diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index d064a375ca..dcf8eec173 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -2728,6 +2728,7 @@ The following list shows the CSPs supported in HoloLens devices:
| [DiagnosticLog CSP](diagnosticlog-csp.md) |  |  |  |
| [DMAcc CSP](dmacc-csp.md) |  |  |  |
| [DMClient CSP](dmclient-csp.md) |  |  |  |
+| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) |  |  |  10 |
| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) |  |  |  |
| [NetworkProxy CSP](networkproxy-csp.md) |  |  |  |
| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) |  |  |  8|
@@ -2737,6 +2738,7 @@ The following list shows the CSPs supported in HoloLens devices:
| [RemoteFind CSP](remotefind-csp.md) |  |  4 |  |
| [RemoteWipe CSP](remotewipe-csp.md) |  |  4 |  |
| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) |  |  |  |
+| [TenantLockdown CSP](tenantlockdown-csp.md) |  |  |  10 |
| [Update CSP](update-csp.md) |  |  |  |
| [VPNv2 CSP](vpnv2-csp.md) |  |  |  |
| [WiFi CSP](wifi-csp.md) |  |  |  |
@@ -2745,7 +2747,9 @@ The following list shows the CSPs supported in HoloLens devices:
## CSPs supported in Microsoft Surface Hub
-- [Accounts CSP](accounts-csp.md)9 **Note:** Support in Surface Hub is limited to **Domain\ComputerName**.
+- [Accounts CSP](accounts-csp.md)9
+ > [!NOTE]
+ > Support in Surface Hub is limited to **Domain\ComputerName**.
- [AccountManagement CSP](accountmanagement-csp.md)
- [APPLICATION CSP](application-csp.md)
- [CertificateStore CSP](certificatestore-csp.md)
@@ -2813,3 +2817,4 @@ The following list shows the CSPs supported in HoloLens devices:
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
- 9 - Added in Windows 10 Team 2020 Update
+- 10 - Added in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index 26a28b9593..8042bad1d8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -24,10 +24,10 @@ ms.reviewer:
- Key trust
-You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
+You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
-Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
+Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting: Enable Windows Hello for Business
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 3e1ede3c5e..6c6a1ea7cc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -152,7 +152,7 @@ You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windo
> - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
> - A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune.
-Support for Windows Server, provide deeper insight into activities happening on the Windows server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
+Support for Windows Server provides deeper insight into server activities, coverage for kernel and memory attack detection, and enables response actions.
1. Configure Defender for Endpoint onboarding settings on the Windows server. For more information, see [Onboard Windows 10 devices](configure-endpoints.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
index 298867cbc0..f311d48c09 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
@@ -27,25 +27,50 @@ ms.topic: article
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-There are three phases in deploying Defender for Endpoint:
-|Phase | Description |
-|:-------|:-----|
-| 
[Phase 1: Prepare](prepare-deployment.md)| Learn about what you need to consider when deploying Defender for Endpoint:
- Stakeholders and sign-off
- Environment considerations
- Access
- Adoption order
-| 
[Phase 2: Setup](production-deployment.md)| Take the initial steps to access Microsoft Defender Security Center. You'll be guided on:
- Validating the licensing
- Completing the setup wizard within the portal
- Network configuration|
-| 
[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them.
+Microsoft Defender for Endpoint has the capabilities to effectively protect your enterprise from cyber threats.
+
+Learn how to deploy Microsoft Defender for Endpoint so that your enterprise can take advantage of preventative protection, post-breach detection, automated investigation, and response.
+This solution provides guidance on the three phases of deployment. Each section corresponds to a separate article in this solution.
-The deployment guide will guide you through the recommended path in deploying Defender for Endpoint.
+
-If you're unfamiliar with the general deployment planning steps, check out the [Plan deployment](deployment-strategy.md) topic to get a high-level overview of the general deployment steps and methods.
+Regardless of the environment architecture and method of deployment you choose outlined in the [Plan deployment](deployment-strategy.md) guidance, this guide is going to support you in onboarding endpoints.
