mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-22 13:53:39 +00:00
Merge branch 'master' into tvm-updates
This commit is contained in:
Beth Levin
@ -112,7 +112,7 @@ The following table defines which Windows features require TPM support.
|
||||
Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
|
||||
-|-|-|-|-
|
||||
Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot
|
||||
BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required, but [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support
|
||||
BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support
|
||||
Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.
|
||||
Windows Defender Application Control (Device Guard) | No | Yes | Yes
|
||||
Windows Defender System Guard | Yes | No | Yes
|
||||
|
||||
@ -41,7 +41,7 @@ This policy setting configured which TPM authorization values are stored in the
|
||||
|--------------|---------------|---------|-----------------|-----------------|------------------|
|
||||
| OwnerAuthAdmin | StorageOwnerAuth | Create SRK | No | Yes | Yes |
|
||||
| OwnerAuthEndorsement | EndorsementAuth | Create or use EK (1.2 only: Create AIK) | No | Yes | Yes |
|
||||
| OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | No |
|
||||
| OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | Yes |
|
||||
|
||||
There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**.
|
||||
|
||||
|
||||
@ -133,6 +133,15 @@
|
||||
##### [Antivirus compatibility]()
|
||||
###### [Compatibility charts](microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
|
||||
###### [Use limited periodic antivirus scanning](microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md)
|
||||
|
||||
##### [Manage next-generation protection in your business]()
|
||||
###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
|
||||
###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next-generation protection](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
|
||||
###### [Use Group Policy settings to manage next-generation protection](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
|
||||
###### [Use PowerShell cmdlets to manage next-generation protection](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
|
||||
###### [Use Windows Management Instrumentation (WMI) to manage next-generation protection](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
|
||||
###### [Use the mpcmdrun.exe command line tool to manage next-generation protection](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
|
||||
###### [Handle false positives/negatives in Microsoft Defender Antivirus](microsoft-defender-antivirus/antivirus-false-positives-negatives.md)
|
||||
|
||||
##### [Deploy, manage updates, and report on antivirus]()
|
||||
###### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
|
||||
@ -169,14 +178,6 @@
|
||||
|
||||
##### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
|
||||
|
||||
##### [Manage antivirus in your business]()
|
||||
###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
|
||||
###### [Use Group Policy settings to configure and manage antivirus](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
|
||||
###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
|
||||
###### [Use PowerShell cmdlets to configure and manage antivirus](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
|
||||
###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
|
||||
###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
|
||||
|
||||
##### [Manage scans and remediation]()
|
||||
###### [Management overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
|
||||
|
||||
@ -196,16 +197,6 @@
|
||||
###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
|
||||
###### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
|
||||
|
||||
##### [Manage next-generation protection in your business]()
|
||||
###### [Handle false positives/negatives in Microsoft Defender Antivirus](microsoft-defender-antivirus/antivirus-false-positives-negatives.md)
|
||||
###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
|
||||
###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next-generation protection](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
|
||||
###### [Use Group Policy settings to manage next-generation protection](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
|
||||
###### [Use PowerShell cmdlets to manage next-generation protection](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
|
||||
###### [Use Windows Management Instrumentation (WMI) to manage next-generation protection](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
|
||||
###### [Use the mpcmdrun.exe command line tool to manage next-generation protection](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
|
||||
|
||||
|
||||
#### [Better together: Microsoft Defender Antivirus and Microsoft Defender ATP](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md)
|
||||
#### [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md)
|
||||
|
||||
|
||||
@ -18,10 +18,6 @@ ms.custom: nextgen
|
||||
|
||||
# Configure Microsoft Defender Antivirus exclusions on Windows Server
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
|
||||
|
||||
> [!NOTE]
|
||||
|
||||
@ -7,7 +7,6 @@ ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: denisebmsft
|
||||
ms.author: deniseb
|
||||
@ -97,3 +96,5 @@ If you uninstall the other product, and choose to use Microsoft Defender Antivir
|
||||
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
|
||||
- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md)
|
||||
- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
|
||||
- [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
|
||||
- [Configure Endpoint Protection on a standalone client](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure-standalone-client)
|
||||
|
||||
@ -111,3 +111,51 @@ If hyperthreading is disabled (because of an update applied through a KB article
|
||||
|
||||
Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
|
||||
|
||||
### Why am I getting the error message ("ERR_NAME_NOT_RESOLVED") after not being able to reach PAC file?
|
||||
|
||||
This is a known issue. To mitigate this you need to create two firewall rules.
|
||||
For guidance on how to create a firewall rule by using group policy, see:
|
||||
- [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule)
|
||||
- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
|
||||
|
||||
First rule (DHCP Server):
|
||||
1. Program path: %SystemRoot%\System32\svchost.exe
|
||||
2. Local Service: Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))
|
||||
3. Protocol UDP
|
||||
4. Port 67
|
||||
|
||||
Second rule (DHCP Client)
|
||||
This is the same as the first rule, but scoped to local port 68.
|
||||
In the Microsoft Defender Firewall user interface go through the following steps:
|
||||
1. Right click on inbound rules, create a new rule.
|
||||
2. Choose **custom rule**.
|
||||
3. Program path: **%SystemRoot%\System32\svchost.exe**.
|
||||
4. Protocol Type: UDP, Specific ports: 67, Remote port: any.
|
||||
5. Any IP addresses.
|
||||
6. Allow the connection.
|
||||
7. All profiles.
|
||||
8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
|
||||
9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
|
||||
|
||||
### Why can I not launch Application Guard when Exploit Guard is enabled?
|
||||
|
||||
There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to Windows Security-> App and Browser control -> Exploit Protection Setting -> switch CFG to the “use default".
|
||||
|
||||
|
||||
### How can I have ICS in enabled state yet still use Application Guard?
|
||||
|
||||
This is a two step process.
|
||||
|
||||
Step 1:
|
||||
|
||||
Enable Internet Connection sharing by changing the Group Policy setting “Prohibit use of Internet Connection Sharing on your DNS domain network” which is part of the MS Security baseline from Enabled to Disabled.
|
||||
|
||||
Step 2:
|
||||
|
||||
1. Disable IpNat.sys from ICS load
|
||||
System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1
|
||||
2. Configure ICS (SharedAccess) to enabled
|
||||
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3
|
||||
3. Disabling IPNAT (Optional)
|
||||
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4
|
||||
4. Reboot.
|
||||
|
||||
@ -27,6 +27,10 @@ ms.topic: article
|
||||
|
||||
The `DeviceLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
|
||||
|
||||
> [!NOTE]
|
||||
> Collection of DeviceLogonEvents is not supported on Windows 7 or Windows Server 2008 R2.
