deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 13:53:39 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'v-gmoor-fix-pr-4952' of https://github.com/MicrosoftDocs/windows-docs-pr into v-gmoor-fix-pr-4952

Browse Source
This commit is contained in:
Gary Moore
2021-03-22 17:14:09 -07:00
parent c07a32ac71 7dba133c20
commit 87a5b502bb
41 changed files with 1506 additions and 315 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
windows/client-management/mdm/TOC.md
View File

@ -159,15 +159,16 @@
### [Personalization CSP](personalization-csp.md)
#### [Personalization DDF file](personalization-ddf.md)
### [Policy CSP](policy-configuration-service-provider.md)
#### [Policy DDF file](policy-ddf-file.md)
#### [Policies in Policy CSP supported by Group Policy](policy-csps-supported-by-group-policy.md)
#### [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md)
#### [Policies in Policy CSP supported by HoloLens 2](policy-csps-supported-by-hololens2.md)
#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
#### [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md)
#### [Policies in Policy CSP supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md)
#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md)
#### [Policy CSP DDF file](policy-ddf-file.md)
#### [Policies in Policy CSP supported by Group Policy](policies-in-policy-csp-supported-by-group-policy.md)
#### [ADMX-backed policies in Policy CSP](policies-in-policy-csp-admx-backed.md)
#### [Policies in Policy CSP supported by HoloLens 2](policies-in-policy-csp-supported-by-hololens2.md)
#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md)
#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md)
#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policies-in-policy-csp-supported-by-iot-enterprise.md)
#### [Policies in Policy CSP supported by Windows 10 IoT Core](policies-in-policy-csp-supported-by-iot-core.md)
#### [Policies in Policy CSP supported by Microsoft Surface Hub](policies-in-policy-csp-supported-by-surface-hub.md)
#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policies-in-policy-csp-that-can-be-set-using-eas.md)
#### [AboveLock](policy-csp-abovelock.md)
#### [Accounts](policy-csp-accounts.md)
#### [ActiveXControls](policy-csp-activexcontrols.md)

33
windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
View File

@ -13,7 +13,7 @@ author: lomayor
# Azure Active Directory integration with MDM
Azure Active Directory is the world largest enterprise cloud identity management service. Its used by millions of organizations to access Office 365 and thousands of business applications from Microsoft and third party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows 10 provides an integrated configuration experience with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in a smooth integrated flow.
Azure Active Directory is the world largest enterprise cloud identity management service. Its used by millions of organizations to access Office 365 and thousands of business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows 10 provides an integrated configuration experience with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in a smooth integrated flow.
Once a device is enrolled in MDM, the MDM can enforce compliance with corporate policies, add or remove apps, and more. Additionally, the MDM can report a devices compliance Azure AD. This enables Azure AD to allow access to corporate resources or applications secured by Azure AD only to devices that comply with policies. To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This topic describes the steps involved.
@ -52,11 +52,11 @@ Two Azure AD MDM enrollment scenarios:
In both scenarios, Azure AD is responsible for authenticating the user and the device, which provides a verified unique device identifier that can be used for MDM enrollment.
In both scenarios, the enrollment flow provides an opportunity for the MDM service to render it's own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization.
In both scenarios, the enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization.
In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It is important that MDM vendors who chose to integrate with Azure AD respect the Windows 10 design guidelines to the letter. This includes using a responsive web design and respecting the Windows accessibility guidelines, which includes the forward and back buttons that are properly wired to the navigation logic. Additional details are provided later in this topic.
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [this article](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [Configure Azure MFA as authentication provider with AD FS](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios is similar.
@ -64,7 +64,7 @@ Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the
> Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
### MDM endpoints involved in Azure AD integrated enrollment
### MDM endpoints involved in Azure ADintegrated enrollment
Azure AD MDM enrollment is a two-step process:
@ -112,27 +112,39 @@ The keys used by the MDM application to request access tokens from Azure AD are
Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery.
1. Login to the Azure Management Portal using an admin account in your home tenant.
1. Log in to the Azure Management Portal using an admin account in your home tenant.
2. In the left navigation, click on the **Active Directory**.
3. Click the directory tenant where you want to register the application.
Ensure that you are logged into your home tenant.
4. Click the **Applications** tab.
5. In the drawer, click **Add**.
6. Click **Add an application my organization is developing**.
7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then click **Next**.
8. Enter the login URL for your MDM service.
9. For the App ID, enter **https://<your\_tenant\_name>/ContosoMDM**, then click OK.
10. While still in the Azure portal, click the **Configure** tab of your application.
11. Mark your application as **multi-tenant**.
12. Find the client ID value and copy it.
You will need this later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery.
13. Generate a key for your application and copy it.
You will need this to call the Azure AD Graph API to report device compliance. This is covered in the subsequent section.
For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667)
For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
### Add an on-premises MDM
@ -208,7 +220,7 @@ The following table shows the required information to create an entry in the Azu
### Add on-premises MDM to the app gallery
There are no special requirements for adding on-premises MDM to the app gallery.There is a generic entry for administrator to add an app to their tenant.
There are no special requirements for adding on-premises MDM to the app gallery. There is a generic entry for administrator to add an app to their tenant.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. These are used to obtain authorization to access the Azure AD Graph API and for reporting device compliance.
@ -347,7 +359,8 @@ The following claims are expected in the access token passed by Windows to the T
</tr>
</tbody>
</table>
<br/>
> [!NOTE]
> There is no device ID claim in the access token because the device may not yet be enrolled at this time.
@ -355,7 +368,7 @@ To retrieve the list of group memberships for the user, you can use the [Azure A
Here's an example URL.
```console
```http
https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0
Authorization: Bearer eyJ0eXAiOi
```
@ -647,7 +660,7 @@ Alert sample:
## Determine when a user is logged in through polling
An alert is send to the MDM server in DM package\#1.
An alert is sent to the MDM server in DM package\#1.
- Alert type - com.microsoft/MDM/LoginStatus
- Alert format - chr

4
windows/client-management/mdm/euiccs-csp.md
View File

@ -25,6 +25,10 @@ eUICCs
--------IsActive
--------PPR1Allowed
--------PPR1AlreadySet
--------DownloadServers
------------ServerName
----------------DiscoveryState
----------------AutoEnable
--------Profiles
------------ICCID
----------------ServerName

13
windows/deployment/update/windows-update-resources.md
View File

@ -39,9 +39,18 @@ The following resources provide additional information about using Windows Updat
## How do I reset Windows Update components?
[Reset Windows Update Client settings script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data.
- Try using the [Windows Update Troubleshooter](https://support.microsoft.com/windows/windows-update-troubleshooter-for-windows-10-19bc41ca-ad72-ae67-af3c-89ce169755dd), which will analyze the situation and reset any components that need it.
- Try the steps in [Troubleshoot problems updating Windows 10](https://support.microsoft.com/windows/troubleshoot-problems-updating-windows-10-188c2b0f-10a7-d72f-65b8-32d177eb136c).
- Try the steps in [Fix Windows Update](https://support.microsoft.com/sbs/windows/fix-windows-update-errors-18b693b5-7818-5825-8a7e-2a4a37d6d787) errors.
If all else fails, try resetting the Windows Update Agent by running these commands from an elevated command prompt:
``` console
net stop wuauserv
rd /s /q %systemroot%\SoftwareDistribution
net start wuauserv
```
[Reset Windows Update Agent script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allows you to reset the Windows Update Agent, resolving issues with Windows Update.
## Reset Windows Update components manually

2
windows/deployment/windows-10-subscription-activation.md
View File

@ -23,7 +23,7 @@ Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription
With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions—**Windows 10 Education**.
The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices.
The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices.
## Subscription Activation for Windows 10 Enterprise

2
windows/security/identity-protection/credential-guard/dg-readiness-tool.md
View File

@ -678,7 +678,7 @@ function CheckDriverCompat
if($verifier_state.ToString().Contains("No drivers are currently verified."))
{
LogAndConsole "Enabling Driver verifier"
verifier.exe /flags 0x02000000 /all /log.code_integrity
verifier.exe /flags 0x02000000 /all /bootmode oneboot /log.code_integrity
LogAndConsole "Enabling Driver Verifier and Rebooting system"
Log $verifier_state

8
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
View File

@ -81,7 +81,13 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
> [!NOTE]
> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
> The certificate for the CA issuing the domain controller certificate must be included in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a multi-tier CA hierarchy or a third-party CA, this may not be done by default. If the Domain Controller certificate does not directly chain to a CA certificate in the NTAuth store, user authentication will fail.
The following PowerShell command can be used to check all certificates in the NTAuth store:
```powershell
Certutil -viewstore -enterprise NTAuth
```
### Publish Certificate Templates to a Certificate Authority

10
windows/security/identity-protection/vpn/vpn-connection-type.md
View File

@ -42,6 +42,9 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and
- [SSTP](https://technet.microsoft.com/library/ff687819.aspx)
SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option.
> [!NOTE]
> When a VPN plug-in is used, the adapter will be listed as an SSTP adapter, even though the VPN protocol used is the plug-in's protocol.
- Automatic
@ -63,11 +66,13 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.m
The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune:
![Available connection types](images/vpn-connection-intune.png)
> [!div class="mx-imgBorder"]
> ![Available connection types](images/vpn-connection-intune.png)
In Intune, you can also include custom XML for third-party plug-in profiles:
![Custom XML](images/vpn-custom-xml-intune.png)
> [!div class="mx-imgBorder"]
> ![Custom XML](images/vpn-custom-xml-intune.png)
## Related topics
@ -85,4 +90,3 @@ In Intune, you can also include custom XML for third-party plug-in profiles:

4
windows/security/threat-protection/TOC.md
View File

@ -253,6 +253,10 @@
##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
##### [Set preferences](microsoft-defender-atp/mac-preferences.md)
##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
##### [Device control]()
###### [Device control overview](microsoft-defender-atp/mac-device-control-overview.md)
###### [JAMF examples](microsoft-defender-atp/mac-device-control-jamf.md)
###### [Intune examples](microsoft-defender-atp/mac-device-control-intune.md)
##### [Schedule scans](microsoft-defender-atp/mac-schedule-scan-atp.md)
#### [Troubleshoot]()

3
windows/security/threat-protection/auditing/audit-file-system.md
View File

@ -21,6 +21,8 @@ ms.technology: mde
- Windows 10
- Windows Server 2016
> [!NOTE]
> For more details about applicability on older operating system versions, read the article [Audit File System](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319068(v=ws.11)).
Audit File System determines whether the operating system generates audit events when users attempt to access file system objects.
@ -61,4 +63,3 @@ Only one event, “[4658](event-4658.md): The handle to an object was closed,”
- [5051](event-5051.md)(-): A file was virtualized.
- [4670](event-4670.md)(S): Permissions on an object were changed.

24
windows/security/threat-protection/device-guard/memory-integrity.md
View File

@ -1,24 +0,0 @@
---
title: Memory integrity
keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
description: Learn about memory integrity, a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy.
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: levinec
