deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 15:27:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into endpoint-manager

Browse Source
This commit is contained in:
Joey Caparas 2020-08-11 12:14:43 -07:00
commit 88db8849d1
21 changed files with 221 additions and 152 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.json
View File

@ -1030,6 +1030,11 @@
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table",

25
windows/client-management/mdm/defender-csp.md
View File

@ -10,11 +10,14 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 10/21/2019
ms.date: 08/11/2020
---
# Defender CSP
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
The following image shows the Windows Defender configuration service provider in tree format.
@ -399,6 +402,26 @@ Valid values are:
- 1 Enable.
- 0 (default) Disable.
<a href="" id="configuration-supportloglocation"></a>**Configuration/SupportLogLocation**
The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (MpCmdRun.exe) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise.
Data type is string.
Supported operations are Add, Delete, Get, Replace.
Intune Support log location setting UX supports three states:
- Not configured (default) - Does not have any impact on the default state of the device.
- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path.
- 0 - Disabled. Turns off the Support log location feature.
When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
More details:
- [Microsoft Defender AV diagnostic data](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
- [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices)
<a href="" id="scan"></a>**Scan**
Node that can be used to start a Windows Defender scan on a device.

1
windows/security/threat-protection/TOC.md
View File

@ -296,6 +296,7 @@
#### [Devices list]()
##### [View and organize the Devices list](microsoft-defender-atp/machines-view-overview.md)
##### [Device timeline event flags](microsoft-defender-atp/device-timeline-event-flag.md)
##### [Manage device group and tags](microsoft-defender-atp/machine-tags.md)
#### [Take response actions]()

53
windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
View File

@ -1,53 +0,0 @@
---
title: Configure Threat & Vulnerability Management in Microsoft Defender ATP
ms.reviewer:
description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft Endpoint Configuration Manager integrations.
keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM
search.product: Windows 10
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Configure Threat & Vulnerability Management
**Applies to:**
- [Microsoft Defender Advanced Threat Protection Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft Endpoint Configuration Manager for a seamless collaboration of issue remediation.
### Before you begin
> [!IMPORTANT]
> Threat & Vulnerability Management data currently supports Windows 10 devices. Upgrade to Windows 10 to account for the rest of your devices threat and vulnerability exposure data.</br>
Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft Endpoint Configuration Manager.
>[!WARNING]
>Only Intune and Microsoft Endpoint Configuration Manager enrolled devices are supported in this scenario.</br>
>Use any of the following options to enroll devices in Intune:
>- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
>- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school)
>- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup).
## Related topics
- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