|
||||
> We recommend upgrading to Windows 10 or Windows Server 2019 for optimal visibility into user logon activity.
|
||||
|
||||
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
||||
|
||||
| Column name | Data type | Description |
|
||||
@ -68,4 +72,4 @@ For information on other tables in the advanced hunting schema, see [the advance
|
||||
## Related topics
|
||||
- [Advanced hunting overview](advanced-hunting-overview.md)
|
||||
- [Learn the query language](advanced-hunting-query-language.md)
|
||||
- [Understand the schema](advanced-hunting-schema-reference.md)
|
||||
- [Understand the schema](advanced-hunting-schema-reference.md)
|
||||
|
||||
@ -7,7 +7,6 @@ ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
audience: ITPro
|
||||
author: martyav
|
||||
@ -51,7 +50,7 @@ ASR currently supports all of the rules below:
|
||||
* [Block all Office applications from creating child processes](attack-surface-reduction.md#block-all-office-applications-from-creating-child-processes)
|
||||
* [Block Office applications from creating executable content](attack-surface-reduction.md#block-office-applications-from-creating-executable-content)
|
||||
* [Block Office applications from injecting code into other processes](attack-surface-reduction.md#block-office-applications-from-injecting-code-into-other-processes)
|
||||
* [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md##block-javascript-or-vbscript-from-launching-downloaded-executable-content)
|
||||
* [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md#block-javascript-or-vbscript-from-launching-downloaded-executable-content)
|
||||
* [Block execution of potentially obfuscated scripts](attack-surface-reduction.md#block-execution-of-potentially-obfuscated-scripts)
|
||||
* [Block Win32 API calls from Office macro](attack-surface-reduction.md#block-win32-api-calls-from-office-macros)
|
||||
* [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware)
|
||||
|
||||
@ -23,8 +23,7 @@ ms.topic: conceptual
|
||||
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
|
||||
- [Microsoft 365 Endpoint data loss prevention (DLP)](/microsoft-365/compliance/endpoint-dlp-learn-about)
|
||||
|
||||
Devices in your organization must be configured so that the Microsoft Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization.
|
||||
|
||||
|
||||
@ -191,9 +191,12 @@ The following capabilities are included in this integration:
|
||||
- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created (in the US for US users, in the EU for European and UK users).
|
||||
> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created (in the US for US users, in the EU for European and UK users).<br>
|
||||
Data collected by Microsoft Defender ATP is stored in the geo-location of the tenant as identified during provisioning.
|
||||
> - If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
|
||||
> - When you use Azure Security Center to monitor Windows servers, a Microsoft Defender ATP tenant is automatically created and the Microsoft Defender ATP data is stored in Europe by default. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
|
||||
> - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. <br>
|
||||
Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
|
||||
|
||||
|
||||
## Offboard Windows servers
|
||||
You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices.
|
||||
|
||||
@ -25,7 +25,7 @@ ms.topic: conceptual
|
||||
|
||||
## Collecting diagnostic information
|
||||
|
||||
If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.
|
||||
If you can reproduce a problem, increase the logging level, run the system for some time, and restore the logging level to the default.
|
||||
|
||||
1. Increase logging level:
|
||||
|
||||
@ -63,7 +63,7 @@ The detailed log will be saved to `/Library/Logs/Microsoft/mdatp/install.log`. I
|
||||
|
||||
## Uninstalling
|
||||
|
||||
There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune.
|
||||
There are several ways to uninstall Microsoft Defender ATP for Mac. Note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune.
|
||||
|
||||
### Interactive uninstallation
|
||||
|
||||
@ -100,6 +100,36 @@ Important tasks, such as controlling product settings and triggering on-demand s
|
||||
|EDR |Add group tag to device. EDR tags are used for managing device groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` |
|
||||
|EDR |Remove group tag from device |`mdatp --edr --remove-tag [name]` |
|
||||
|
||||
### How to enable autocompletion
|
||||
|
||||
To enable autocompletion in `Bash`, run the following command and restart the Terminal session:
|
||||
|
||||
```bash
|
||||
$ echo "source /Applications/Microsoft\ Defender\ ATP.app/Contents/Resources/Tools/mdatp_completion.bash" >> ~/.bash_profile
|
||||
```
|
||||
|
||||
To enable autocompletion in `zsh`:
|
||||
|
||||
- Check whether autocompletion is enabled on your device:
|
||||
|
||||
```zsh
|
||||
$ cat ~/.zshrc | grep autoload
|
||||
```
|
||||
|
||||
- If the above command does not produce any output, you can enable autocompletion using the following command:
|
||||
|
||||
```zsh
|
||||
$ echo "autoload -Uz compinit && compinit" >> ~/.zshrc
|
||||
```
|
||||
|
||||
- Run the following command to enable autocompletion for Microsoft Defender ATP for Mac and restart the Terminal session:
|
||||
|
||||
```zsh
|
||||
sudo mkdir -p /usr/local/share/zsh/site-functions
|
||||
|
||||
sudo ln -svf "/Applications/Microsoft Defender ATP.app/Contents/Resources/Tools/mdatp_completion.zsh" /usr/local/share/zsh/site-functions/_mdatp
|
||||
```
|
||||
|
||||
## Client Microsoft Defender ATP quarantine directory
|
||||
|
||||
`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`.
|
||||
|
||||
@ -41,7 +41,8 @@ While you can start a threat scan at any time with Microsoft Defender ATP, your
|
||||
</array>
|
||||
<key>RunAtLoad</key>
|
||||
<true/>
|
||||
<key>StartCalendarInterval</key><dict>
|
||||
<key>StartCalendarInterval</key>
|
||||
<dict>
|
||||
<key>Day</key>
|
||||
<integer>3</integer>
|
||||
<key>Hour</key>
|
||||
@ -68,11 +69,11 @@ While you can start a threat scan at any time with Microsoft Defender ATP, your
|
||||
4. To load your file into **launchd**, enter the following commands:
|
||||
|
||||
```bash
|
||||
`$ launchctl load /Library/LaunchDaemons/<your file name.plist>`
|
||||
`$ launchctl start <your file name>`
|
||||
launchctl load /Library/LaunchDaemons/<your file name.plist>
|
||||
launchctl start <your file name>
|
||||
```
|
||||
|
||||
5. Your scheduled scan runs at the date, time, and frequency you defined in your .plist file. In the example, the scan runs at 2:00 AM every 7 days on a Friday, with the StartInterval using 604800 seconds for one week.