ms.author: ellevin
ms.reviewer:
manager: dansimp
ms.technology: mde
---
# Memory integrity
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Memory integrity is a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy. It uses hardware virtualization and Hyper-V to protect Windows kernel mode processes from the injection and execution of malicious or unverified code. The integrity of code that runs on Windows is validated by memory integrity, making Windows resistant to attacks from malicious software. Memory integrity is a powerful security boundary that helps to block many types of malware from running in Windows 10 and Windows Server 2016 environments.
For more information about Windows Security, see [Device protection in Windows Security](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).

2
windows/security/threat-protection/mbsa-removal-and-guidance.md
View File

@ -30,7 +30,7 @@ For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with Po
For example:
[![VBS script](images/vbs-example.png)](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
[![PowerShell script](images/powershell-example.png)](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be)
[![PowerShell script](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0)
The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers.

15
windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
View File

@ -12,7 +12,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: ksarens
manager: dansimp
ms.date: 08/17/2020
ms.date: 03/19/2021
ms.technology: mde
---
@ -25,12 +25,11 @@ ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool **mpcmdrun.exe**. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
> [!NOTE]
> You might need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
>
> If you're running an updated Microsoft Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`.
> You might need to open an administrator-level version of the command prompt. When you search for **Command Prompt** on the Start menu, choose **Run as administrator**.
> If you're running an updated Microsoft Defender Platform version, run `**MpCmdRun**` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`.
The utility has the following commands:
@ -68,7 +67,7 @@ MpCmdRun.exe -Scan -ScanType 2
|:----|:----|
| `ValidateMapsConnection failed (800106BA) or 0x800106BA` | The Microsoft Defender Antivirus service is disabled. Enable the service and try again. <br> **Note:** In Windows 10 1909 or older, and Windows Server 2019 or older, the service used to be called "Windows Defender Antivirus" service.|
| `0x80070667` | You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.|
| `'MpCmdRun' is not recognized as an internal or external command, operable program or batch file.` | The tool needs to be run from either: `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0` (where `2008.4-0` might differ since platform updates are monthly except for December)|
| `'MpCmdRun' is not recognized as an internal or external command, operable program or batch file.` | The tool needs to be run from either: `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2012.4-0` (where `2012.4-0` might differ since platform updates are monthly except for March)|
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)` | Not enough privileges. Use the command prompt (cmd.exe) as an administrator.|
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070006 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80004005 httpcode=450)` | Possible network-related issues, like name resolution problems|
@ -76,7 +75,9 @@ MpCmdRun.exe -Scan -ScanType 2
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=800722F0D` | The firewall is blocking the connection or conducting SSL inspection. |
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80072EE7 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
## Related topics
## See also
- [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md)
- [Manage Microsoft Defender Antivirus in your business](configuration-management-reference-microsoft-defender-antivirus.md)
- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

6
windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
View File

@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: pahuijbr
manager: dansimp
ms.date: 03/10/2021
ms.date: 03/19/2021
ms.technology: mde
---
@ -35,7 +35,7 @@ There are two types of updates related to keeping Microsoft Defender Antivirus u
> Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
> Make sure to update your antivirus protection even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
>
> To see the most current engine, platform, and signature date, visit the [Microsoft security encyclopedia](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info).
> To see the most current engine, platform, and signature date, visit the [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
## Security intelligence updates
@ -48,7 +48,7 @@ Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft
Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
For a list of recent security intelligence updates, see [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/definitions/antimalware-definition-release-notes).
For a list of recent security intelligence updates, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
Engine updates are included with security intelligence updates and are released on a monthly cadence.

6
windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
View File

@ -32,11 +32,11 @@ ms.technology: mde
## Before you begin
> [!NOTE]
> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service.
> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to Microsoft Threat Experts - Targeted Attack Notification managed threat hunting service.
Ensure that you have Defender for Endpoint deployed in your environment with devices enrolled, and not just on a laboratory set-up.
If you're a Defender for Endpoint customer, you need to apply for Microsoft Threat Experts - Targeted Attack Notifications to get special insights and analysis to help identify the most critical threats, so you can respond to them quickly. Contact your account team or Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand to consult with our threat experts on relevant detections and adversaries.
If you're a Defender for Endpoint customer, you need to apply for **Microsoft Threat Experts - Targeted Attack Notifications** to get special insights and analysis to help identify the most critical threats, so you can respond to them quickly. Contact your account team or Microsoft representative to subscribe to **Microsoft Threat Experts - Experts on Demand** to consult with our threat experts on relevant detections and adversaries.
## Apply for Microsoft Threat Experts - Targeted Attack Notifications service
If you're already a Defender for Endpoint customer, you can apply through the Microsoft Defender Security Center.
@ -78,7 +78,7 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert
2. From the dashboard, select the same alert topic that you got from the email, to view the details.
## Subscribe to Microsoft Threat Experts - Experts on Demand
If you're already a Defender for Endpoint customer, you can contact your Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand.
This is available as a subscription service. If you're already a Defender for Endpoint customer, you can contact your Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand.
## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization
You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised device, or a threat intelligence context that you see on your portal dashboard.

4
windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
View File

@ -47,10 +47,10 @@ To use either of these supported SIEM tools, you'll need to:
- [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md)
- Configure the supported SIEM tool:
- [Configure HP ArcSight to pull Defender for Endpoint detections](configure-arcsight.md)
- [Configure Micro Focus ArcSight to pull Defender for Endpoint detections](configure-arcsight.md)
- Configure IBM QRadar to pull Defender for Endpoint detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
For more information on the list of fields exposed in the Detection API see, [Defender for Endpoint Detection fields](api-portal-mapping.md).
For more information on the list of fields exposed in the Detection API, see [Defender for Endpoint Detection fields](api-portal-mapping.md).

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 118 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 296 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 426 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-lookup-4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 404 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mac-device-control-notification.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

1
windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
View File

@ -103,6 +103,7 @@ The following table lists commands for some of the most common scenarios. Run `m
|Group |Scenario |Command |
|----------------------|--------------------------------------------------------|-----------------------------------------------------------------------|
|Configuration |Turn on/off real-time protection |`mdatp config real-time-protection --value [enabled\|disabled]` |
|Configuration |Turn on/off behavior monitoring |`mdatp config behavior-monitoring --value [enabled\|disabled]` |
|Configuration |Turn on/off cloud protection |`mdatp config cloud --value [enabled\|disabled]` |
|Configuration |Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled\|disabled]` |
|Configuration |Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission [enabled\|disabled]` |

4
windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
View File

@ -105,8 +105,8 @@ getfile c:\Users\user\Desktop\work.txt -auto
>
> The following file types **cannot** be downloaded using this command from within Live Response:
>
> * [Reparse point files](/windows/desktop/fileio/reparse-points/)
> * [Sparse files](/windows/desktop/fileio/sparse-files/)
> * [Reparse point files](https://docs.microsoft.com/windows/win32/fileio/reparse-points)
> * [Sparse files](https://docs.microsoft.com/windows/win32/fileio/sparse-files)
> * Empty files
> * Virtual files, or files that are not fully present locally
>

426
windows/security/threat-protection/microsoft-defender-atp/mac-device-control-intune.md Normal file
View File

@ -0,0 +1,426 @@
---
title: Examples of device control policies for Intune
description: Learn how to use device control policies using examples that can be used with Intune.
keywords: microsoft, defender, atp, mac, device, control, usb, removable, media, intune
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
ms.mktglfcycl: security
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
ms.technology: mde
---
# Examples of device control policies for Intune
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
This document contains examples of device control policies that you can customize for your own organization. These examples are applicable if you are using Intune to manage devices in your enterprise.
## Restrict access to all removable media
The following example restricts access to all removable media. Note the `none` permission that is applied at the top level of the policy, meaning that all file operations will be disallowed.
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
```
## Set all removable media to be read-only
The following example configures all removable media to be read-only. Note the `read` permission that is applied at the top level of the policy, meaning that all write and execute operations will be disallowed.
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
</array>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
```
## Disallow program execution from removable media
The following example shows how program execution from removable media can be disallowed. Note the `read` and `write` permissions that are applied at the top level of the policy.
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
</array>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
```
## Restrict all devices from specific vendors
The following example restricts all devices from specific vendors (in this case identified by `fff0` and `4525`). All other devices will be unrestricted, since the permission defined at the top level of the policy lists all possible permissions (read, write, and execute).
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>vendors</key>
<dict>
<key>fff0</key>
<dict>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
<key>4525</key>
<dict>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
```
## Restrict specific devices identified by vendor ID, product ID, and serial number
The following example restricts two specific devices, identified by vendor ID `fff0`, product ID `1000`, and serial numbers `04ZSSMHI2O7WBVOA` and `04ZSSMHI2O7WBVOB`. At all other levels of the policy the permissions include all possible values (read, write, and execute), meaning that all other devices will be unrestricted.
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>vendors</key>
<dict>
<key>fff0</key>
<dict>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>products</key>
<dict>
<key>1000</key>
<dict>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>serialNumbers</key>
<dict>
<key>04ZSSMHI2O7WBVOA</key>
<array>
<string>none</string>
</array>
<key>04ZSSMHI2O7WBVOB</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
```
## Related topics
- [Overview of device control for macOS](mac-device-control-overview.md)