44
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
View File

@ -55,13 +55,13 @@ The following steps will guide you through onboarding VDI devices and will highl
1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Onboarding**.
1. In the navigation pane, select **Settings** > **Onboarding**.
b. Select Windows 10 as the operating system.
1. Select Windows 10 as the operating system.
c. In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**.
1. In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**.
d. Click **Download package** and save the .zip file.
1. Click **Download package** and save the .zip file.
2. Copy the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`.
@ -69,34 +69,38 @@ The following steps will guide you through onboarding VDI devices and will highl
>If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
3. The following step is only applicable if you're implementing a single entry for each device: <br>
**For single entry for each device**:<br>
a. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. <br>
**For single entry for each device**:
>[!NOTE]
>If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
1. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` and `WindowsDefenderATPOnboardingScript.cmd` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. <br>
> [!NOTE]
> If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
>[!NOTE]
>Domain Group Policy may also be used for onboarding non-persistent VDI devices.
> [!NOTE]
> Domain Group Policy may also be used for onboarding non-persistent VDI devices.
5. Depending on the method you'd like to implement, follow the appropriate steps: <br>
**For single entry for each device**:<br>
Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. <br><br>
**For multiple entries for each device**:<br>
Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`.
**For multiple entries for each device**:
Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`.
6. Test your solution:
a. Create a pool with one device.
1. Create a pool with one device.
b. Logon to device.
1. Logon to device.
c. Logoff from device.
1. Logoff from device.
d. Logon to device with another user.
1. Logon to device with another user.
e. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.<br>
1. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.<br>
**For multiple entries for each device**: Check multiple entries in Microsoft Defender Security Center.
7. Click **Devices list** on the Navigation pane.
@ -107,7 +111,7 @@ The following steps will guide you through onboarding VDI devices and will highl
As a best practice, we recommend using offline servicing tools to patch golden/master images.<br>
For example, you can use the below commands to install an update while the image remains offline:
```
```console
DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"
DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"
DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit
@ -124,7 +128,7 @@ If offline servicing is not a viable option for your non-persistent VDI environm
2. Ensure the sensor is stopped by running the command below in a CMD window:
```
```console
sc query sense
```
@ -132,7 +136,7 @@ If offline servicing is not a viable option for your non-persistent VDI environm
4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumulated since boot:
```
```console
PsExec.exe -s cmd.exe
cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"
del *.* /f /s /q

45
windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md Normal file
View File

@ -0,0 +1,45 @@
---
title: Microsoft Defender ATP device timeline event flags
description: Use Microsoft Defender ATP device timeline event flags to
keywords: Defender ATP device timeline, event flags
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Microsoft Defender ATP device timeline event flags
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Event flags in the Microsoft Defender ATP device timeline help you filter and organize specific events when you're investigate potential attacks.
TheMicrosoft Defender ATP device timelineprovides a chronological view of the events and associated alerts observed on a device. This list of events provides full visibility into any events, files, and IP addresses observed on the device. The list can sometimes be lengthy. Device timeline event flags help you track events that could be related.
After you've gone through a device timeline, you can sort, filter, and export the specific events that you flagged.
While navigating the device timeline, you can search and filter for specific events. You can set event flags by:
- Highlighting the most important events
- Marking events that requires deep dive
- Building a clean breach timeline
## Flag an event
1. Find the event that you want to flag
2. Click the flag icon in the Flag column.
![Image of device timeline flag](images/device-flags.png)
## View flagged events
1. In the timeline **Filters** section, enable **Flagged events**.
2. Click **Apply**. Only flagged events are displayed.
You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event.
![Image of device timeline flag with filter on](images/device-flag-filter.png)

BIN
windows/security/threat-protection/microsoft-defender-atp/images/device-flag-filter.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 78 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/device-flags.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 52 KiB

23
windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
View File

@ -20,10 +20,8 @@ ms.topic: conceptual
# Intune-based deployment for Microsoft Defender ATP for Mac
> [!NOTE]
> This documentation explains the legacy method for deploying and configuring Microsoft Defender ATP on macOS devices. The native experience is now available in the MEM console. The release of the native UI in the MEM console provide admins with a much simpler way to configure and dfeploy the application and send it down to macOS devices.
> This blog post explains the new features: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-simplifies-deployment-of-microsoft/ba-p/1322995
> To configure the app go here: https://docs.microsoft.com/mem/intune/protect/antivirus-microsoft-defender-settings-macos
> To deploy the app go here: https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos
> This documentation explains the legacy method for deploying and configuring Microsoft Defender ATP on macOS devices. The native experience is now available in the MEM console. The release of the native UI in the MEM console provide admins with a much simpler way to configure and deploy the application and send it down to macOS devices. <br> <br>
>The blog post [MEM simplifies deployment of Microsoft Defender ATP for macOS](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-simplifies-deployment-of-microsoft/ba-p/1322995) explains the new features. To configure the app, go to [Settings for Microsoft Defender ATP for Mac in Microsoft InTune](https://docs.microsoft.com/mem/intune/protect/antivirus-microsoft-defender-settings-macos). To deploy the app, go to [Add Microsoft Defender ATP to macOS devices using Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos).
**Applies to:**
@ -66,15 +64,24 @@ Download the installation and onboarding packages from Microsoft Defender Securi
4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
6. From a command prompt, verify that you have the three files.
Extract the contents of the .zip files:
```bash
ls -l
```
```Output
total 721688
-rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil
-rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
```
7. Extract the contents of the .zip files:
```bash
unzip WindowsDefenderATPOnboardingPackage.zip
```
```Output
Archive: WindowsDefenderATPOnboardingPackage.zip
warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
inflating: intune/kext.xml
@ -82,16 +89,18 @@ Download the installation and onboarding packages from Microsoft Defender Securi
inflating: jamf/WindowsDefenderATPOnboarding.plist
```
7. Make IntuneAppUtil an executable:
8. Make IntuneAppUtil an executable:
```bash
chmod +x IntuneAppUtil
```
8. Create the wdav.pkg.intunemac package from wdav.pkg:
9. Create the wdav.pkg.intunemac package from wdav.pkg:
```bash
./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
```
```Output
Microsoft Intune Application Utility for Mac OS X
Version: 1.0.0.0
Copyright 2018 Microsoft Corporation