|
||||
5. Your scheduled scan runs at the date, time, and frequency you defined in your .plist file. In the example, the scan runs at 2:00 AM every seven days on a Friday, with the StartInterval using 604,800 seconds for one week.
|
||||
|
||||
> [!NOTE]
|
||||
> Agents executed with launchd will not run at the scheduled time if the computer is asleep, but will run once the computer is awake. If the computer is off, the scan will not run until the computer is on at the next scheduled time.
|
||||
|
||||
@ -19,12 +19,30 @@ ms.topic: conceptual
|
||||
|
||||
# What's new in Microsoft Defender Advanced Threat Protection for Mac
|
||||
|
||||
> [!NOTE]
|
||||
> In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions.
|
||||
> [!IMPORTANT]
|
||||
> In preparation for macOS 11 Big Sur, we are getting ready to release an update to Microsoft Defender ATP for Mac that will leverage new system extensions instead of kernel extensions. Apple will stop supporting kernel extensions starting macOS 11 Big Sur version. Therefore an update to the Microsoft Defender ATP for Mac agent is required on all eligible macOS devices prior to moving these devices to macOS 11.
|
||||
>
|
||||
> In the meantime, starting with macOS Catalina update 10.15.4, Apple introduced a user facing *Legacy System Extension* warning to signal applications that rely on kernel extensions.
|
||||
> The update is applicable to devices running macOS version 10.15.4 or later.
|
||||
>
|
||||
> If you have previously allowed the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to allow the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to allow the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
|
||||
> To ensure that the Microsoft Defender ATP for Mac update is delivered and applied seamlessly from an end-user experience perspective, a new remote configuration must be deployed to all eligible macOS devices before Microsoft publishes the new agent version. If the configuration is not deployed prior to the Microsoft Defender ATP for Mac agent update, end-users will be presented with a series of system dialogs asking to grant the agent all necessary permissions associated with the new system extensions.
|
||||
>
|
||||
> Timing:
|
||||
> - Organizations that previously opted into Microsoft Defender ATP preview features in Microsoft Defender Security Center, must be ready for Microsoft Defender ATP for Mac agent update **by August 10, 2020**.
|
||||
> - Organizations that do not participate in public previews for Microsoft Defender ATP features, must be ready **by September 07, 2020**.
|
||||
>
|
||||
> Action is needed by IT administrator. Review the steps below and assess the impact on your organization:
|
||||
>
|
||||
> 1. Deploy the specified remote configuration to eligible macOS devices before Microsoft publishes the new agent version. <br/>
|
||||
> Even though Microsoft Defender ATP for Mac new implementation based on system extensions is only applicable to devices running macOS version 10.15.4 or later, deploying configuration proactively across the entire macOS fleet will ensure that even down-level devices are prepared for the day when Apple releases macOS 11 Big Sur and will ensure that Microsoft Defender ATP for Mac continues protecting all macOS devices regardless OS version they were running prior to the Big Sur upgrade.
|
||||
>
|
||||
> 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md).
|
||||
> 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update.
|
||||
|
||||
## 101.05.16
|
||||
|
||||
- Improvements to quick scan logic to significantly reduce the number of scanned files
|
||||
- Added [autocompletion support](mac-resources.md#how-to-enable-autocompletion) for the command-line tool
|
||||
- Bug fixes
|
||||
|
||||
## 101.03.12
|
||||
|
||||
|
||||
@ -1,528 +0,0 @@
|
||||
# [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md)
|
||||
|
||||
## [Overview]()
|
||||
### [Overview of Microsoft Defender ATP capabilities](overview.md)
|
||||
### [Threat & Vulnerability Management]()
|
||||
#### [Next-generation capabilities](next-gen-threat-and-vuln-mgt.md)
|
||||
#### [What's in the dashboard and what it means for my organization](tvm-dashboard-insights.md)
|
||||
#### [Exposure score](tvm-exposure-score.md)
|
||||
#### [Configuration score](configuration-score.md)
|
||||
#### [Security recommendation](tvm-security-recommendation.md)
|
||||
#### [Remediation](tvm-remediation.md)
|
||||
#### [Software inventory](tvm-software-inventory.md)
|
||||
#### [Weaknesses](tvm-weaknesses.md)
|
||||
#### [Scenarios](threat-and-vuln-mgt-scenarios.md)
|
||||
|
||||
|
||||
### [Attack surface reduction]()
|
||||
#### [Hardware-based isolation]()
|
||||
##### [Hardware-based isolation in Windows 10](overview-hardware-based-isolation.md)
|
||||
|
||||
##### [Application isolation]()
|
||||
###### [Application guard overview](../windows-defender-application-guard/wd-app-guard-overview.md)
|
||||
###### [System requirements](../windows-defender-application-guard/reqs-wd-app-guard.md)
|
||||
|
||||
##### [System integrity](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
|
||||
|
||||
#### [Application control]()
|
||||
##### [Windows Defender Application Guard](../windows-defender-application-control/windows-defender-application-control.md)
|
||||
|
||||
#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection.md)
|
||||
#### [Network protection](../windows-defender-exploit-guard/network-protection.md)
|
||||
#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders.md)
|
||||
#### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction.md)
|
||||
#### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md)
|
||||
|
||||
|
||||
### [Next generation protection](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
|
||||
|
||||
|
||||
### [Endpoint detection and response]()
|
||||
#### [Endpoint detection and response overview](overview-endpoint-detection-response.md)
|
||||
#### [Security operations dashboard](security-operations-dashboard.md)
|
||||
|
||||
#### [Incidents queue]()
|
||||
##### [View and organize the Incidents queue](view-incidents-queue.md)
|
||||
##### [Manage incidents](manage-incidents.md)
|
||||
##### [Investigate incidents](investigate-incidents.md)
|
||||
|
||||
#### [Alerts queue]()
|
||||
##### [View and organize the Alerts queue](alerts-queue.md)
|
||||
##### [Manage alerts](manage-alerts.md)
|
||||
##### [Investigate alerts](investigate-alerts.md)
|
||||
##### [Investigate files](investigate-files.md)
|
||||
##### [Investigate machines](investigate-machines.md)
|
||||
##### [Investigate an IP address](investigate-ip.md)
|
||||
##### [Investigate a domain](investigate-domain.md)
|
||||
##### [Investigate a user account](investigate-user.md)
|
||||
|
||||
#### [Machines list]()
|
||||
##### [View and organize the Machines list](machines-view-overview.md)
|
||||
|
||||
##### [Investigate machines]()
|
||||
###### [Machine details](investigate-machines.md#machine-details)
|
||||
###### [Response actions](investigate-machines.md#response-actions)
|
||||
###### [Cards](investigate-machines.md#cards)
|
||||
###### [Tabs](investigate-machines.md#tabs)
|
||||
|
||||