221
windows/security/threat-protection/microsoft-defender-atp/mac-device-control-jamf.md Normal file
View File

@ -0,0 +1,221 @@
---
title: Examples of device control policies for JAMF
description: Learn how to use device control policies using examples that can be used with JAMF.
keywords: microsoft, defender, endpoint, atp, mac, device, control, usb, removable, media, jamf
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
ms.mktglfcycl: security
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
ms.technology: mde
---
# Examples of device control policies for JAMF
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
This document contains examples of device control policies that you can customize for your own organization. These examples are applicable if you are using JAMF to manage devices in your enterprise.
## Restrict access to all removable media
The following example restricts access to all removable media. Note the `none` permission that is applied at the top level of the policy, meaning that all file operations will be prohibited.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</plist>
```
## Set all removable media to be read-only
The following example configures all removable media to be read-only. Note the `read` permission that is applied at the top level of the policy, meaning that all write and execute operations will be disallowed.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
</array>
</dict>
</dict>
</dict>
</plist>
```
## Disallow program execution from removable media
The following example shows how program execution from removable media can be disallowed. Note the `read` and `write` permissions that are applied at the top level of the policy.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
</array>
</dict>
</dict>
</dict>
</plist>
```
## Restrict all devices from specific vendors
The following example restricts all devices from specific vendors (in this case identified by `fff0` and `4525`). All other devices will be unrestricted, since the permission defined at the top level of the policy lists all possible permissions (read, write, and execute).
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>vendors</key>
<dict>
<key>fff0</key>
<dict>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
<key>4525</key>
<dict>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</dict>
</dict>
</plist>
```
## Restrict specific devices identified by vendor ID, product ID, and serial number
The following example restricts two specific devices, identified by vendor ID `fff0`, product ID `1000`, and serial numbers `04ZSSMHI2O7WBVOA` and `04ZSSMHI2O7WBVOB`. At all other levels of the policy the permissions include all possible values (read, write, and execute), meaning that all other devices will be unrestricted.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>vendors</key>
<dict>
<key>fff0</key>
<dict>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>products</key>
<dict>
<key>1000</key>
<dict>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>serialNumbers</key>
<dict>
<key>04ZSSMHI2O7WBVOA</key>
<array>
<string>none</string>
</array>
<key>04ZSSMHI2O7WBVOB</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</plist>
```
## Related topics
- [Overview of device control for macOS](mac-device-control-overview.md)

370
windows/security/threat-protection/microsoft-defender-atp/mac-device-control-overview.md Normal file
View File

@ -0,0 +1,370 @@
---
title: Device control for macOS
description: Learn how to configure Microsoft Defender for Endpoint for Mac to reduce threats from removable storage such as USB devices.
keywords: microsoft, defender, atp, mac, device, control, usb, removable, media
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
ms.mktglfcycl: security
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
ms.technology: mde
---
# Device control for macOS
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
## Requirements
Device control for macOS has the following prerequisites:
>[!div class="checklist"]
> - MicrosoftDefenderfor Endpointentitlement(can betrial)
> - Minimum OS version: macOS 10.15.4 or higher
> - Minimum product version: 101.24.59
> - Your device must be running with system extensions (this is the default on macOS 11 Big Sur).
>
> You can check if your device is running on system extensions by running the following command and verify that it is printing `endpoint_security_extension` to the console:
>
> ```bash
> mdatp health --field real_time_protection_subsystem
> ```
> - Your device must be in `Beta` (previously called `InsiderFast`) Microsoft AutoUpdate update channel. For more information, see[Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md).
>
> You can check the update channel using the following command:
>
> ```bash
> mdatp health --field release_ring
> ```
>
> If the above command does not print either `Beta` or `InsiderFast`, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted).
>
> ```bash
> defaults write com.microsoft.autoupdate2 ChannelName -string Beta
> ```
>
> Alternatively, if you are in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see[Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md).
## Device control policy
To configure device control for macOS, you must create a policy that describes the restrictions you want to put in place within your organization.
The device control policy is included in the configuration profile used to configure all other product settings. For more information, see [Configuration profile structure](mac-preferences.md#configuration-profile-structure).
Within the configuration profile, the device control policy is defined in the following section:
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | deviceControl |
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |
The device control policy can be used to:
- [Customize the URL target for notifications raised by device control](#customize-url-target-for-notifications-raised-by-device-control)
- [Allow or block removable devices](#allow-or-block-removable-devices)
### Customize URL target for notifications raised by device control
When the device control policy that you have put in place is enforced on a device (for example, access to a removable media device is restricted), a notification is displayed to the user.
![Device control notification](images/mac-device-control-notification.png)
When end users click this notification, a web page is opened in the default browser. You can configure the URL that is opened when end users click the notification.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | navigationTarget |
| **Data type** | String |
| **Comments** | If not defined, the product uses a default URL pointing to a generic page explaining the action taken by the product. |
### Allow or block removable devices
The removable media section of the device control policy is used to restrict access to removable media.
> [!NOTE]
> The following types of removable media are currently supported and can be included in the policy: USB storage devices.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | removableMediaPolicy |
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |
This section of the policy is hierarchical, allowing for maximum flexibility and covering a wide range of use cases. At the top level are vendors, identified by a vendor ID. For each vendor, there are products, identified by a product ID. Finally, for each product there are serial numbers denoting specific devices.
```
|-- policy top level
|-- vendor 1
|-- product 1
|-- serial number 1
...
|-- serial number N
...
|-- product N
...
|-- vendor N
```
For information on how to find the device identifiers, see [Look up device identifiers](#look-up-device-identifiers).
The policy is evaluated from the most specific entry to the most general one. Meaning, when a device is plugged in, the product tries to find the most specific match in the policy for each removable media device and apply the permissions at that level. If there is no match, then the next best match is applied, all the way to the permission specified at the top level, which is the default when a device does not match any other entry in the policy.
#### Policy enforcement level
Under the removable media section, there is an option to set the enforcement level, which can take one of the following values:
- `audit` - Under this enforcement level, if access to a device is restricted, a notification is displayed to the user, however the device can still be used. This enforcement level can be useful to evaluate the effectiveness of a policy.
- `block` - Under this enforcement level, the operations that the user can perform on the device are limited to what is defined in the policy. Furthermore, a notification is raised to the user.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | enforcementLevel |
| **Data type** | String |
| **Possible values** | audit (default) <br/> block |
#### Default permission level
At the top level of the removable media section, you can configure the default permission level for devices that do not match anything else in the policy.
This setting can be set to:
- `none` - No operations can be performed on the device
- A combination of the following values:
- `read` - Read operations are permitted on the device
- `write` - Write operations are permitted on the device
- `execute` - Execute operations are permitted on the device
> [!NOTE]
> If `none` is present in the permission level, any other permissions (`read`, `write`, or `execute`) will be ignored.
> [!NOTE]
> The `execute` permission only refers to execution of Mach-O binaries. It does not include execution of scripts or other types of payloads.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | permission |
| **Data type** | Array of strings |
| **Possible values** | none <br/> read <br/> write <br/> execute |
#### Restrict removable media by vendor, product, and serial number
As described in [Allow or block removable devices](#allow-or-block-removable-devices), removable media such as USB devices can be identified by the vendor ID, product ID, and serial number.
At the top level of the removable media policy, you can optionally define more granular restrictions at the vendor level.
The `vendors` dictionary contains one or more entries, with each entry being identified by the vendor ID.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | vendors |
| **Data type** | Dictionary (nested preference) |
For each vendor, you can specify the desired permission level for devices from that vendor.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | permission |
| **Data type** | Array of strings |
| **Possible values** | Same as [Default permission level](#default-permission-level) |
Furthermore, you can optionally specify the set of products belonging to that vendor for which more granular permissions are defined. The `products` dictionary contains one or more entries, with each entry being identified by the product ID.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | products |
| **Data type** | Dictionary (nested preference) |
For each product, you can specify the desired permission level for that product.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | permission |
| **Data type** | Array of strings |
| **Possible values** | Same as [Default permission level](#default-permission-level) |
Furthermore, you can specify an optional set of serial numbers for which more granular permissions are defined.
The `serialNumbers` dictionary contains one or more entries, with each entry being identified by the serial number.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | serialNumbers |
| **Data type** | Dictionary (nested preference) |
For each serial number, you can specify the desired permission level.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | permission |
| **Data type** | Array of strings |
| **Possible values** | Same as [Default permission level](#default-permission-level) |
#### Example device control policy
The following example shows how all of the above concepts can be combined into a device control policy. In the following example, note the hierarchical nature of the removable media policy.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>navigationTarget</key>
<string>[custom URL for notifications]</string>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>[enforcement level]</string> <!-- audit / block -->
<key>permission</key>
<array>
<string>[permission]</string> <!-- none / read / write / execute -->
<!-- other permissions -->
</array>
<key>vendors</key>
<dict>
<key>[vendor id]</key>
<dict>
<key>permission</key>
<array>
<string>[permission]</string> <!-- none / read / write / execute -->
<!-- other permissions -->
</array>
<key>products</key>
<dict>
<key>[product id]</key>
<dict>
<key>permission</key>
<array>
<string>[permission]</string> <!-- none / read / write / execute -->
<!-- other permissions -->
</array>
<key>serialNumbers</key>
<dict>
<key>[serial-number]</key>
<array>
<string>[permission]</string> <!-- none / read / write / execute -->
<!-- other permissions -->
</array>
<!-- other serial numbers -->
</dict>
</dict>
<!-- other products -->
</dict>
</dict>
<!-- other vendors -->
</dict>
</dict>
</dict>
</dict>
</plist>
```
We have included more examples of device control policies in the following documents:
- [Examples of device control policies for Intune](mac-device-control-intune.md)
- [Examples of device control policies for JAMF](mac-device-control-jamf.md)
#### Look up device identifiers
To find the vendor ID, product ID, and serial number of a USB device:
1. Log into a Mac device.
1. Plug in the USB device for which you want to look up the identifiers.
1. In the top-level menu of macOS, select **About This Mac**.
![About this Mac](images/mac-device-control-lookup-1.png)
1. Select **System Report**.
![System Report](images/mac-device-control-lookup-2.png)
1. From the left column, select **USB**.
![View of all USB devices](images/mac-device-control-lookup-3.png)
1. Under **USB Device Tree**, navigate to the USB device that you plugged in.
![Details of a USB device](images/mac-device-control-lookup-4.png)
1. The vendor ID, product ID, and serial number are displayed. When adding the vendor ID and product ID to the removable media policy, you must only add the part after `0x`. For example, in the below image, vendor ID is `1000` and product ID is `090c`.
#### Discover USB devices in your organization
You can view mount, unmount, and volume change events originating from USB devices in Microsoft Defender for Endpoint advanced hunting. These events can be helpful to identify suspicious usage activity or perform internal investigations.
```
DeviceEvents
| where ActionType == "UsbDriveMount" or ActionType == "UsbDriveUnmount" or ActionType == "UsbDriveDriveLetterChanged"
| where DeviceId == "<device ID>"
```
## Device control policy deployment
The device control policy must be included next to the other product settings, as described in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md).
This profile can be deployed using the instructions listed in [Configuration profile deployment](mac-preferences.md#configuration-profile-deployment).
## Troubleshooting tips
After pushing the configuration profile through Intune or JAMF, you can check if it was successfully picked up by the product by running the following command from the Terminal:
```bash
mdatp device-control removable-media policy list
```
This command will print to standard output the device control policy that the product is using. In case this prints `Policy is empty`, make sure that (a) the configuration profile has indeed been pushed to your device from the management console, and (b) it is a valid device control policy, as described in this document.
On a device where the policy has been delivered successfully and where there are one or more devices plugged in, you can run the following command to list all devices and the effective permissions applied to them.
```bash
mdatp device-control removable-media devices list
```
Example of output:
```Output
.Device(s)
|-o Name: Untitled 1, Permission ["read", "execute"]
| |-o Vendor: General "fff0"
| |-o Product: USB Flash Disk "1000"
| |-o Serial number: "04ZSSMHI2O7WBVOA"
| |-o Mount point: "/Volumes/TESTUSB"
```
In the above example, there is only one removable media device plugged in and it has `read` and `execute` permissions, according to the device control policy that was delivered to the device.
## Related topics
- [Examples of device control policies for Intune](mac-device-control-intune.md)
- [Examples of device control policies for JAMF](mac-device-control-jamf.md)

