will appear in the [Device Timeline](../microsoft-defender-atp/investigate-machines.md), [Advanced Hunting](../microsoft-defender-atp/advanced-hunting-overview.md) or can be used when building [Custom Detections](../microsoft-defender-atp/custom-detection-rules.md). +> [!TIP] +> Controlled folder access blocks don't generate alerts in the [Alerts queue](../microsoft-defender-atp/alerts-queue.md). However, you can view information about controlled folder access blocks in the [device timeline view](../microsoft-defender-atp/investigate-machines.md), while using [advanced hunting](../microsoft-defender-atp/advanced-hunting-overview.md), or with [custom detection rules](../microsoft-defender-atp/custom-detection-rules.md). ## How does controlled folder access work? 
@@ -46,7 +46,7 @@ Controlled folder access works with a list of trusted apps. If an app is include Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically. -Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console. +Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console. ## Why controlled folder access is important @@ -120,17 +120,11 @@ The following table shows events related to controlled folder access: You can use the Windows Security app to view the list of folders that are protected by controlled folder access. 1. On your Windows 10 device, open the Windows Security app. - 2. Select **Virus & threat protection**. - 3. Under **Ransomware protection**, select **Manage ransomware protection**. - 4. If controlled folder access is turned off, you'll need to turn it on. Select **protected folders**. - 5. Do one of the following steps: - - To add a folder, select **+ Add a protected folder**. - - To remove a folder, select it, and then select **Remove**. > [!NOTE] From 9d86f926aa161d959dff7efdff5a67d091eb5e4a Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 09:25:53 -0800 Subject: [PATCH 4/4] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...ially-unwanted-apps-microsoft-defender-antivirus.md | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 15e0a33178..f56820cf7f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen audience: ITPro -ms.date: 02/01/2021 +ms.date: 02/03/2021 ms.reviewer: manager: dansimp ms.technology: mde 
@@ -112,21 +112,13 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw #### Use Group Policy to configure PUA protection 1. Download and install [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) - 2. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). - 3. Select the Group Policy Object you want to configure, and then choose **Edit**. - 4. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. - 5. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**. - 6. Double-click **Configure detection for potentially unwanted applications**. - 7. Select **Enabled** to enable PUA protection. - 8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting works in your environment. Select **OK**. - 9. Deploy your Group Policy object as you usually do. #### Use PowerShell cmdlets to configure PUA protection
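Review bot: In PATCH 1/4 (detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md, hunks starting at @@ -134,19 +134,17), the three `Set-MpPreference -PUAProtection` fences are tagged `PowerShell` with capitals, while the `Get-MpThreat` output fence in the same file is tagged `console` in lowercase. Since this patch is already tidying these code blocks, consider normalising the info string to lowercase `powershell` in the same pass so the fences in the file are consistent.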
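Review bot: In PATCH 2/4 (controlled-folders.md, hunk @@ -35,6 +35,9), the added note contradicts the unchanged paragraph directly above it, which says Defender for Endpoint reports controlled folder access events and blocks "as part of the usual alert investigation scenarios" and links to investigate-alerts.md. A reader who sees both will still not know whether to expect an alert. Suggest rewording that preceding sentence in the same change so it points at the device timeline and advanced hunting rather than alert investigation. The link text "Alert queue" also differs from its target file name, alerts-queue.md.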
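Review bot: In PATCH 3/4 (controlled-folders.md, front-matter hunk @@ -1,5 +1,5), the new `title:` value "Protect important folders from ransomware from encrypting your files with controlled folder access" stacks two "from" phrases and does not parse. Suggest a shorter form such as "Protect important folders from ransomware with controlled folder access"; the unchanged `description:` line already carries "Prevent ransomware from encrypting your files".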
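Review bot: In PATCH 3/4 (controlled-folders.md, hunk @@ -35,8 +35,8), changing the callout from `[!NOTE]` to `[!TIP]` undersells the statement. PATCH 2/4 added it because customers opened support tickets asking why controlled folder access blocks did not create alerts, so it documents a behaviour that analysts need to know when they build monitoring, not an optional hint. Suggest keeping `[!NOTE]` (or `[!IMPORTANT]`) and keeping the reworded sentence, which reads better than the original.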
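Review bot: In PATCH 4/4 (detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md, hunk @@ -112,21 +112,13), step 1 of the Group Policy procedure ("Download and install [Administrative Templates (.admx) ...]") is the only step in the list without a terminal period. Since this hunk already touches the spacing of the whole list, add the period here. The commit message is only "Update detect-block-...md"; a line stating that the change removes blank lines between list items and bumps `ms.date` would help later readers of the history.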