#### [Take response actions]()
|
||||
##### [Take response actions on a machine]()
|
||||
###### [Understand response actions](respond-machine-alerts.md)
|
||||
###### [Manage tags](respond-machine-alerts.md#manage-tags)
|
||||
###### [Initiate Automated Investigation](respond-machine-alerts.md#initiate-automated-investigation)
|
||||
###### [Initiate Live Response Session](respond-machine-alerts.md#initiate-live-response-session)
|
||||
###### [Collect investigation package from machines](respond-machine-alerts.md#collect-investigation-package-from-machines)
|
||||
###### [Run Microsoft Defender Antivirus scan on machines](respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-machines)
|
||||
###### [Restrict app execution](respond-machine-alerts.md#restrict-app-execution)
|
||||
###### [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network)
|
||||
###### [Check activity details in Action center](respond-machine-alerts.md#check-activity-details-in-action-center)
|
||||
|
||||
##### [Take response actions on a file]()
|
||||
###### [Understand response actions](respond-file-alerts.md)
|
||||
###### [Stop and quarantine files in your network](respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
|
||||
###### [Restore file from quarantine](respond-file-alerts.md#restore-file-from-quarantine)
|
||||
###### [Add an indicator to block or allow a file](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
|
||||
###### [Deep analysis](respond-file-alerts.md#deep-analysis)
|
||||
|
||||
##### [Live response]()
|
||||
###### [Investigate entities on machines](live-response.md)
|
||||
###### [Live response command examples](live-response-command-examples.md)
|
||||
|
||||
|
||||
### [Automated investigation and remediation]()
|
||||
#### [Understand Automated investigations](automated-investigations.md)
|
||||
#### [Learn about the automated investigation and remediation dashboard](manage-auto-investigation.md)
|
||||
#### [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md)
|
||||
|
||||
|
||||
### [Threat analytics](threat-analytics.md)
|
||||
|
||||
|
||||
### [Microsoft Threat Experts](microsoft-threat-experts.md)
|
||||
|
||||
|
||||
### [Advanced hunting]()
|
||||
#### [Advanced hunting overview](advanced-hunting-overview.md)
|
||||
|
||||
#### [Query data using Advanced hunting]()
|
||||
##### [Data querying basics](advanced-hunting-query-language.md)
|
||||
##### [Advanced hunting reference](advanced-hunting-schema-reference.md)
|
||||
##### [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
|
||||
|
||||
#### [Custom detections]()
|
||||
##### [Understand custom detection rules](overview-custom-detections.md)
|
||||
##### [Create custom detections rules](custom-detection-rules.md)
|
||||
|
||||
### [Management and APIs]()
|
||||
#### [Overview of management and APIs](management-apis.md)
|
||||
#### [Understand threat intelligence concepts](threat-indicator-concepts.md)
|
||||
#### [Microsoft Defender ATP APIs](apis-intro.md)
|
||||
#### [Managed security service provider support](mssp-support.md)
|
||||
|
||||
|
||||
### [Integrations]()
|
||||
#### [Microsoft Defender ATP integrations](threat-protection-integration.md)
|
||||
#### [Conditional Access integration overview](conditional-access.md)
|
||||
#### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md)
|
||||
|
||||
#### [Information protection in Windows overview]()
|
||||
##### [Windows integration](information-protection-in-windows-overview.md)
|
||||
##### [Use sensitivity labels to prioritize incident response](information-protection-investigation.md)
|
||||
|
||||
|
||||
### [Microsoft Threat Experts](microsoft-threat-experts.md)
|
||||
|
||||
|
||||
### [Portal overview](portal-overview.md)
|
||||
|
||||
|
||||
|
||||
## [Get started]()
|
||||
### [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md)
|
||||
### [Preview features](preview.md)
|
||||
### [Evaluation lab](evaluation-lab.md)
|
||||
### [Minimum requirements](minimum-requirements.md)
|
||||
### [Validate licensing and complete setup](licensing.md)
|
||||
|
||||
### [Data storage and privacy](data-storage-privacy.md)
|
||||
### [Assign user access to the portal](assign-portal-access.md)
|
||||
|
||||
### [Evaluate Microsoft Defender ATP capabilities]()
|
||||
#### [Evaluate attack surface reduction]()
|
||||
|
||||
##### [Evaluate attack surface reduction and next-generation capabilities](evaluate-atp.md)
|
||||
###### [Hardware-based isolation](../windows-defender-application-guard/test-scenarios-wd-app-guard.md)
|
||||
###### [Application control](../windows-defender-application-control/audit-windows-defender-application-control-policies.md)
|
||||
###### [Exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
|
||||
###### [Network Protection](../windows-defender-exploit-guard/evaluate-network-protection.md)
|
||||
###### [Controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
|
||||
###### [Attack surface reduction](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
|
||||
###### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
|
||||
##### [Evaluate next generation protection](../microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md)
|
||||
|
||||
### [Access the Microsoft Defender Security Center Community Center](community.md)
|
||||
|
||||
## [Configure and manage capabilities]()
|
||||
|
||||
### [Configure attack surface reduction](configure-attack-surface-reduction.md)
|
||||
|
||||
### [Hardware-based isolation]()
|
||||
#### [System integrity](../windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
|
||||
|
||||
#### [Application isolation]()
|
||||
##### [Install Windows Defender Application Guard](../windows-defender-application-guard/install-wd-app-guard.md)
|
||||
##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md)
|
||||
|
||||
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
|
||||
|
||||
#### [Device control]()
|
||||
##### [Control USB devices](../device-control/control-usb-devices-using-intune.md)
|
||||
|
||||
##### [Device Guard]()
|
||||
###### [Code integrity](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
|
||||
|
||||
###### [Memory integrity]()
|
||||
####### [Understand memory integrity](../windows-defender-exploit-guard/memory-integrity.md)
|
||||
####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
|
||||
####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
|
||||
|
||||
#### [Exploit protection]()
|
||||
##### [Enable exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)
|
||||
##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
|
||||
|
||||
#### [Network protection](../windows-defender-exploit-guard/enable-network-protection.md)
|
||||
|
||||
#### [Controlled folder access]()
|
||||
##### [Enable controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders.md)
|
||||
##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders.md)
|
||||
|
||||
#### [Attack surface reduction controls]()
|
||||
##### [Enable attack surface reduction rules](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)
|
||||
##### [Customize attack surface reduction rules](../windows-defender-exploit-guard/customize-attack-surface-reduction.md)
|
||||
|
||||
#### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
|
||||
|
||||
|
||||
### [Configure next generation protection]()
|
||||
#### [Configure Microsoft Defender Antivirus features](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md)
|
||||
#### [Utilize Microsoft cloud-delivered protection]()
|
||||
##### [Understand cloud-delivered protection](../microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
|
||||
##### [Enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md)
|
||||
##### [Specify the cloud-delivered protection level](../microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md)
|
||||
##### [Configure and validate network connections](../microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md)
|
||||
##### [Enable Block at first sight](../microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md)
|
||||
##### [Configure the cloud block timeout period](../microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
|
||||
|
||||
#### [Configure behavioral, heuristic, and real-time protection]()
|
||||
##### [Configuration overview](../microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md)
|
||||
##### [Detect and block potentially unwanted applications](../microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
|
||||
##### [Enable and configure always-on protection and monitoring](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md)
|
||||
|
||||
#### [Antivirus on Windows Server 2016](../microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md)
|
||||
|
||||
#### [Antivirus compatibility]()
|
||||
##### [Compatibility charts](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
|
||||
##### [Use limited periodic antivirus scanning](../microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md)
|
||||
|
||||
#### [Deploy, manage updates, and report on antivirus]()
|
||||
##### [Using Microsoft Defender Antivirus](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
|
||||
|
||||
##### [Deploy and enable antivirus]()
|
||||
###### [Preparing to deploy](../microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md)
|
||||
###### [Deployment guide for VDI environments](../microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md)
|
||||
|
||||
##### [Report on antivirus protection]()
|
||||
###### [Review protection status and aqlerts](../microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
|
||||
###### [Troubleshoot antivirus reporting in Update Compliance](../microsoft-defender-antivirus/troubleshoot-reporting.md)
|
||||
|
||||
##### [Manage updates and apply baselines]()
|
||||
###### [Learn about the different kinds of updates](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
|
||||
###### [Manage protection and Security intelligence updates](../microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
|
||||
###### [Manage when protection updates should be downloaded and applied](../microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
|
||||
###### [Manage updates for endpoints that are out of date](../microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)
|
||||
###### [Manage event-based forced updates](../microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md)
|
||||
###### [Manage updates for mobile devices and VMs](../microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
|
||||
|
||||
#### [Customize, initiate, and review the results of scans and remediation]()
|
||||
##### [Configuration overview](../microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
|
||||
|
||||
##### [Configure and validate exclusions in antivirus scans]()
|
||||
###### [Exclusions overview](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
|
||||
###### [Configure and validate exclusions based on file name, extension, and folder location](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
|
||||
###### [Configure and validate exclusions for files opened by processes](../microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
|
||||
###### [Configure antivirus exclusions Windows Server 2016](../microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
|
||||
|
||||
##### [Configure antivirus scanning options](../microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
|
||||
##### [Configure remediation for scans](../microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
|
||||
##### [Configure scheduled scans](../microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
|
||||
##### [Configure and run scans](../microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
|
||||
##### [Review scan results](../microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
|
||||
##### [Run and review the results of an offline scan](../microsoft-defender-antivirus/windows-defender-offline.md)
|
||||
|
||||
#### [Restore quarantined files](../microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
|
||||
|
||||
#### [Manage antivirus in your business]()
|
||||
##### [Management overview](../microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
|
||||
##### [Use Group Policy settings to configure and manage antivirus](../microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
|
||||
##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](../microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
|
||||
##### [Use PowerShell cmdlets to configure and manage antivirus](../microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
|
||||
##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](../microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
|
||||
##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](../microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
|
||||
|
||||
#### [Manage scans and remediation]()
|
||||
##### [Management overview](../microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
|
||||
|
||||
##### [Configure and validate exclusions in antivirus scans]()
|
||||
###### [Exclusions overview](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
|
||||
###### [Configure and validate exclusions based on file name, extension, and folder location](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
|
||||
###### [Configure and validate exclusions for files opened by processes](../microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
|
||||
###### [Configure antivirus exclusions on Windows Server 2016](../microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
|
||||
|
||||
##### [Configure scanning options](../microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
|
||||
##### [Configure remediation for scans](../microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
|
||||
##### [Configure scheduled scans](../microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
|
||||
##### [Configure and run scans](../microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
|
||||
##### [Review scan results](../microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
|
||||
##### [Run and review the results of an offline scan](../microsoft-defender-antivirus/windows-defender-offline.md)
|
||||
##### [Restore quarantined files](../microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
|
||||
|
||||
#### [Manage next generation protection in your business]()
|