215
windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
View File

@ -75,12 +75,12 @@ You'll need to take the following steps:
1. Locate the file `WindowsDefenderATPOnboarding.plist` from the previous section.
![Image of file](images/plist-onboarding-file.png)
![Image of WindowsDefenderATPOnboarding file](images/plist-onboarding-file.png)
2. In the Jamf Pro dashboard, select **New**.
![Image of Jamf Pro dashboard](images/jamf-pro-configure-profile.png)
![Image of creating a new Jamf Pro dashboard](images/jamf-pro-configure-profile.png)
3. Enter the following details:
@ -93,13 +93,13 @@ You'll need to take the following steps:
4. In **Application & Custom Settings** select **Configure**.
![Image of configuration profile](images/jamfpro-mac-profile.png)
![Image of configurate app and custom settings](images/jamfpro-mac-profile.png)
5. Select **Upload File (PLIST file)** then in **Preference Domain** enter: `com.microsoft.wdav.atp`.
![Image of upload file](images/jamfpro-plist-upload.png)
![Image of jamfpro plist upload file](images/jamfpro-plist-upload.png)
![Image of upload file](images/jamfpro-plist-file.png)
![Image of upload file property List file](images/jamfpro-plist-file.png)
7. Select **Open** and select the onboarding file.
@ -118,17 +118,17 @@ You'll need to take the following steps:
![Image of target computers](images/jamfpro-target-computer.png)
![Image of target computers](images/jamfpro-targets.png)
![Image of targets](images/jamfpro-targets.png)
11. Select **Save**.
![Image of target computers](images/jamfpro-deployment-target.png)
![Image of deployment target computers](images/jamfpro-deployment-target.png)
![Image of target computers selected](images/jamfpro-target-selected.png)
12. Select **Done**.
![Image of target computers](images/jamfpro-target-group.png)
![Image of target group computers](images/jamfpro-target-group.png)
![List of configuration profiles](images/jamfpro-configuration-policies.png)
@ -268,7 +268,7 @@ You'll need to take the following steps:
3. In the Jamf Pro dashboard, select **General**.
![Image of Jamf Pro dashboard](images/644e0f3af40c29e80ca1443535b2fe32.png)
![Image of the new Jamf Pro dashboard](images/644e0f3af40c29e80ca1443535b2fe32.png)
4. Enter the following details:
@ -280,64 +280,64 @@ You'll need to take the following steps:
- Distribution Method: Install Automatically(default)
- Level: Computer Level(default)
![Image of configuration settings](images/3160906404bc5a2edf84d1d015894e3b.png)
![Image of MDATP MDAV configuration settings](images/3160906404bc5a2edf84d1d015894e3b.png)
5. In **Application & Custom Settings** select **Configure**.
![Image of configuration settings](images/e1cc1e48ec9d5d688087b4d771e668d2.png)
![Image of app and custom settings](images/e1cc1e48ec9d5d688087b4d771e668d2.png)
6. Select **Upload File (PLIST file)**.
![Image of configuration settings](images/6f85269276b2278eca4bce84f935f87b.png)
![Image of configuration settings plist file](images/6f85269276b2278eca4bce84f935f87b.png)
7. In **Preferences Domain**, enter `com.microsoft.wdav`, then select **Upload PLIST File**.
![Image of configuration settings](images/db15f147dd959e872a044184711d7d46.png)
![Image of configuration settings preferences domain](images/db15f147dd959e872a044184711d7d46.png)
8. Select **Choose File**.
![Image of configuration settings](images/526e978761fc571cca06907da7b01fd6.png)
![Image of configuration settings choose file](images/526e978761fc571cca06907da7b01fd6.png)
9. Select the **MDATP_MDAV_configuration_settings.plist**, then select **Open**.
![Image of configuration settings](images/98acea3750113b8dbab334296e833003.png)
![Image of mdatpmdav configuration settings](images/98acea3750113b8dbab334296e833003.png)
10. Select **Upload**.
![Image of configuration settings](images/0adb21c13206861ba9b30a879ade93d3.png)
![Image of configuration setting upload](images/0adb21c13206861ba9b30a879ade93d3.png)
![Image of configuration settings](images/f624de59b3cc86e3e2d32ae5de093e02.png)
![Image of configuration settings upload image](images/f624de59b3cc86e3e2d32ae5de093e02.png)
>[!NOTE]
>If you happen to upload the Intune file, you'll get the following error:<br>
>![Image of configuration settings](images/8e69f867664668796a3b2904896f0436.png)
>![Image of configuration settings intune file upload](images/8e69f867664668796a3b2904896f0436.png)
11. Select **Save**.
![Image of configuration settings](images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png)
![Image of configuration settings Save image](images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png)
12. The file is uploaded.
![Image of configuration settings](images/33e2b2a1611fdddf6b5b79e54496e3bb.png)
![Image of configuration settings file uploaded image](images/33e2b2a1611fdddf6b5b79e54496e3bb.png)
![Image of configuration settings](images/a422e57fe8d45689227e784443e51bd1.png)
![Image of configuration settings file uploaded](images/a422e57fe8d45689227e784443e51bd1.png)
13. Select the **Scope** tab.
![Image of configuration settings](images/9fc17529e5577eefd773c658ec576a7d.png)
![Image of configuration settings scope](images/9fc17529e5577eefd773c658ec576a7d.png)
14. Select **Contoso's Machine Group**.
15. Select **Add**, then select **Save**.
![Image of configuration settings](images/cf30438b5512ac89af1d11cbf35219a6.png)
![Image of configuration settings addsav](images/cf30438b5512ac89af1d11cbf35219a6.png)
![Image of configuration settings](images/6f093e42856753a3955cab7ee14f12d9.png)
![Image of configuration settings save add](images/6f093e42856753a3955cab7ee14f12d9.png)
16. Select **Done**. You'll see the new **Configuration profile**.
![Image of configuration settings](images/dd55405106da0dfc2f50f8d4525b01c8.png)
![Image of configuration settings config profile image](images/dd55405106da0dfc2f50f8d4525b01c8.png)
## Step 4: Configure notifications settings
@ -360,45 +360,45 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Distribution Method: Install Automatically(default)
- Level: Computer Level(default)
![Image of configuration settings](images/c9820a5ff84aaf21635c04a23a97ca93.png)
![Image of configuration settings mdatpmdav](images/c9820a5ff84aaf21635c04a23a97ca93.png)
5. Select **Upload File (PLIST file)**.
![Image of configuration settings](images/7f9138053dbcbf928e5182ee7b295ebe.png)
![Image of configuration settings upload plistfile](images/7f9138053dbcbf928e5182ee7b295ebe.png)
6. Select **Choose File** > **MDATP_MDAV_Notification_Settings.plist**.
![Image of configuration settings](images/4bac6ce277aedfb4a674f2d9fcb2599a.png)
![Image of configuration settings mdatpmdav notsettings](images/4bac6ce277aedfb4a674f2d9fcb2599a.png)
![Image of configuration settings](images/20e33b98eb54447881dc6c89e58b890f.png)
![Image of configuration settings mdatpmdav notifsettings](images/20e33b98eb54447881dc6c89e58b890f.png)
7. Select **Open** > **Upload**.
![Image of configuration settings](images/7697c33b9fd376ae5a8023d01f9d3857.png)
![Image of configuration settings upl img](images/7697c33b9fd376ae5a8023d01f9d3857.png)
![Image of configuration settings](images/2bda9244ec25d1526811da4ea91b1c86.png)
![Image of configuration settings upl image](images/2bda9244ec25d1526811da4ea91b1c86.png)
8. Select the **Scope** tab, then select **Add**.
![Image of configuration settings](images/441aa2ecd36abadcdd8aed03556080b5.png)
![Image of configuration settings scope add](images/441aa2ecd36abadcdd8aed03556080b5.png)
9. Select **Contoso's Machine Group**.
10. Select **Add**, then select **Save**.
![Image of configuration settings](images/09a275e321268e5e3ac0c0865d3e2db5.png)
![Image of configuration settings contoso machine grp save](images/09a275e321268e5e3ac0c0865d3e2db5.png)
![Image of configuration settings](images/4d2d1d4ee13d3f840f425924c3df0d51.png)
![Image of configuration settings add save](images/4d2d1d4ee13d3f840f425924c3df0d51.png)
11. Select **Done**. You'll see the new **Configuration profile**.
![Image of configuration setting](images/633ad26b8bf24ec683c98b2feb884bdf.png)
![Image of configuration setting done img](images/633ad26b8bf24ec683c98b2feb884bdf.png)
## Step 5: Configure Microsoft AutoUpdate (MAU)
@ -410,7 +410,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
<plist version="1.0">
<dict>
<key>ChannelName</key>
<string>Production</string>
<string>Current</string>
<key>HowToCheck</key>
<string>AutomaticDownload</string>
<key>EnableCheckForUpdatesButton</key>
@ -427,7 +427,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
3. In the Jamf Pro dashboard, select **General**.
![Image of configuration setting](images/eaba2a23dd34f73bf59e826217ba6f15.png)
![Image of configuration setting general image](images/eaba2a23dd34f73bf59e826217ba6f15.png)
4. Enter the following details:
@ -441,54 +441,54 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
5. In **Application & Custom Settings** select **Configure**.
![Image of configuration setting](images/1f72e9c15eaafcabf1504397e99be311.png)
![Image of configuration setting app and custom settings](images/1f72e9c15eaafcabf1504397e99be311.png)
6. Select **Upload File (PLIST file)**.
![Image of configuration setting](images/1213872db5833aa8be535da57653219f.png)
![Image of configuration setting plist](images/1213872db5833aa8be535da57653219f.png)
7. In **Preference Domain** enter: `com.microsoft.autoupdate2`, then select **Upload PLIST File**.
![Image of configuration setting](images/1213872db5833aa8be535da57653219f.png)
![Image of configuration setting pref domain](images/1213872db5833aa8be535da57653219f.png)
8. Select **Choose File**.
![Image of configuration setting](images/335aff58950ce62d1dabc289ecdce9ed.png)
![Image of configuration setting choosefile](images/335aff58950ce62d1dabc289ecdce9ed.png)
9. Select **MDATP_MDAV_MAU_settings.plist**.
![Image of configuration setting](images/a26bd4967cd54bb113a2c8d32894c3de.png)
![Image of configuration setting mdatpmdavmau settings](images/a26bd4967cd54bb113a2c8d32894c3de.png)
10. Select **Upload**.
![Image of configuration setting](images/4239ca0528efb0734e4ca0b490bfb22d.png)
![Image of configuration setting uplimage](images/4239ca0528efb0734e4ca0b490bfb22d.png)
![Image of configuration setting](images/4ec20e72c8aed9a4c16912e01692436a.png)
![Image of configuration setting uplimg](images/4ec20e72c8aed9a4c16912e01692436a.png)
11. Select **Save**.
![Image of configuration setting](images/253274b33e74f3f5b8d475cf8692ce4e.png)
![Image of configuration setting saveimg](images/253274b33e74f3f5b8d475cf8692ce4e.png)
12. Select the **Scope** tab.
![Image of configuration setting](images/10ab98358b2d602f3f67618735fa82fb.png)
![Image of configuration setting scopetab](images/10ab98358b2d602f3f67618735fa82fb.png)
13. Select **Add**.
![Image of configuration setting](images/56e6f6259b9ce3c1706ed8d666ae4947.png)
![Image of configuration setting addimg1](images/56e6f6259b9ce3c1706ed8d666ae4947.png)
![Image of configuration setting](images/38c67ee1905c4747c3b26c8eba57726b.png)
![Image of configuration setting addimg2](images/38c67ee1905c4747c3b26c8eba57726b.png)
![Image of configuration setting](images/321ba245f14743c1d5d51c15e99deecc.png)
![Image of configuration setting addimg3](images/321ba245f14743c1d5d51c15e99deecc.png)
14. Select **Done**.
![Image of configuration setting](images/ba44cdb77e4781aa8b940fb83e3c21f7.png)
![Image of configuration setting doneimage](images/ba44cdb77e4781aa8b940fb83e3c21f7.png)
## Step 6: Grant full disk access to Microsoft Defender for Endpoint
1. In the Jamf Pro dashboard, select **Configuration Profiles**.
![Image of configuration setting](images/264493cd01e62c7085659d6fdc26dc91.png)
![Image of configuration setting config profile](images/264493cd01e62c7085659d6fdc26dc91.png)
2. Select **+ New**.
@ -502,11 +502,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Level: Computer level
![Image of configuration setting](images/ba3d40399e1a6d09214ecbb2b341923f.png)
![Image of configuration setting general](images/ba3d40399e1a6d09214ecbb2b341923f.png)
4. In **Configure Privacy Preferences Policy Control** select **Configure**.
![Image of configuration setting](images/715ae7ec8d6a262c489f94d14e1e51bb.png)
![Image of configuration privacy policy control](images/715ae7ec8d6a262c489f94d14e1e51bb.png)
5. In **Privacy Preferences Policy Control**, enter the following details:
@ -514,12 +514,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Identifier Type: Bundle ID
- Code Requirement: `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`
![Image of configuration setting](images/22cb439de958101c0a12f3038f905b27.png)
6. Select **+ Add**.
![Image of configuration setting](images/bd93e78b74c2660a0541af4690dd9485.png)