18
windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
View File

@ -24,7 +24,7 @@ ms.date: 04/10/2020
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps:
This article describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps:
1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
1. [Create JAMF policies](#create-jamf-policies)
@ -64,14 +64,22 @@ Download the installation and onboarding packages from Microsoft Defender Securi
3. Select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
5. From the command prompt, verify that you have the two files.
```bash
ls -l
```
```Output
total 721160
-rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
```
6. Extract the contents of the .zip files like so:
```bash
unzip WindowsDefenderATPOnboardingPackage.zip
```
```Output
Archive: WindowsDefenderATPOnboardingPackage.zip
warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
inflating: intune/kext.xml
@ -283,6 +291,9 @@ You can monitor policy installation on a device by following the JAMF log file:
```bash
tail -f /var/log/jamf.log
```
```Output
Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found.
Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"...
Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV
@ -296,6 +307,9 @@ You can also check the onboarding status:
```bash
mdatp --health
```
```Output
...
licensed : true
orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45"

2
windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
View File

@ -748,6 +748,8 @@ The property list must be a valid *.plist* file. This can be checked by executin
```bash
plutil -lint com.microsoft.wdav.plist
```
```Output
com.microsoft.wdav.plist: OK
```

16
windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
View File

@ -31,6 +31,9 @@ If you can reproduce a problem, increase the logging level, run the system for s
```bash
mdatp --log-level verbose
```
```Output
Creating connection to daemon
Connection established
Operation succeeded
@ -42,6 +45,8 @@ If you can reproduce a problem, increase the logging level, run the system for s
```bash
sudo mdatp --diagnostic --create
```
```Output
Creating connection to daemon
Connection established
```
@ -50,6 +55,8 @@ If you can reproduce a problem, increase the logging level, run the system for s
```bash
mdatp --log-level info
```
```Output
Creating connection to daemon
Connection established
Operation succeeded
@ -105,7 +112,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
To enable autocompletion in `Bash`, run the following command and restart the Terminal session:
```bash
$ echo "source /Applications/Microsoft\ Defender\ ATP.app/Contents/Resources/Tools/mdatp_completion.bash" >> ~/.bash_profile
echo "source /Applications/Microsoft\ Defender\ ATP.app/Contents/Resources/Tools/mdatp_completion.bash" >> ~/.bash_profile
```
To enable autocompletion in `zsh`:
@ -113,20 +120,21 @@ To enable autocompletion in `zsh`:
- Check whether autocompletion is enabled on your device:
```zsh
$ cat ~/.zshrc | grep autoload
cat ~/.zshrc | grep autoload
```
- If the above command does not produce any output, you can enable autocompletion using the following command:
```zsh
$ echo "autoload -Uz compinit && compinit" >> ~/.zshrc
echo "autoload -Uz compinit && compinit" >> ~/.zshrc
```
- Run the following command to enable autocompletion for Microsoft Defender ATP for Mac and restart the Terminal session:
```zsh
sudo mkdir -p /usr/local/share/zsh/site-functions
```
```zsh
sudo ln -svf "/Applications/Microsoft Defender ATP.app/Contents/Resources/Tools/mdatp_completion.zsh" /usr/local/share/zsh/site-functions/_mdatp
```

2
windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
View File

@ -70,6 +70,8 @@ While you can start a threat scan at any time with Microsoft Defender ATP, your
```bash
launchctl load /Library/LaunchDaemons/<your file name.plist>
```
```bash
launchctl start <your file name>
```

6
windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
View File

@ -31,7 +31,8 @@ While we do not display an exact error to the end user, we keep a log file with
```bash
sed -n 'H; /^preinstall com.microsoft.wdav begin/h; ${g;p;}' /Library/Logs/Microsoft/mdatp/install.log
```
```Output
preinstall com.microsoft.wdav begin [2020-03-11 13:08:49 -0700] 804
INSTALLER_SECURE_TEMP=/Library/InstallerSandboxes/.PKInstallSandboxManager/CB509765-70FC-4679-866D-8A14AD3F13CC.activeSandbox/89FA879B-971B-42BF-B4EA-7F5BB7CB5695
correlation id=CB509765-70FC-4679-866D-8A14AD3F13CC
@ -49,6 +50,7 @@ You can verify that an installation happened and analyze possible errors by quer
```bash
grep '^2020-03-11 13:08' /var/log/install.log
```
```Output
log show --start '2020-03-11 13:00:00' --end '2020-03-11 13:08:50' --info --debug --source --predicate 'processImagePath CONTAINS[C] "install"' --style syslog
```