+## Prepare
+Learn about what you need to consider when deploying Defender for Endpoint such as stakeholder approvals, environment considerations, access permissions, and adoption order of capabilities.
-## In Scope
+## Setup
+Get guidance on the initial steps you need to take so that you can access the portal such as validating licensing, completing the setup wizard, and network configuration.
-The following is in scope for this deployment guide:
+## Onboard
+Learn how to make use of deployment rings, supported onboarding tools based on the type of endpoint, and configuring available capabilities.
+
+
+## Key capabilities
+
+This solution provides the following key capabilities:
+
+Capability | Description
+:---|:---
+Eliminate risks and reduce your attack surface| Use attack surface reduction to minimize the areas where your organization could be vulnerable to threats.
+Block sophisticated threats and malware | Defend against never-before-seen polymorphic and metamorphic malware and fileless and file-based threats with next-generation protection.
+Remediation at scale with automation | Automatically investigate alerts and remediate complex threats in minutes. Apply best practices and intelligent decision-making algorithms to determine whether a threat is active and what action to take.
+Discover vulnerabilities and misconfigurations in real time | Bring security and IT together with Microsoft Threat & Vulnerability Management to quickly discover, prioritize, and remediate vulnerabilities and misconfigurations.
+Get expert-level threat monitoring and analysis | Empower your security operations centers with Microsoft Threat Experts. Get deep knowledge, advanced threat monitoring, analysis, and support to identify critical threats in your unique environment.
+Detect and respond to advanced attacks with behavioral monitoring | Spot attacks and zero-day exploits using advanced behavioral analytics and machine learning.
+Cross-platform support | Microsoft Defender for Endpoint provides security for non-Windows platforms including Mac, Linux servers, and Android.
+Evaluate capabilities | Fully evaluate our capabilities with a few simple clicks in the Microsoft Defender for Endpoint evaluation lab.
+Streamline and integrate via APIs | Integrate Microsoft Defender for Endpoint with your security solutions and streamline and automate security workflows with rich APIs.
+Simplify endpoint security management | Use a single pane of glass for all endpoint security actions, such as endpoint configuration, deployment, and management with Microsoft Endpoint Manager.
+
+
+## Scope
+
+### In scope
- Use of Microsoft Endpoint Configuration Manager and Microsoft Endpoint Manager to onboard endpoints into the service and configure capabilities
@@ -59,10 +84,19 @@ The following is in scope for this deployment guide:
- Attack surface reduction
-## Out of scope
+### Out of scope
The following are out of scope of this deployment guide:
- Configuration of third-party solutions that might integrate with Defender for Endpoint
- Penetration testing in production environment
+
+
+
+
+## See also
+- [Phase 1: Prepare](prepare-deployment.md)
+- [Phase 2: Set up](production-deployment.md)
+- [Phase 3: Onboard](onboarding.md)
+- [Plan deployment](deployment-strategy.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md
index 9c14158aa2..b7def4676f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md
@@ -25,15 +25,14 @@ ms.topic: article
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink)
-Depending on the requirements of your environment, we've put together material to help guide you through the various options you can adopt to deploy Defender for Endpoint.
-These are the general steps you need to take to deploy Defender for Endpoint:
+Plan your Microsoft Defender for Endpoint deployment so that you can maximize the security capabilities within the suite and better protect your enterprise from cyber threats.
-
-- Identify architecture
-- Select deployment method
-- Configure capabilities
+This solution provides guidance on how to identify your environment architecture, select the type of deployment tool that best fits your needs, and guidance on how to configure capabilities.
+
+
+
## Step 1: Identify architecture
@@ -43,7 +42,7 @@ Depending on your environment, some tools are better suited for certain architec
Use the following material to select the appropriate Defender for Endpoint architecture that best suites your organization.