![Image of configuration setting add system policy all files](images/bd93e78b74c2660a0541af4690dd9485.png)
- Under App or service: Set to **SystemPolicyAllFiles**
@ -527,11 +526,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
7. Select **Save** (not the one at the bottom right).
![Image of configuration setting](images/6de50b4a897408ddc6ded56a09c09fe2.png)
![Image of configuration setting save images](images/6de50b4a897408ddc6ded56a09c09fe2.png)
8. Click the `+` sign next to **App Access** to add a new entry.
![Image of configuration setting](images/tcc-add-entry.png)
![Image of configuration setting app access](images/tcc-add-entry.png)
9. Enter the following details:
@ -541,7 +540,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
10. Select **+ Add**.
![Image of configuration setting](images/tcc-epsext-entry.png)
![Image of configuration setting tcc epsext entry](images/tcc-epsext-entry.png)
- Under App or service: Set to **SystemPolicyAllFiles**
@ -549,19 +548,19 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
11. Select **Save** (not the one at the bottom right).
![Image of configuration setting](images/tcc-epsext-entry2.png)
![Image of configuration setting tcc epsext image2](images/tcc-epsext-entry2.png)
12. Select the **Scope** tab.
![Image of configuration setting](images/2c49b16cd112729b3719724f581e6882.png)
![Image of configuration setting scope](images/2c49b16cd112729b3719724f581e6882.png)
13. Select **+ Add**.
![Image of configuration setting](images/57cef926d1b9260fb74a5f460cee887a.png)
![Image of configuration setting addimage](images/57cef926d1b9260fb74a5f460cee887a.png)
14. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**.
![Image of configuration setting](images/368d35b3d6179af92ffdbfd93b226b69.png)
![Image of configuration setting contoso machinegrp](images/368d35b3d6179af92ffdbfd93b226b69.png)
15. Select **Add**.
@ -569,9 +568,9 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
17. Select **Done**.
![Image of configuration setting](images/809cef630281b64b8f07f20913b0039b.png)
![Image of configuration setting donimg](images/809cef630281b64b8f07f20913b0039b.png)
![Image of configuration setting](images/6c8b406ee224335a8c65d06953dc756e.png)
![Image of configuration setting donimg2](images/6c8b406ee224335a8c65d06953dc756e.png)
## Step 7: Approve Kernel extension for Microsoft Defender for Endpoint
@ -590,11 +589,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Distribution Method: Install Automatically
- Level: Computer Level
![Image of configuration settings](images/24e290f5fc309932cf41f3a280d22c14.png)
![Image of configuration settings mdatpmdav kernel](images/24e290f5fc309932cf41f3a280d22c14.png)
3. In **Configure Approved Kernel Extensions** select **Configure**.
![Image of configuration settings](images/30be88b63abc5e8dde11b73f1b1ade6a.png)
![Image of configuration settings approved kernel ext](images/30be88b63abc5e8dde11b73f1b1ade6a.png)
4. In **Approved Kernel Extensions** Enter the following details:
@ -602,11 +601,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Display Name: Microsoft Corp.
- Team ID: UBF8T346G9
![Image of configuration settings](images/39cf120d3ac3652292d8d1b6d057bd60.png)
![Image of configuration settings appr kernel extension](images/39cf120d3ac3652292d8d1b6d057bd60.png)
5. Select the **Scope** tab.
![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png)
![Image of configuration settings scope tab img](images/0df36fc308ba569db204ee32db3fb40a.png)
6. Select **+ Add**.
@ -614,15 +613,15 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
8. Select **+ Add**.
![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png)
![Image of configuration settings add images](images/0dde8a4c41110dbc398c485433a81359.png)
9. Select **Save**.
![Image of configuration settings](images/0add8019b85a453b47fa5c402c72761b.png)
![Image of configuration settings saveimag](images/0add8019b85a453b47fa5c402c72761b.png)
10. Select **Done**.
![Image of configuration settings](images/1c9bd3f68db20b80193dac18f33c22d0.png)
![Image of configuration settings doneimag](images/1c9bd3f68db20b80193dac18f33c22d0.png)
## Step 8: Approve System extensions for Microsoft Defender for Endpoint
@ -641,11 +640,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Distribution Method: Install Automatically
- Level: Computer Level
![Image of configuration settings](images/sysext-new-profile.png)
![Image of configuration settings sysext new prof](images/sysext-new-profile.png)
3. In **System Extensions** select **Configure**.
![Image of configuration settings](images/sysext-configure.png)
![Image of configuration settings sysext config](images/sysext-configure.png)
4. In **System Extensions** enter the following details:
@ -656,11 +655,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- **com.microsoft.wdav.epsext**
- **com.microsoft.wdav.netext**
![Image of configuration settings](images/sysext-configure2.png)
![Image of configuration settings sysextconfig2](images/sysext-configure2.png)
5. Select the **Scope** tab.
![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png)
![Image of configuration settings scopeimage](images/0df36fc308ba569db204ee32db3fb40a.png)
6. Select **+ Add**.
@ -668,15 +667,15 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
8. Select **+ Add**.
![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png)
![Image of configuration settings addima](images/0dde8a4c41110dbc398c485433a81359.png)
9. Select **Save**.
![Image of configuration settings](images/sysext-scope.png)
![Image of configuration settings sysext scope](images/sysext-scope.png)
10. Select **Done**.
![Image of configuration settings](images/sysext-final.png)
![Image of configuration settings sysext-final](images/sysext-final.png)
## Step 9: Configure Network Extension
@ -704,19 +703,19 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender
5. Select **Choose File** and select `microsoft.network-extension.signed.mobileconfig`.
![Image of upload window](images/netext-choose-file.png)
![Image of upload window netext choose file](images/netext-choose-file.png)
6. Select **Upload**.
![Image of upload window](images/netext-upload-file2.png)
![Image of upload window netext upload file2](images/netext-upload-file2.png)
7. After uploading the file, you are redirected to a new page to finalize the creation of this profile.
![Image of new configuration profile](images/netext-profile-page.png)
![Image of new configuration profile netext profile page](images/netext-profile-page.png)
8. Select the **Scope** tab.
![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png)
![Image of configuration settings sco tab](images/0df36fc308ba569db204ee32db3fb40a.png)
9. Select **+ Add**.
@ -724,15 +723,15 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender
11. Select **+ Add**.
![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png)
![Image of configuration settings adim](images/0dde8a4c41110dbc398c485433a81359.png)
12. Select **Save**.
![Image of configuration settings](images/netext-scope.png)
![Image of configuration settings savimg netextscop](images/netext-scope.png)
13. Select **Done**.
![Image of configuration settings](images/netext-final.png)
![Image of configuration settings netextfinal](images/netext-final.png)
## Step 10: Schedule scans with Microsoft Defender for Endpoint for Mac
Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp).
@ -741,22 +740,22 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
1. Navigate to where you saved `wdav.pkg`.
![Image of file explorer](images/8dde76b5463047423f8637c86b05c29d.png)
![Image of file explorer wdav pkg](images/8dde76b5463047423f8637c86b05c29d.png)
2. Rename it to `wdav_MDM_Contoso_200329.pkg`.
![Image of file explorer](images/fb2220fed3a530f4b3ef36f600da0c27.png)
![Image of file explorer1 wdavmdmpkg](images/fb2220fed3a530f4b3ef36f600da0c27.png)
3. Open the Jamf Pro dashboard.
![Image of configuration settings](images/990742cd9a15ca9fdd37c9f695d1b9f4.png)
![Image of configuration settings jamfpro](images/990742cd9a15ca9fdd37c9f695d1b9f4.png)
4. Select your computer and click the gear icon at the top, then select **Computer Management**.
![Image of configuration settings](images/b6d671b2f18b89d96c1c8e2ea1991242.png)
![Image of configuration settings compmgmt](images/b6d671b2f18b89d96c1c8e2ea1991242.png)
5. In **Packages**, select **+ New**.
![A picture containing bird Description automatically generated](images/57aa4d21e2ccc65466bf284701d4e961.png)
![A picture containing bird Description automatically generated package new](images/57aa4d21e2ccc65466bf284701d4e961.png)
6. In **New Package** Enter the following details:
@ -765,7 +764,7 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
- Category: None (default)
- Filename: Choose File
![Image of configuration settings](images/21de3658bf58b1b767a17358a3f06341.png)
![Image of configuration settings general tab](images/21de3658bf58b1b767a17358a3f06341.png)
Open the file and point it to `wdav.pkg` or `wdav_MDM_Contoso_200329.pkg`.
@ -779,75 +778,75 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
**Limitations tab**<br> Keep default values.
![Image of configuration settings](images/56dac54634d13b2d3948ab50e8d3ef21.png)
![Image of configuration settings limitation tab](images/56dac54634d13b2d3948ab50e8d3ef21.png)
8. Select **Save**. The package is uploaded to Jamf Pro.
![Image of configuration settings](images/33f1ecdc7d4872555418bbc3efe4b7a3.png)
![Image of configuration settings pack upl jamf pro](images/33f1ecdc7d4872555418bbc3efe4b7a3.png)
It can take a few minutes for the package to be available for deployment.
![Image of configuration settings](images/1626d138e6309c6e87bfaab64f5ccf7b.png)
![Image of configuration settings pack upl](images/1626d138e6309c6e87bfaab64f5ccf7b.png)
9. Navigate to the **Policies** page.
![Image of configuration settings](images/f878f8efa5ebc92d069f4b8f79f62c7f.png)
![Image of configuration settings polocies](images/f878f8efa5ebc92d069f4b8f79f62c7f.png)
10. Select **+ New** to create a new policy.
![Image of configuration settings](images/847b70e54ed04787e415f5180414b310.png)
![Image of configuration settings new policy](images/847b70e54ed04787e415f5180414b310.png)
11. In **General** Enter the following details:
- Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later
![Image of configuration settings](images/625ba6d19e8597f05e4907298a454d28.png)
![Image of configuration settingsmdatponboard ](images/625ba6d19e8597f05e4907298a454d28.png)
12. Select **Recurring Check-in**.
![Image of configuration settings](images/68bdbc5754dfc80aa1a024dde0fce7b0.png)
![Image of configuration settings recur checkin](images/68bdbc5754dfc80aa1a024dde0fce7b0.png)
13. Select **Save**.
14. Select **Packages > Configure**.
![Image of configuration settings](images/8fb4cc03721e1efb4a15867d5241ebfb.png)
![Image of configuration settings pack configure](images/8fb4cc03721e1efb4a15867d5241ebfb.png)
15. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
![Image of configuration settings](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png)
![Image of configuration settings MDATP and MDA add](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png)
16. Select **Save**.
![Image of configuration settings](images/9d6e5386e652e00715ff348af72671c6.png)
![Image of configuration settingssavimg](images/9d6e5386e652e00715ff348af72671c6.png)
17. Select the **Scope** tab.
![Image of configuration settings](images/8d80fe378a31143db9be0bacf7ddc5a3.png)
![Image of configuration settings scptab](images/8d80fe378a31143db9be0bacf7ddc5a3.png)
18. Select the target computers.
![Image of configuration settings](images/6eda18a64a660fa149575454e54e7156.png)
![Image of configuration settings tgtcomp](images/6eda18a64a660fa149575454e54e7156.png)
**Scope**
Select **Add**.
![Image of configuration settings](images/1c08d097829863778d562c10c5f92b67.png)
![Image of configuration settings ad1img](images/1c08d097829863778d562c10c5f92b67.png)
![Image of configuration settings](images/216253cbfb6ae738b9f13496b9c799fd.png)
![Image of configuration settings ad2img](images/216253cbfb6ae738b9f13496b9c799fd.png)
**Self-Service**
![Image of configuration settings](images/c9f85bba3e96d627fe00fc5a8363b83a.png)
![Image of configuration settings selfservice](images/c9f85bba3e96d627fe00fc5a8363b83a.png)
19. Select **Done**.
![Image of configuration settings](images/99679a7835b0d27d0a222bc3fdaf7f3b.png)
![Image of configuration settings do1img](images/99679a7835b0d27d0a222bc3fdaf7f3b.png)
![Image of configuration settings](images/632aaab79ae18d0d2b8e0c16b6ba39e2.png)
![Image of configuration settings do2img](images/632aaab79ae18d0d2b8e0c16b6ba39e2.png)