||||
##### [Management overview](../microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
|
||||
##### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](../microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
|
||||
##### [Use Group Policy settings to manage next generation protection](../microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
|
||||
##### [Use PowerShell cmdlets to manage next generation protection](../microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
|
||||
##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](../microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
|
||||
##### [Use the mpcmdrun.exe command line tool to manage next generation protection](../microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
|
||||
|
||||
|
||||
|
||||
### [Configure and manage Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md)
|
||||
|
||||
|
||||
### [Endpoint detection and response management and API support]()
|
||||
|
||||
#### [Onboard machines]()
|
||||
##### [Onboarding overview](onboard-configure.md)
|
||||
##### [Onboard previous versions of Windows](onboard-downlevel.md)
|
||||
|
||||
##### [Onboard Windows 10 machines]()
|
||||
###### [Ways to onboard](configure-endpoints.md)
|
||||
###### [Onboard machines using Group Policy](configure-endpoints-gp.md)
|
||||
###### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm.md)
|
||||
|
||||
###### [Onboard machines using Mobile Device Management tools]()
|
||||
####### [Overview](configure-endpoints-mdm.md)
|
||||
####### [Onboard machines using Microsoft Intune](configure-endpoints-mdm.md#onboard-machines-using-microsoft-intune)
|
||||
###### [Onboard machines using a local script](configure-endpoints-script.md)
|
||||
###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md)
|
||||
|
||||
##### [Onboard servers](configure-server-endpoints.md)
|
||||
##### [Onboard non-Windows machines](configure-endpoints-non-windows.md)
|
||||
##### [Onboard machines without Internet access](onboard-offline-machines.md)
|
||||
##### [Run a detection test on a newly onboarded machine](run-detection-test.md)
|
||||
##### [Run simulated attacks on machines](attack-simulations.md)
|
||||
##### [Configure proxy and Internet connectivity settings](configure-proxy-internet.md)
|
||||
|
||||
##### [Troubleshoot onboarding issues]()
|
||||
###### [Troubleshooting basics](troubleshoot-onboarding.md)
|
||||
###### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages.md)
|
||||
|
||||
#### [Microsoft Defender ATP API]()
|
||||
##### [Understand Microsoft Defender ATP APIs](use-apis.md)
|
||||
##### [Microsoft Defender ATP API license and terms](api-terms-of-use.md)
|
||||
|
||||
##### [Get started]()
|
||||
###### [Introduction](apis-intro.md)
|
||||
###### [Hello World](api-hello-world.md)
|
||||
###### [Get access with application context](exposed-apis-create-app-webapp.md)
|
||||
###### [Get access with user context](exposed-apis-create-app-nativeapp.md)
|
||||
###### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
|
||||
|
||||
##### [APIs]()
|
||||
###### [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
|
||||
###### [Common REST API error codes](common-errors.md)
|
||||
###### [Advanced Hunting](run-advanced-query-api.md)
|
||||
|
||||
###### [Alert]()
|
||||
####### [Methods, properties, and JSON representation](alerts.md)
|
||||
####### [List alerts](get-alerts.md)
|
||||
####### [Create alert](create-alert-by-reference.md)
|
||||
####### [Update Alert](update-alert.md)
|
||||
####### [Get alert information by ID](get-alert-info-by-id.md)
|
||||
####### [Get alert related domains information](get-alert-related-domain-info.md)
|
||||
####### [Get alert related file information](get-alert-related-files-info.md)
|
||||
####### [Get alert related IPs information](get-alert-related-ip-info.md)
|
||||
####### [Get alert related machine information](get-alert-related-machine-info.md)
|
||||
####### [Get alert related user information](get-alert-related-user-info.md)
|
||||
|
||||
###### [Machine]()
|
||||
####### [Methods and properties](machine.md)
|
||||
####### [List machines](get-machines.md)
|
||||
####### [Get machine by ID](get-machine-by-id.md)
|
||||
####### [Get machine log on users](get-machine-log-on-users.md)
|
||||
####### [Get machine related alerts](get-machine-related-alerts.md)
|
||||
####### [Add or Remove machine tags](add-or-remove-machine-tags.md)
|
||||
####### [Find machines by IP](find-machines-by-ip.md)
|
||||
|
||||
###### [Machine Action]()
|
||||
####### [Methods and properties](machineaction.md)
|
||||
####### [List Machine Actions](get-machineactions-collection.md)
|
||||
####### [Get Machine Action](get-machineaction-object.md)
|
||||
####### [Collect investigation package](collect-investigation-package.md)
|
||||
####### [Get investigation package SAS URI](get-package-sas-uri.md)
|
||||
####### [Isolate machine](isolate-machine.md)
|
||||
####### [Release machine from isolation](unisolate-machine.md)
|
||||
####### [Restrict app execution](restrict-code-execution.md)
|
||||
####### [Remove app restriction](unrestrict-code-execution.md)
|
||||
####### [Run antivirus scan](run-av-scan.md)
|
||||
####### [Offboard machine](offboard-machine-api.md)
|
||||
####### [Stop and quarantine file](stop-and-quarantine-file.md)
|
||||
|
||||
###### [Automated Investigation]()
|
||||
####### [Investigation methods and properties](microsoft-defender-atp/investigation.md)
|
||||
####### [List Investigation](microsoft-defender-atp/get-investigation-collection.md)
|
||||
####### [Get Investigation](microsoft-defender-atp/get-investigation-object.md)
|
||||
####### [Start Investigation](microsoft-defender-atp/initiate-autoir-investigation.md)
|
||||
|
||||
###### [Indicators]()
|
||||
####### [Methods and properties](ti-indicator.md)
|
||||
####### [Submit Indicator](post-ti-indicator.md)
|
||||
####### [List Indicators](get-ti-indicators-collection.md)
|
||||
####### [Delete Indicator](delete-ti-indicator-by-id.md)
|
||||
|
||||
###### [Domain]()
|
||||
####### [Get domain related alerts](get-domain-related-alerts.md)
|
||||
####### [Get domain related machines](get-domain-related-machines.md)
|
||||
####### [Get domain statistics](get-domain-statistics.md)
|
||||
|
||||
###### [File]()
|
||||
####### [Methods and properties](files.md)
|
||||
####### [Get file information](get-file-information.md)
|
||||
####### [Get file related alerts](get-file-related-alerts.md)
|
||||
####### [Get file related machines](get-file-related-machines.md)
|
||||
####### [Get file statistics](get-file-statistics.md)
|
||||
|
||||
###### [IP]()
|
||||
####### [Get IP related alerts](get-ip-related-alerts.md)
|
||||
####### [Get IP statistics](get-ip-statistics.md)
|
||||
|
||||
###### [User]()
|
||||
####### [Methods](user.md)
|
||||
####### [Get user related alerts](get-user-related-alerts.md)
|
||||
####### [Get user related machines](get-user-related-machines.md)
|
||||
|
||||
##### [How to use APIs - Samples]()
|
||||
###### [Microsoft Flow](api-microsoft-flow.md)
|
||||
###### [Power BI](api-power-bi.md)
|
||||
###### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
|
||||
###### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
|
||||
###### [Using OData Queries](exposed-apis-odata-samples.md)
|
||||
|
||||
#### [API for custom alerts]()
|
||||
##### [Enable the custom threat intelligence application](enable-custom-ti.md)
|
||||
##### [Use the threat intelligence API to create custom alerts](use-custom-ti.md)
|
||||
##### [Create custom threat intelligence alerts](custom-ti-api.md)
|
||||
##### [PowerShell code examples](powershell-example-code.md)
|
||||
##### [Python code examples](python-example-code.md)
|
||||
##### [Experiment with custom threat intelligence alerts](experiment-custom-ti.md)
|
||||
##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md)
|
||||
|
||||
#### [Pull Detections to your SIEM tools]()
|
||||
##### [Learn about different ways to pull Detections](configure-siem.md)
|
||||
##### [Enable SIEM integration](enable-siem-integration.md)
|
||||
##### [Configure Splunk to pull Detections](configure-splunk.md)
|
||||
##### [Configure HP ArcSight to pull Detections](configure-arcsight.md)
|
||||
##### [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
|
||||
##### [Pull Detections using SIEM REST API](pull-alerts-using-rest-api.md)
|
||||
##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
|
||||
|
||||
#### [Reporting]()
|
||||
##### [Create and build Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
|
||||
##### [Threat protection reports](threat-protection-reports.md)
|
||||
##### [Machine health and compliance reports](machine-reports.md)
|
||||
|
||||
#### [Interoperability]()
|
||||
##### [Partner applications](partner-applications.md)
|
||||
|
||||
#### [Manage machine configuration]()
|
||||
##### [Ensure your machines are configured properly](configure-machines.md)
|
||||
##### [Monitor and increase machine onboarding](configure-machines-onboarding.md)
|
||||
##### [Increase compliance to the security baseline](configure-machines-security-baseline.md)
|
||||
##### [Optimize ASR rule deployment and detections](configure-machines-asr.md)
|
||||
|
||||
#### [Role-based access control]()
|
||||
|
||||
##### [Manage portal access using RBAC]()
|
||||
###### [Using RBAC](rbac.md)
|
||||
###### [Create and manage roles](user-roles.md)
|
||||
|
||||
###### [Create and manage machine groups]()
|
||||
####### [Using machine groups](machine-groups.md)
|
||||
####### [Create and manage machine tags](machine-tags.md)
|
||||
|
||||
#### [Configure managed security service provider (MSSP) support](configure-mssp-support.md)
|
||||
|
||||
|
||||
### [Configure Microsoft threat protection integration]()
|
||||
#### [Configure Conditional Access](configure-conditional-access.md)
|
||||
#### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md)
|
||||
#### [Configure information protection in Windows](information-protection-in-windows-config.md)
|
||||
|
||||
|
||||
### [Configure portal settings]()
|
||||
#### [Set up preferences](preferences-setup.md)
|
||||
|
||||
#### [General]()
|
||||
##### [Update data retention settings](data-retention-settings.md)
|
||||
##### [Configure alert notifications](configure-email-notifications.md)
|
||||
##### [Enable and create Power BI reports using Windows Security app data](powerbi-reports.md)
|
||||
##### [Configure advanced features](advanced-features.md)
|
||||
|
||||
#### [Permissions]()
|
||||
##### [Use basic permissions to access the portal](basic-permissions.md)
|
||||
##### [Manage portal access using RBAC](rbac.md)
|
||||
###### [Create and manage roles](user-roles.md)
|
||||
###### [Create and manage machine groups](machine-groups.md)
|
||||
####### [Create and manage machine tags](machine-tags.md)
|
||||
|
||||
#### [APIs]()
|
||||
##### [Enable Threat intel](enable-custom-ti.md)
|
||||
##### [Enable SIEM integration](enable-siem-integration.md)
|
||||
|
||||
#### [Rules]()
|
||||
##### [Manage suppression rules](manage-suppression-rules.md)
|
||||
##### [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md)
|
||||
##### [Manage indicators](manage-indicators.md)
|
||||
##### [Manage automation file uploads](manage-automation-file-uploads.md)
|
||||
##### [Manage automation folder exclusions](manage-automation-folder-exclusions.md)
|
||||
|
||||
#### [Machine management]()
|
||||
##### [Onboarding machines](onboard-configure.md)
|
||||
##### [Offboarding machines](offboard-machines.md)
|
||||
|
||||
#### [Configure time zone settings](time-settings.md)
|
||||
|
||||
|
||||
|
||||
## [Troubleshoot Microsoft Defender ATP]()
|
||||
|
||||
### [Troubleshoot sensor state]()
|
||||
#### [Check sensor state](check-sensor-status.md)
|
||||
#### [Fix unhealthy sensors](fix-unhealthy-sensors.md)
|
||||
#### [Inactive machines](fix-unhealthy-sensors.md#inactive-machines)
|
||||
#### [Misconfigured machines](fix-unhealthy-sensors.md#misconfigured-machines)
|
||||
#### [Review sensor events and errors on machines with Event Viewer](event-error-codes.md)
|
||||
|
||||
|
||||
### [Troubleshoot service issues]()
|
||||
#### [Troubleshooting issues](troubleshoot-mdatp.md)
|
||||
#### [Check service health](service-status.md)
|
||||
|
||||
|
||||
### [Troubleshoot attack surface reduction issues]()
|
||||
#### [Network protection](../windows-defender-exploit-guard/troubleshoot-np.md)
|
||||
#### [Attack surface reduction rules](../windows-defender-exploit-guard/troubleshoot-asr.md)
|
||||
#### [Collect diagnostic data for files](../windows-defender-exploit-guard/troubleshoot-np.md)
|
||||
|
||||
|
||||
### [Troubleshoot next generation protection issues](../microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
|
||||
@ -49,7 +49,7 @@ Before trying out this feature, make sure you have the following:
|
||||
- Windows 10 Enterprise E5 license
|
||||
- Access to Microsoft Defender Security Center portal
|
||||
- Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update.
|
||||
Note that if SmartScreen is not turned on, Network Protection will take over the blocking.
|
||||
Note that if SmartScreen is not turned on, Network Protection will take over the blocking. This requires enabling Network Protection [on the device](enable-network-protection.md).
|
||||
|
||||
## Data handling
|
||||
|
||||
|
||||
@ -27,6 +27,7 @@ The SCT enables administrators to effectively manage their enterprise’s Group
|
||||
The Security Compliance Toolkit consists of:
|
||||
|
||||
- Windows 10 security baselines
|
||||
- Windows 10 Version 2004 (May 2020 Update)
|
||||
- Windows 10 Version 1909 (November 2019 Update)
|
||||
- Windows 10 Version 1903 (May 2019 Update)
|
||||
- Windows 10 Version 1809 (October 2018 Update)
|
||||
@ -80,63 +81,3 @@ It can export local policy to a GPO backup.
|
||||
It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
|
||||
|
||||
Documentation for the LGPO tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/lgpo-exe-local-group-policy-object-utility-v1-0/ba-p/701045) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
|
||||
|
||||
## List of PowerShell scripts
|
||||
|
||||
This list of PowerShell script names, divided into categories by the name of the ZIP file containing those scripts, is based on the download page content listing of the full package download (12 files).