-|**Item**|**Description**|
+| Item | Description |
|:-----|:-----|
|[](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)
[PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: - Cloud-native
- Co-management
- On-premise
- Evaluation and local onboarding
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/deployment-phases.png b/windows/security/threat-protection/microsoft-defender-atp/images/deployment-phases.png
new file mode 100644
index 0000000000..0875ace467
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/deployment-phases.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/plan-deployment.png b/windows/security/threat-protection/microsoft-defender-atp/images/plan-deployment.png
new file mode 100644
index 0000000000..60313bb2da
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/plan-deployment.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
index 9e61246a70..7aa3fdcc1e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
@@ -31,19 +31,26 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
## Before you begin:
1. Create an [event hub](https://docs.microsoft.com/azure/event-hubs/) in your tenant.
-2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.
+
+2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights**.
## Enable raw data streaming:
1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) with a Global Admin user.
-2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
-3. Click on **Add data export settings**.
-4. Choose a name for your new settings.
-5. Choose **Forward events to Azure Event Hubs**.
-6. Type your **Event Hubs name** and your **Event Hubs resource ID**.
- In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**:
- 
+2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
+
+3. Click on **Add data export settings**.
+
+4. Choose a name for your new settings.
+
+5. Choose **Forward events to Azure Event Hubs**.
+
+6. Type your **Event Hubs name** and your **Event Hubs resource ID**.
+
+ In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**:
+
+ 
7. Choose the events you want to stream and click **Save**.
@@ -64,8 +71,11 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
```
- Each event hub message in Azure Event Hubs contains list of records.
+
- Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
+
- For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+
- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information.
## Data types mapping:
@@ -73,21 +83,22 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
To get the data types for event properties do the following:
1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
+
2. Run the following query to get the data types mapping for each event:
-```
-{EventType}
-| getschema
-| project ColumnName, ColumnType
-
-```
+ ```
+ {EventType}
+ | getschema
+ | project ColumnName, ColumnType
+ ```
- Here is an example for Device Info event:
-
+ 
## Related topics
- [Overview of Advanced Hunting](advanced-hunting-overview.md)
- [Microsoft Defender for Endpoint streaming API](raw-data-export.md)
- [Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)
- [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/)
+- [Troubleshoot connectivity issues - Azure Event Hubs](https://docs.microsoft.com/azure/event-hubs/troubleshooting-guide)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
index 804a1ff98e..8dae2a2358 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
@@ -31,19 +31,24 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
## Before you begin:
1. Create a [Storage account](https://docs.microsoft.com/azure/storage/common/storage-account-overview) in your tenant.
+
2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights**.
-3. Go to **Settings > Advanced Features > Preview features** and turn Preview features **On**.
## Enable raw data streaming:
1. Log in to [Microsoft Defender for Endpoint portal](https://securitycenter.windows.com) with Global Admin user.
-2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
-3. Click on **Add data export settings**.
-4. Choose a name for your new settings.
-5. Choose **Forward events to Azure Storage**.
-6. Type your **Storage Account Resource Id**. In order to get your **Storage Account Resource Id**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**:
- 
+2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
+
+3. Click on **Add data export settings**.
+
+4. Choose a name for your new settings.
+
+5. Choose **Forward events to Azure Storage**.
+
+6. Type your **Storage Account Resource ID**. In order to get your **Storage Account Resource ID**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**:
+
+ 
7. Choose the events you want to stream and click **Save**.
@@ -51,22 +56,25 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
- A blob container will be created for each event type:
-
+ 
- The schema of each row in a blob is the following JSON:
-```
-{
- "time": ""
- "tenantId": ""
- "category": ""
- "properties": { }
-}
-```
+ ```
+ {
+ "time": ""
+ "tenantId": ""
+ "category": ""
+ "properties": { }
+ }
+ ```
- Each blob contains multiple rows.
+
- Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
+
- For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+
- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information.
## Data types mapping:
@@ -74,18 +82,18 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
In order to get the data types for our events properties do the following:
1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
+
2. Run the following query to get the data types mapping for each event:
-```
-{EventType}
-| getschema
-| project ColumnName, ColumnType
-
-```
+ ```
+ {EventType}
+ | getschema
+ | project ColumnName, ColumnType
+ ```
- Here is an example for Device Info event:
-
+ 
## Related topics
- [Overview of Advanced Hunting](advanced-hunting-overview.md)