98
windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
View File

@ -43,7 +43,7 @@ The following steps can be used to troubleshoot and mitigate these issues:
1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender for Endpoint for Mac is contributing to the performance issues.
If your device is not managed by your organization, real-time protection can be disabled using one of the following options:
If your device is not managed by your organization, real-time protection can be disabled using one of the following options:
- From the user interface. Open Microsoft Defender for Endpoint for Mac and navigate to **Manage settings**.
@ -55,10 +55,102 @@ The following steps can be used to troubleshoot and mitigate these issues:
mdatp config real-time-protection --value disabled
```
If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md).
If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md).
If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response component. In this case, please contact customer support for further instructions and mitigation.
2. Open Finder and navigate to **Applications** > **Utilities**. Open **Activity Monitor** and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
3. Configure Microsoft Defender for Endpoint for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
1. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Mac.
> [!NOTE]
> This feature is available in version 100.90.70 or newer.
This feature is enabled by default on the **Dogfood** and **InsiderFast** channels. If you're using a different update channel, this feature can be enabled from the command line:
```bash
mdatp config real-time-protection-statistics --value enabled
```
This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
```bash
mdatp health --field real_time_protection_enabled
```
Verify that the **real_time_protection_enabled** entry is true. Otherwise, run the following command to enable it:
```bash
mdatp config real-time-protection --value enabled
```
```output
Configuration property updated
```
To collect current statistics, run:
```bash
mdatp config real-time-protection --value enabled
```
> [!NOTE]
> Using **--output json** (note the double dash) ensures that the output format is ready for parsing.
The output of this command will show all processes and their associated scan activity.
1. On your Mac system, download the sample Python parser high_cpu_parser.py using the command:
```bash
wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py
```
The output of this command should be similar to the following:
```Output
--2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.
mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.xxx.xxx
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.xxx.xxx| :443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1020 [text/plain]
Saving to: 'high_cpu_parser.py'
100%[===========================================>] 1,020 --.-K/s in
0s
```
1. Next, type the following commands:
```bash
chmod +x high_cpu_parser.py
```
```bash
cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log
```
The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact.
For example, the output of the command will be something like the below:
```output
... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10
27432 None 76703
73467 actool 1249
73914 xcodebuild 1081
73873 bash 1050
27475 None 836
1 launchd 407
73468 ibtool 344
549 telemetryd_v1 325
4764 None 228
125 CrashPlanService 164
```
To improve the performance of Defender for Endpoint for Mac, locate the one with the highest number under the Total files scanned row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md).
> [!NOTE]
> The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
1. Configure Microsoft Defender for Endpoint for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
See [Configure and validate exclusions for Microsoft Defender for Endpoint for Mac](mac-exclusions.md) for details.

2
windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
View File

@ -55,7 +55,7 @@ These steps assume you already have Defender for Endpoint running on your device
If your device isn't already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect the next time the product starts (when the next product update is installed, or when the device is rebooted).
```bash
defaults write com.microsoft.autoupdate2 ChannelName -string InsiderFast
defaults write com.microsoft.autoupdate2 ChannelName -string Beta
```
Alternatively, if you're in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [Deploy updates for Microsoft Defender ATP for Mac: Set the channel name](mac-updates.md#set-the-channel-name).

39
windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
View File

@ -57,19 +57,27 @@ This section describes the most common preferences that can be used to configure
### Set the channel name
The channel determines the type and frequency of updates that are offered through MAU. Devices in `InsiderFast` (corresponding to the Insider Fast channel) can try out new features before devices in `External` (corresponding to the Insider Slow channel) and `Production`.
The channel determines the type and frequency of updates that are offered through MAU. Devices in `Beta` can try out new features before devices in `Preview` and `Current`.
The `Production` channel contains the most stable version of the product.
The `Current` channel contains the most stable version of the product.
>[!IMPORTANT]
> Prior to Microsoft AutoUpdate version 4.29, channels had different names:
>
> - `Beta` was named `InsiderFast` (Insider Fast)
> - `Preview` was named `External` (Insider Slow)
> - `Current` was named `Production`
>[!TIP]
>In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `InsiderFast` or `External`.
>In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `Beta` or `Preview`.
|||
|:---|:---|
|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | ChannelName |
| **Data type** | String |
| **Possible values** | InsiderFast <br/> External <br/> Production |
| **Possible values** | Beta <br/> Preview <br/> Current |
|||
>[!WARNING]
>This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel only for Microsoft Defender for Endpoint for Mac, execute the following command after replacing `[channel-name]` with the desired channel:
@ -82,62 +90,67 @@ The `Production` channel contains the most stable version of the product.
Change how often MAU searches for updates.
|||
|:---|:---|
|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | UpdateCheckFrequency |
| **Data type** | Integer |
| **Default value** | 720 (minutes) |
| **Comment** | This value is set in minutes. |
|||
### Change how MAU interacts with updates
Change how MAU searches for updates.
|||
|:---|:---|
|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | HowToCheck |
| **Data type** | String |
| **Possible values** | Manual <br/> AutomaticCheck <br/> AutomaticDownload |
| **Comment** | Note that AutomaticDownload will do a download and install silently if possible. |
|||
### Change whether the "Check for Updates" button is enabled
Change whether local users will be able to click the "Check for Updates" option in the Microsoft AutoUpdate user interface.
|||
|:---|:---|
|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | EnableCheckForUpdatesButton |
| **Data type** | Boolean |
| **Possible values** | True (default) <br/> False |
|||
### Disable Insider checkbox
Set to true to make the "Join the Office Insider Program..." checkbox unavailable / greyed out to users.
|||
|:---|:---|
|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | DisableInsiderCheckbox |
| **Data type** | Boolean |
| **Possible values** | False (default) <br/> True |
|||
### Limit the telemetry that is sent from MAU
Set to false to send minimal heartbeat data, no application usage, and no environment details.
|||
|:---|:---|
|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | SendAllTelemetryEnabled |
| **Data type** | Boolean |
| **Possible values** | True (default) <br/> False |
|||
## Example configuration profile
The following configuration profile is used to:
- Place the device in the Insider Fast channel
- Place the device in the Beta channel
- Automatically download and install updates
- Enable the "Check for updates" button in the user interface
- Allow users on the device to enroll into the Insider channels
@ -150,7 +163,7 @@ The following configuration profile is used to:
<plist version="1.0">
<dict>
<key>ChannelName</key>
<string>InsiderFast</string>
<string>Beta</string>
<key>HowToCheck</key>
<string>AutomaticDownload</string>
<key>EnableCheckForUpdatesButton</key>
@ -210,7 +223,7 @@ The following configuration profile is used to:
<key>PayloadEnabled</key>
<true/>
<key>ChannelName</key>
<string>InsiderFast</string>
<string>Beta</string>
<key>HowToCheck</key>
<string>AutomaticDownload</string>
<key>EnableCheckForUpdatesButton</key>

5
windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
View File

@ -36,6 +36,11 @@ ms.technology: mde
> [!IMPORTANT]
> Support for macOS 10.13 (High Sierra) has been discontinued on February 15th, 2021.
## 101.23.64 (20.121021.12364.0)
- Added a new option to the command-line tool to view information about the last on-demand scan. To view information about the last on-demand scan, run `mdatp health --details antivirus`
- Performance improvements & bug fixes
## 101.22.79 (20.121012.12279.0)
- Performance improvements & bug fixes

83
windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
View File

@ -20,7 +20,7 @@ ms.collection:
- m365solution-scenario
ms.topic: article
ms.custom: migrationguides
ms.date: 03/03/2021
ms.date: 03/21/2021
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
@ -45,7 +45,7 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
## Enable Microsoft Defender Antivirus and confirm it's in passive mode
On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as McAfee. (To learn more about this, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).)
On certain versions of Windows, such as Windows Server, someone might have uninstalled or disabled Microsoft Defender Antivirus when your McAfee solution was installed. Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as McAfee. In such cases, security teams opt to uninstall or disable Microsoft Defender Antivirus. (To learn more, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).)
This step of the migration process includes the following tasks:
- [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server)
@ -56,7 +56,7 @@ This step of the migration process includes the following tasks:
### Set DisableAntiSpyware to false on Windows Server
The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
In the past, organizations used the [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key to disable Microsoft Defender Antivirus, and then deploy another antivirus product, such as McAfee. Currently, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
1. On your Windows Server device, open Registry Editor.
@ -68,12 +68,12 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d
- If you do see **DisableAntiSpyware**, proceed to step 4.
4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.
4. Right-click on **DisableAntiSpyware**, and then choose **Modify**.
5. Set the value to `0`. (This sets the registry key's value to *false*.)
> [!TIP]
> To learn more about this registry key, see [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware).
> To learn more, see [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware).
### Reinstall Microsoft Defender Antivirus on Windows Server
@ -91,11 +91,11 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender` <br/>
> [!NOTE]
> When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
> Example:<br/>
> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<br/>
> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/>
> [!NOTE]
> When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
> Example:<br/>
> `C:\Windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<br/>
> `C:\Windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/>
3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet: <br/>
@ -103,23 +103,24 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d
#### Are you using Windows Server 2016?
If you're using Windows Server 2016 and are having trouble enabling Microsoft Defender Antivirus, use the following PowerShell cmdlet:
If you're using Windows Server 2016 and are having trouble enabling Microsoft Defender Antivirus, use the following procedure.
`mpcmdrun -wdenable`
1. Open Windows PowerShell as an administrator.
2. Run the following PowerShell cmdlet: `mpcmdrun -wdenable`
> [!TIP]
> Still need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
### Set Microsoft Defender Antivirus to passive mode on Windows Server
Because your organization is still using McAfee, you must set Microsoft Defender Antivirus to passive mode. That way, McAfee and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint.
Because your organization is still using McAfee, you must set Microsoft Defender Antivirus to passive mode. That way, McAfee and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint. One way to do this is by using a registry key.
1. Open Registry Editor, and then navigate to <br/>
`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
1. Open Registry Editor, and then navigate to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
- Set the DWORD's value to **1**.
- Set the **REG_DWORD** value to **1**.
- Under **Base**, select **Hexadecimal**.
@ -131,15 +132,15 @@ Because your organization is still using McAfee, you must set Microsoft Defender
### Enable Microsoft Defender Antivirus on your Windows client devices
Because your organization has been using McAfee as your primary antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus.
Because your organization has been using McAfee as your primary antivirus solution, you might find that Microsoft Defender Antivirus has been disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus.
To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table:
|Method |What to do |
|---------|---------|
|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/><br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/><br/>2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. <br/>If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).<br/><br/>3. Select **Properties**, and then select **Configuration settings: Edit**.<br/><br/>4. Expand **Microsoft Defender Antivirus**. <br/><br/>5. Enable **Cloud-delivered protection**.<br/><br/>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<br/><br/>7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<br/><br/>8. Select **Review + save**, and then choose **Save**.<br/><br/>For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows). <br/><br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`. <br/><br/>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<br/> <br/>3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus. <br/><br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <p>**NOTE**: Intune is now part of Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in. <p>2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. <br/>If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). <p>3. Select **Properties**, and then select **Configuration settings: Edit**. <p>4. Expand **Microsoft Defender Antivirus**. <p>5. Enable **Cloud-delivered protection**. <p>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**. <p>7. In the **Detect potentially unwanted applications** dropdown, select either **Enable** or **Audit**. <p>8. Select **Review + save**, and then choose **Save**. <p>For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows). <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/) <p>or<p>[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to **Computer configuration** > **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus**. <p>2. Look for a policy called **Turn off Microsoft Defender Antivirus**. <p>3. Choose **Edit policy setting**, and make sure that policy is set to **Not configured**. This action enables Microsoft Defender Antivirus. <p>**NOTE**: You might see **Windows Defender Antivirus** instead of **Microsoft Defender Antivirus** in some versions of Windows. |
### Confirm that Microsoft Defender Antivirus is in passive mode
@ -147,35 +148,31 @@ Microsoft Defender Antivirus can run alongside McAfee if you set Microsoft Defen
|Method |What to do |
|---------|---------|
|Command Prompt |1. On a Windows device, open Command Prompt as an administrator. <br/><br/>2. Type `sc query windefend`, and then press Enter.<br/><br/>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.<br/><br/>2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet. <br/><br/>3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.|
|Command Prompt |1. On a Windows device, open Command Prompt as an administrator. <p>2. Type `sc query windefend`, and then press Enter. <p>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator. <p>2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet. <p>3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.|
> [!NOTE]
> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
> You might see **Windows Defender Antivirus** instead of **Microsoft Defender Antivirus** in some versions of Windows.
## Get updates for Microsoft Defender Antivirus
Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. Even Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility), you should get and install your updates. There are two types of updates for your antivirus and antimalware protection: Security intelligence updates, and product updates.
There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
- Security intelligence updates
- Product updates
To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
Follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
## Add Microsoft Defender for Endpoint to the exclusion list for McAfee
This step of the setup process involves adding Microsoft Defender for Endpoint to the exclusion list for McAfee and any other security products your organization is using.
> [!TIP]
> To get help configuring exclusions, refer to McAfee documentation, such as the following article: [McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows: Configuring exclusions](https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orchestrator-windows/page/GUID-71C5FB4B-A143-43E6-8BF0-8B2C16ABE6DA.html).
> To get help configuring exclusions, refer to McAfee documentation, such as [McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows: Configuring exclusions](https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orchestrator-windows/page/GUID-71C5FB4B-A143-43E6-8BF0-8B2C16ABE6DA.html).
The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
|OS |Exclusions |
|--|--|
|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information))<br/>- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed <br/>- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/> |
|- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <br/>- [Windows 7](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/>- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/>- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<br/><br/>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
|- [Windows 10 with version 1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information))<br/>- Windows 10 with version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed <br/>- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe` <p> `C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe` <p> `C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<p> |
|- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <br/>- [Windows 7](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/>- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/>- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe` <p> **NOTE**: Monitoring Host Temporary Files 6\45 can have different numbered subfolders. <p> `C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<p/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<p/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe` <p> `C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe` <p> `C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe` <p> `C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
## Add McAfee to the exclusion list for Microsoft Defender Antivirus
@ -191,17 +188,17 @@ You can choose from several methods to add your exclusions to Microsoft Defender
|Method | What to do|
|--|--|
|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/><br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/><br/>2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<br/><br/>3. Under **Manage**, select **Properties**. <br/><br/>4. Select **Configuration settings: Edit**.<br/><br/>5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<br/><br/>6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<br/><br/>7. Choose **Review + save**, and then choose **Save**. |
|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <br/><br/>2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.<br/><br/>2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.<br/><br/>3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/><br/>4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<br/><br/>5. Click **OK**.<br/><br/>6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<br/><br/>7. Click **OK**. |
|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <br/><br/>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**. <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/><br/>3. Specify your path and process exclusions. |
|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<br/><br/>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <p/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in. <p> 2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure. <p> 3. Under **Manage**, select **Properties**. <p> 4. Select **Configuration settings: Edit**. <p> 5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**. <p> 6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions). <p> 7. Choose **Review + save**, and then choose **Save**. |
|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <p> 2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). <p> 2. Right-click the Group Policy Object you want to configure, and then select **Edit**. <p> 3. In the **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**. <p> 4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**. <br/>**NOTE**: You might see **Windows Defender Antivirus** instead of **Microsoft Defender Antivirus** in some versions of Windows. <p> 5. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, select **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Specify **0** in the **Value** column. <p> 6. Select **OK**. <p> 7. Double-click the **Extension Exclusions** setting, and then add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column. Specify **0** in the **Value** column. <p> 8. Select **OK**. |
|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <p> 2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**. <br/>**NOTE**: You might see **Windows Defender Antivirus** instead of **Microsoft Defender Antivirus** in some versions of Windows. <p> 3. Specify your path and process exclusions. |
|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`. <p> 2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
## Add McAfee to the exclusion list for Microsoft Defender for Endpoint
To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
1. Go to the **Microsoft Defender Security Center** [MDAT Portal](https://aka.ms/MDATPportal) and sign in.
2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
@ -217,7 +214,7 @@ To add exclusions to Microsoft Defender for Endpoint, you create [indicators](ht
5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
6. On the **Summary** tab, review the settings, and then click **Save**.
6. On the **Summary** tab, review the **settings**, and then click **Save**.
### Find a file hash using CMPivot
@ -235,7 +232,7 @@ To use CMPivot to get your file hash, follow these steps:
5. In the **Device Collection** list, and choose **All Systems (default)**.
6. In the query box, type the following query:<br/>
6. In the **query** box, type the following query:<br/>
```kusto
File(c:\\windows\\notepad.exe)
@ -248,9 +245,9 @@ File(c:\\windows\\notepad.exe)
| Collection type | What to do |
|--|--|
|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<br/><br/> Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <br/><br/>Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).<br/><br/>2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**. <br/><br/>3. Choose **+ Add device group**.<br/><br/>4. Specify a name and description for the device group.<br/><br/>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).<br/><br/>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags). <br/><br/>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <br/><br/>8. Choose **Done**. |
|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization. <br/><br/>Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.<br/><br/> Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<p/> Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <br/><br/>Device groups are created in the **Microsoft Defender Security Center**. |1. Go to the [Microsoft Defender Security Center](https://aka.ms/MDATPportal)). <p> 2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**. <p> 3. Choose **+ Add device group**. <p> 4. Specify a name and description for the device group. <p> 5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated). <p> 6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags). <p> 7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <p> 8. Choose **Done**. |
|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization. <p> Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings. <p> Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
## Configure antimalware policies and real-time protection