38
windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
View File

@ -23,18 +23,20 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
This topic provides information on how to troubleshoot issues with the kernel extension that is installed as part of Microsoft Defender ATP for Mac.
This article provides information on how to troubleshoot issues with the kernel extension that is installed as part of Microsoft Defender ATP for Mac.
Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to be explicitly approved before they are allowed to run on the device.
If you did not approve the kernel extension during the deployment / installation of Microsoft Defender ATP for Mac, then the application displays a banner prompting you to enable it:
If you did not approve the kernel extension during the deployment/installation of Microsoft Defender ATP for Mac, the application displays a banner prompting you to enable it:
![RTP disabled screenshot](../microsoft-defender-antivirus/images/MDATP-32-Main-App-Fix.png)
You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This is an indication that the kernel extension is not approved to run on your device.
You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device.
```bash
mdatp --health
```
```Output
...
realTimeProtectionAvailable : false
realTimeProtectionEnabled : true
@ -60,10 +62,13 @@ If you don't see this prompt, it means that 30 or more minutes have passed, and
In this case, you need to perform the following steps to trigger the approval flow again.
1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension was not approved to run on the device, however it will trigger the approval flow again.
1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension was not approved to run on the device. However, it will trigger the approval flow again.
```bash
sudo kextutil /Library/Extensions/wdavkext.kext
```
```Output
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Diagnostics for /Library/Extensions/wdavkext.kext:
@ -75,16 +80,19 @@ In this case, you need to perform the following steps to trigger the approval fl
4. In Terminal, install the driver again. This time the operation will succeed:
```bash
sudo kextutil /Library/Extensions/wdavkext.kext
```
```bash
sudo kextutil /Library/Extensions/wdavkext.kext
```
The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available:
The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available:
```bash
mdatp --health
...
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true
...
```
```bash
mdatp --health
```
```Output
...
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true
...
```

25
windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
View File

@ -27,19 +27,19 @@ ms.topic: conceptual
Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat and vulnerability management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
Discover vulnerabilities and misconfigurations in real time with sensors, and without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
Watch this video for a quick overview of threat and vulnerability management.
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4mLsn]
## Next-generation capabilities
## Bridging the workflow gaps
Threat and vulnerability management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base.
Threat and vulnerability management is built in, real time, and cloud powered. It's fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base.
It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft Microsoft Endpoint Configuration Manager.
Vulnerability management is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. Create a security task or ticket by integrating with Microsoft Intune and Microsoft Endpoint Configuration Manager.
It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.
It provides the following solutions to frequently cited gaps across security operations, security administration, and IT administration workflows and communication:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Linked device vulnerability and security configuration assessment data in the context of exposure discovery
@ -47,7 +47,9 @@ It provides the following solutions to frequently-cited gaps across security ope
### Real-time discovery
To discover endpoint vulnerabilities and misconfiguration, threat and vulnerability management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides:
To discover endpoint vulnerabilities and misconfiguration, threat and vulnerability management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead.
It also provides:
- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard.
- Visibility into software and vulnerabilities. Optics into the organization's software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
@ -56,10 +58,10 @@ To discover endpoint vulnerabilities and misconfiguration, threat and vulnerabil
### Intelligence-driven prioritization
Threat and vulnerability management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, threat and vulnerability management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context:
Threat and vulnerability management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, threat and vulnerability management highlights the most critical weaknesses that need attention. It fuses security recommendations with dynamic threat and business context:
- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, threat and vulnerability management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk.
- Pinpointing active breaches. Microsoft Defender ATP correlates threat and vulnerability management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization.
- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, threat and vulnerability management dynamically aligns the prioritization of its security recommendations. It focuses on vulnerabilities currently being exploited in the wild and emerging threats that pose the highest risk.
- Pinpointing active breaches. Microsoft Defender ATP correlates threat and vulnerability management and EDR insights to prioritize vulnerabilities being exploited in an active breach within the organization.
- Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows threat and vulnerability management to identify the exposed devices with business-critical applications, confidential data, or high-value users.
### Seamless remediation
@ -95,13 +97,14 @@ Ensure that your devices:
> Windows 10 Version 1809 | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
> Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
- Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version.
- Are onboarded to [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure). If you're using Configuration Manager, update your console to the latest version.
- Have at least one security recommendation that can be viewed in the device page
- Are tagged or marked as co-managed
## APIs
Run threat and vulnerability management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
Run threat and vulnerability management-related API calls to automate vulnerability management workflows. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
See the following topics for related APIs:
- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)