|
||||
|
||||
1. **Windows 10 Version 1909 and Windows Server Version 1909 Security Baseline.zip**
|
||||
|
||||
- Baseline-ADImport.ps1
|
||||
- Baseline-LocalInstall.ps1
|
||||
- Remove-EPBaselineSettings.ps1
|
||||
- MapGuidsToGpoNames.ps1
|
||||
|
||||
2. **LGPO.zip**
|
||||
- (none)
|
||||
|
||||
3. **Microsoft Edge v80.zip**
|
||||
|
||||
- Baseline-ADImport.ps1
|
||||
- Baseline-LocalInstall.ps1
|
||||
- MapGuidsToGpoNames.ps1
|
||||
|
||||
4. **Office365-ProPlus-Sept2019-FINAL.zip**
|
||||
|
||||
- Baseline-ADImport.ps1
|
||||
- Baseline-LocalInstall.ps1
|
||||
- MapGuidsToGpoNames.ps1
|
||||
|
||||
5. **PolicyAnalyzer.zip**
|
||||
|
||||
- Merge-PolicyRules.ps1
|
||||
- Split-PolicyRules.ps1
|
||||
|
||||
6. **Windows 10 Version 1507 Security Baseline.zip**
|
||||
- (none)
|
||||
|
||||
7. **Windows 10 Version 1607 and Windows Server 2016 Security Baseline.zip**
|
||||
|
||||
- MapGuidsToGpoNames.ps1
|
||||
|
||||
8. **Windows 10 Version 1709 Security Baseline.zip**
|
||||
|
||||
- MapGuidsToGpoNames.ps1
|
||||
|
||||
9. **Windows 10 Version 1803 Security Baseline.zip**
|
||||
|
||||
- MapGuidsToGpoNames.ps1
|
||||
|
||||
10. **Windows 10 Version 1809 and Windows Server 2019 Security Baseline.zip**
|
||||
|
||||
- BaselineLocalInstall.ps1
|
||||
- MapGuidsToGpoNames.ps1
|
||||
|
||||
11. **Windows 10 Version 1903 and Windows Server Version 1903 Security Baseline - Sept2019Update.zip**
|
||||
|
||||
- Baseline-ADImport.ps1
|
||||
- Baseline-LocalInstall.ps1
|
||||
- MapGuidsToGpoNames.ps1
|
||||
|
||||
12. **Windows Server 2012 R2 Security Baseline.zip**
|
||||
- (none)
|
||||
|
||||
@ -22,7 +22,7 @@ ms.date: 06/13/2018
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016 and above
|
||||
- Windows Server 2019
|
||||
|
||||
Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Application Control (WDAC).
|
||||
This is especially true for enterprises with large, ever changing software catalogs.
|
||||
@ -36,7 +36,7 @@ A managed installer uses a new rule collection in AppLocker to specify one or mo
|
||||
Specifying an executable as a managed installer will cause Windows to tag files that are written from the executable’s process (or processes it launches) as having originated from a trusted installation authority. The Managed Installer rule collection is currently supported for AppLocker rules in Group Policy and in Configuration Manager, but not in the AppLocker CSP for OMA-URI policies.
|
||||
|
||||
Once the IT administrator adds the Allow: Managed Installer option to a WDAC policy, the WDAC component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy.
|
||||
If there are no deny rules present for the file, it will be authorized based on the managed installer origin information.+
|
||||
If there are no deny rules present for the file, it will be authorized based on the managed installer origin information.
|
||||
|
||||
Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer.
|
||||
Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps.
|
||||
@ -46,9 +46,9 @@ Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExampleP
|
||||
Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy with specific rules and options enabled.
|
||||
There are three primary steps to keep in mind:
|
||||
|
||||
- Specify managed installers using the Managed Installer rule collection in AppLocker policy
|
||||
- Enable service enforcement in AppLocker policy
|
||||
- Enable the managed installer option in a WDAC policy
|
||||
- Specify managed installers by using the Managed Installer rule collection in AppLocker policy.
|
||||
- Enable service enforcement in AppLocker policy.
|
||||
- Enable the managed installer option in a WDAC policy.
|
||||
|
||||
### Specify managed installers using the Managed Installer rule collection in AppLocker policy
|
||||
|
||||
@ -60,7 +60,7 @@ For more information about creating an AppLocker policy that includes a managed
|
||||
As mentioned above, the AppLocker CSP for OMA-URI policies does not currently support the Managed Installer rule collection or the Service Enforcement rule extensions mentioned below.
|
||||
|
||||
|
||||
```code
|
||||
```xml
|
||||
<RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
|
||||
<FilePublisherRule Id="6cc9a840-b0fd-4f86-aca7-8424a22b4b93" Name="CMM - CCMEXEC.EXE, 5.0.0.0+, Microsoft signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
|
||||
<Conditions>
|
||||
@ -82,10 +82,10 @@ As mentioned above, the AppLocker CSP for OMA-URI policies does not currently su
|
||||
## Enable service enforcement in AppLocker policy
|
||||
|
||||
Since many installation processes rely on services, it is typically necessary to enable tracking of services.
|
||||
Correct tracking of services requires the presence of at least one rule in the rule collection – a simple audit only rule will suffice.
|
||||
Correct tracking of services requires the presence of at least one rule in the rule collection — a simple audit only rule will suffice.
|
||||
For example:
|
||||
|
||||
```code
|
||||
```xml
|
||||
<RuleCollection Type="Dll" EnforcementMode="AuditOnly" >
|
||||
<FilePathRule Id="86f235ad-3f7b-4121-bc95-ea8bde3a5db5" Name="Dummy Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
|
||||
<Conditions>
|
||||
@ -124,7 +124,7 @@ In order to enable trust for the binaries laid down by managed installers, the E
|
||||
This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption).
|
||||
An example of the managed installer option being set in policy is shown below.
|
||||
|
||||
```code
|
||||
```xml
|
||||
<Rules>
|
||||
<Rule>
|
||||
<Option>Enabled:Unsigned System Integrity Policy</Option>
|
||||
@ -149,7 +149,7 @@ An example of the managed installer option being set in policy is shown below.
|
||||
To enable the managed installer, you need to set the AppLocker filter driver to autostart and start it.
|
||||
Run the following command as an Administrator:
|
||||
|
||||
```code
|
||||
```console
|
||||
appidtel.exe start [-mionly]
|
||||
```
|
||||
|
||||
|
||||
Reference in New Issue
Block a user