10
windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
View File

@ -40,20 +40,22 @@ This managed threat hunting service provides expert-driven insights and data thr
> [!NOTE]
> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service.
If you're a Microsoft Defender for Endpoint customer, you need to apply for Microsoft Threat Experts - Targeted Attack Notifications to get special insights and analysis that help identify the most critical threats so you can respond to them quickly. Contact your account team or Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand to consult with our threat experts on relevant detections and adversaries.
If you're a Microsoft Defender for Endpoint customer, you need to apply for **Microsoft Threat Experts - Targeted Attack Notifications** to get special insights and analysis that help identify the most critical threats in your environment so you can respond to them quickly.
To enroll to Microsoft Threat Experts - Targeted Attack Notifications benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts - Targeted Attack Notifications** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications.
Contact your account team or Microsoft representative to subscribe to **Microsoft Threat Experts - Experts on Demand** to consult with our threat experts on relevant detections and adversaries that your organization is facing.
See [Configure Microsoft Threat Experts capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#before-you-begin) for details.
## Targeted attack notification
Microsoft Threat Experts provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. These notifications shows up as a new alert. The managed hunting service includes:
## Microsoft Threat Experts - Targeted attack notification
Microsoft Threat Experts - Targeted attack notification provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. These notifications shows up as a new alert. The managed hunting service includes:
- Threat monitoring and analysis, reducing dwell time and risk to the business
- Hunter-trained artificial intelligence to discover and prioritize both known and unknown attacks
- Identifying the most important risks, helping SOCs maximize time and energy
- Scope of compromise and as much context as can be quickly delivered to enable fast SOC response.
## Collaborate with experts, on demand
## Microsoft Threat Experts - Experts on Demand
Customers can engage our security experts directly from within Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised devices, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can:
- Get additional clarification on alerts including root cause or scope of the incident
- Gain clarity into suspicious device behavior and next steps if faced with an advanced attacker

22
windows/security/threat-protection/microsoft-defender-atp/network-protection.md
View File

@ -31,6 +31,11 @@ ms.date: 03/08/2021
Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that might host phishing scams, exploits, and other malicious content on the Internet. Network protection expands the scope of [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
Network protection is supported on Windows, beginning with Windows 10, version 1709.
Network Protection is not yet supported on other operating systems. To learn which Web Protection functionality is supported using the Edge (Chromium) browser, see [Web protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview) to find out which Web Protection functionality is supported using the Edge (Chromium) browser.
Network Protection extends the protection in [Web protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview) to an OS level and would thus provide Web protection functionality in Edge to other supported browsers as well as non-browser applications.
In addition, Network Protection provides visibility and blocking of Indicators of Compromise (IOCs) when used with [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) including the enforcement of your [custom indicator list](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).
For more information about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
@ -88,6 +93,23 @@ This procedure creates a custom view that filters to only show the following eve
| 1125 | Event when network protection fires in audit mode |
| 1126 | Event when network protection fires in block mode |
## Considerations for Windows virtual desktop running Windows 10 Enterprise Multi-Session
Due to the multi-user nature of this operating system, please observe the following:
1. Network Protection is a machine-wide feature and cannot be targeted to specific user (sessions).
2. This applies to Web content filtering policies as well.
3. If differentiation between user groups is required, consider creating separate Windows Virtual Desktop host pools and assignments.
4. Test Network Protection in audit mode to test behavior before blocking.
5. Due to the multi-user nature, you may consider resizing your deployment accordingly.
Alternative option:
For Windows 10 Enterprise Multi-Session 1909 and up, used in Windows Virtual Desktop on Azure, Network protection for Microsoft Edge can be enabled using the following method:
1. Use Turn on network protection - Windows security | Microsoft Docs and follow the instructions to apply your policy
2. Execute the following PowerShell command: Set-MpPreference -AllowNetworkProtectionOnWinServer 1
## Related articles
- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrates how the feature works, and what events would typically be created.

13
windows/security/threat-protection/microsoft-defender-atp/preview.md
View File

@ -31,14 +31,11 @@ ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink)
The Defender for Endpoint service is constantly being updated to include new feature enhancements and capabilities.
> [!TIP]
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink)
Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience.
>[!TIP]
@ -64,14 +61,6 @@ The following features are included in the preview release:
- [Device health and compliance report](machine-reports.md) <br/> The device health and compliance report provides high-level information about the devices in your organization.
- [Information protection](information-protection-in-windows-overview.md)<BR>
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender for Endpoint is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices.
>[!NOTE]
>Partially available from Windows 10, version 1809.
- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019) <BR> Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices.
> [!TIP]
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink)

1
windows/security/threat-protection/security-compliance-toolkit-10.md
View File

@ -31,7 +31,6 @@ The Security Compliance Toolkit consists of:
- Windows 10 Version 20H2 (October 2020 Update)
- Windows 10 Version 2004 (May 2020 Update)
- Windows 10 Version 1909 (November 2019 Update)
- Windows 10 Version 1903 (May 2019 Update)
- Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
- Windows 10 Version 1607 (Anniversary Update)

64
windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
View File

@ -10,11 +10,10 @@ ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
author: dansimp
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 05/21/2019
ms.technology: mde
---
@ -92,4 +91,65 @@ Example 3: Allows a specific COM object to register in PowerShell
</Value>
</Setting>
```
### How to configure settings for the CLSIDs
Given the following example of an error in the Event Viewer (**Application and Service Logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**):
Log Name: Microsoft-Windows-AppLocker/MSI and Script
Source: Microsoft-Windows-AppLocker
Date: 11/11/2020 1:18:11 PM
Event ID: 8036
Task Category: None
Level: Error
Keywords:
User: S-1-5-21-3340858017-3068726007-3466559902-3647
Computer: contoso.com
Description:
{f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy.
Event XML:
```XML
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-AppLocker" Guid="{cbda4dbf-8d5d-4f69-9578-be14aa540d22}" />
<EventID>8036</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2020-11-11T19:18:11.4029179Z" />
<EventRecordID>819347</EventRecordID>
<Correlation ActivityID="{61e3e871-adb0-0047-c9cc-e761b0add601}" />
<Execution ProcessID="21060" ThreadID="23324" />
<Channel>Microsoft-Windows-AppLocker/MSI and Script</Channel>
<Computer>contoso.com</Computer>
<Security UserID="S-1-5-21-3340858017-3068726007-3466559902-3647" />
</System>
<EventData>
<Data Name="IsApproved">false</Data>
<Data Name="CLSID">{f8d253d9-89a4-4daa-87b6-1168369f0b21}</Data>
</EventData>
</Event>
```
To add this CLSID to the existing policy, use the following steps:
1. Open PowerShell ISE with Administrative privileges.
2. Copy and edit this command, then run it from the admin PowerShell ISE. Consider the policy name to be `WDAC_policy.xml`.
```PowerShell
PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath <path to policy xml>\WDAC_policy.xml -Key 8856f961-340a-11d0-a96b-00c04fd705a2 -Provider WSH -Value True -ValueName EnterpriseDefinedClsId -ValueType Boolean
```
Once the command has been run, you will find that the following section is added to the policy XML.
```XML
<Settings>
<Setting Provider="WSH" Key="8856f961-340a-11d0-a96b-00c04fd705a2" ValueName="EnterpriseDefinedClsId">
<Value>
<Boolean>true</Boolean>
</Value>
</Setting>
```

20
windows/whats-new/ltsc/whats-new-windows-10-2019.md
View File

@ -482,26 +482,6 @@ Previously, the customized taskbar could only be deployed using Group Policy or
## Windows Update
### Windows Update for Business
Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
### Windows Insider for Business
We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business).

54
windows/whats-new/whats-new-windows-10-version-2004.md
View File

@ -18,7 +18,7 @@ ms.topic: article
**Applies to**
- Windows 10, version 2004
This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 2004, also known as the Windows 10 May 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1909.
This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 2004, also known as the Windows 10 May 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1909.
To download and install Windows 10, version 2004, use Windows Update (**Settings > Update & Security > Windows Update**). For more information, see this [video](https://aka.ms/Windows-10-May-2020-Update).
@ -33,7 +33,7 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings
- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#windows-hello-pin-in-safe-mode-build-18995).
- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
@ -108,17 +108,17 @@ Windows PowerShell cmdlets have been improved:
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting.
Additional improvements:
- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
- Automatic cloud-based congestion detection is available for PCs with cloud service support.
The following [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) policies are removed in this release:
- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
- Reason: Replaced with separate policies for foreground and background
- Reason: Replaced with separate policies for foreground and background.
- Max Upload Bandwidth (DOMaxUploadBandwidth)
- Reason: impacts uploads to internet peers only, which isn't used in Enterprises.
- Reason: Impacts uploads to internet peers only, which isn't used in enterprises.
- Absolute max throttle (DOMaxDownloadBandwidth)
- Reason: separated to foreground and background
- Reason: Separated to foreground and background.
### Windows Update for Business
@ -134,11 +134,11 @@ The following [Delivery Optimization](https://docs.microsoft.com/windows/deploym
### Wi-Fi 6 and WPA3
Windows now supports the latest Wi-Fi standards with [Wi-Fi 6 and WPA3](https://support.microsoft.com/help/4562575/windows-10-faster-more-secure-wifi). Wi-Fi 6 gives you better wireless coverage and performance with added security. WPA3 provides improved Wi-Fi security and secures open networks.
Windows now supports the latest Wi-Fi standards with [Wi-Fi 6 and WPA3](https://support.microsoft.com/help/4562575/windows-10-faster-more-secure-wifi). Wi-Fi 6 gives you better wireless coverage and performance with added security. WPA3 provides improved Wi-Fi security and secures open networks.
### TEAP
In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added as an authentication method to allow chaining together multiple credentials into a single EAP transaction. TEAP networks can be configured by [enterprise policy](https://docs.microsoft.com/openspecs/windows_protocols/ms-gpwl/94cf6896-c28e-4865-b12a-d83ee38cd3ea).
In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added as an authentication method to allow chaining together multiple credentials into a single EAP transaction. TEAP networks can be configured by [enterprise policy](https://docs.microsoft.com/openspecs/windows_protocols/ms-gpwl/94cf6896-c28e-4865-b12a-d83ee38cd3ea).
## Virtualization
@ -182,7 +182,7 @@ Also see information about the exciting new Edge browser [here](https://blogs.wi
## Application settings
This release enables explicit [control over when Windows automatically restarts apps](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC.
This release enables explicit [Control over restarting apps at sign-in (Build 18965)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC.
## Windows Shell
@ -194,8 +194,8 @@ Several enhancements to the Windows 10 user interface are implemented in this re
- Productivity: chat-based UI gives you the ability to [interact with Cortana using typed or spoken natural language queries](https://support.microsoft.com/help/4557165) to easily get information across Microsoft 365 and stay on track. Productivity focused capabilities such as finding people profiles, checking schedules, joining meetings, and adding to lists in Microsoft To Do are currently available to English speakers in the US.
- In the coming months, with regular app updates through the Microsoft Store, well enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users.
- In the coming months, with regular app updates through the Microsoft Store, well enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users.
- Security: tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tightened access, some consumer skills including music, connected home, and third-party skills will no longer be available. Additionally, users [get cloud-based assistance services that meet Office 365s enterprise-level privacy, security, and compliance promises](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide) as set out in the Online Services Terms.
- Move the Cortana window: drag the Cortana window to a more convenient location on your desktop.
@ -208,7 +208,7 @@ Windows Search is improved in several ways. For more information, see [Superchar
### Virtual Desktops
You can now [rename your virtual desktops](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#renaming-your-virtual-desktops-build-18975), instead of getting stuck with the system-issued names like Desktop 1.
There is a new [Update on Virtual Desktop renaming (Build 18975)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#update-on-virtual-desktop-renaming-build-18975), where, instead of getting stuck with the system-issued names like Desktop 1, you can now rename your virtual desktops more freely.
### Bluetooth pairing
@ -216,13 +216,13 @@ Pairing Bluetooth devices with your computer will occur through notifications, s
### Reset this PC
The 'reset this PC' recovery function now includes a [cloud download](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-reset-this-pc-option-cloud-download-build-18970) option.
The 'reset this PC' recovery function now includes a [cloud download](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#reset-your-pc-from-the-cloud-build-18970) option.
### Task Manager
The following items are added to Task Manager in this release:
- GPU Temperature is available on the Performance tab for devices with a dedicated GPU card.
- Disk type is now [listed for each disk on the Performance tab](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#disk-type-visible-in-task-manager-performance-tab-build-18898).
- Disk type is now [listed for each disk on the Performance tab](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#disk-type-now-visible-in-task-manager-performance-tab-build-18898).
## Graphics & display
@ -232,7 +232,7 @@ The following items are added to Task Manager in this release:
### 2-in-1 PCs
A [new tablet experience](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for two-in-one convertible PCs is available. The screen will be optimized for touch when you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption.
See [Introducing a new tablet experience for 2-in-1 convertible PCs! (Build 18970)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#introducing-a-new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for details on a new tablet experience for two-in-one convertible PCs that is now available. The screen will be optimized for touch when you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption.
### Specialized displays
@ -245,24 +245,24 @@ Examples include:
- Dedicated video monitoring
- Monitor panel testing and validation
- Independent Hardware Vendor (IHV) driver testing and validation
To prevent Windows from using a display, choose Settings > Display and click Advanced display settings. Select a display to view or change, and then set the Remove display from desktop setting to On. The display will now be available for a specialized use.
## Desktop Analytics
[Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
[Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/whats-new).
## See Also
- [Whats new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.<br>
- [Whats new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.<br>
- [What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.<br>
- [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.<br>
- [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See whats new in other versions of Windows 10.<br>
- [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.<br>
- [What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses.<br>
- [What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.<br>
- [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.<br>
- [Windows 10 features were no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.<br>
- [Whats new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.
- [Whats new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.
- [What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
- [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
- [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See whats new in other versions of Windows 10.
- [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
- [What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/Active-Dev-Branch): A preview of new features for businesses.
- [What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.
- [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
- [Windows 10 features were no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.