34
windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
View File

@ -1,6 +1,6 @@
---
title: Event timeline in threat and vulnerability management
description: Event timeline is a "risk news feed" which will help you interpret how risk is introduced into the organization and which mitigations happened to reduce it.
description: Event timeline is a "risk news feed" that helps you interpret how risk is introduced into the organization, and which mitigations happened to reduce it.
keywords: event timeline, mdatp event timeline, mdatp tvm event timeline, threat and vulnerability management, Microsoft Defender Advanced Threat Protection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -23,9 +23,7 @@ ms.topic: conceptual
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
Event timeline is a risk news feed which helps you interpret how risk, through new vulnerabilities or exploits, is introduced into the organization. You can view events which may impact your organization's risk. For example, you can find new vulnerabilities that were introduced, vulnerabilities that became exploitable, exploit that was addd to an exploit kit, and more.
Event timeline is a risk news feed that helps you interpret how risk is introduced into the organization through new vulnerabilities or exploits. You can view events that may impact your organization's risk. For example, you can find new vulnerabilities that were introduced, vulnerabilities that became exploitable, exploit that was added to an exploit kit, and more.
Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) so you can determine the cause of large changes. Reduce you exposure score by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md).
@ -34,7 +32,7 @@ Event timeline also tells the story of your [exposure score](tvm-exposure-score.
You can access Event timeline mainly through three ways:
- In the threat and vulnerability management navigation menu in the Microsoft Defender Security Center
- Top events card in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md). The highest impact events (for example, affect the most machines or critical vulnerabilities)
- Top events card in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md). The highest impact events (for example, affect the most devices or critical vulnerabilities)
- Hovering over the Exposure Score graph in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md)
### Navigation menu
@ -43,17 +41,17 @@ Go to the threat and vulnerability management navigation menu and select **Event
### Top events card
In the Tthreat and vulnerability management dashboard, the "Top events" card displays the three most impactful events in the last 7 days. Select **Show more** to go to the Event timeline page.
In the threat and vulnerability management dashboard, the "Top events" card displays the three most impactful events in the last 7 days. Select **Show more** to go to the Event timeline page.
![Event timeline page](images/tvm-top-events-card.png)
### Exposure score graph
In the threat and vulnerability management dashboard, hover over the Exposure score graph to view top events from that day that impacted your machines. If there are no events, then none will be shown.
In the threat and vulnerability management dashboard, hover over the Exposure score graph to view top events from that day that impacted your devices. If there are no events, then none will be shown.
![Event timeline page](images/tvm-event-timeline-exposure-score400.png)
Selecting **Show all events from this day** will lead you to the Event timeline page with a pre-populated custom date range for that day.
Selecting **Show all events from this day** takes you to the Event timeline page with a custom date range for that day.
![Event timeline page](images/tvm-event-timeline-drilldown.png)
@ -63,12 +61,12 @@ Select **Custom range** to change the date range to another custom one, or a pre
## Event timeline overview
On the Event timeline page, you can view the all the necesssary info related to an event.
On the Event timeline page, you can view the all the necessary info related to an event.
Features:
- Customize columns
- Filter by event type or percent of impacted machines
- Filter by event type or percent of impacted devices
- View 30, 50, or 100 items per page
The two large numbers at the top of the page show the number of new vulnerabilities and exploitable vulnerabilities, not events. Some events can have multiple vulnerabilities, and some vulnerabilities can have multiple events.
@ -76,15 +74,15 @@ The two large numbers at the top of the page show the number of new vulnerabilit
![Event timeline page](images/tvm-event-timeline-overview-mixed-type.png)
>[!NOTE]
>New configuration assessments are coming soon.
>Event type called "New configuration assessment" coming soon.
### Columns
- **Date**: month, day, year
- **Event**: impactful event, including component, type, and number of impacted machines
- **Event**: impactful event, including component, type, and number of impacted devices
- **Related component**: software
- **Originally impacted machines**: the number, and percentage, of impacted machines when this event originally occurred. You can also filter by the percent of originally impacted machines, out of your total number of machines.
- **Currently impacted machines**: the current number, and percentage, of machines that this event currently impacts. You can find this field by selecting **Customize columns**.
- **Originally impacted devices**: the number, and percentage, of impacted devices when this event originally occurred. You can also filter by the percent of originally impacted devices, out of your total number of devices.
- **Currently impacted devices**: the current number, and percentage, of devices that this event currently impacts. You can find this field by selecting **Customize columns**.
- **Types**: reflect time-stamped events that impact the score. They can be filtered.
- Exploit added to an exploit kit
- Exploit was verified
@ -103,13 +101,13 @@ The following icons show up next to events:
### Drill down to a specific event
Once you select an event, a flyout will appear listing the details and current CVEs that affect your machines. You can show more CVEs or view the related recommendation.
Once you select an event, a flyout will appear with a list of the details and current CVEs that affect your devices. You can show more CVEs or view the related recommendation.
The arrow below "score trend" helps you determine whether this event potentially raised or lowered your organizational exposure score. Higher exposure score means machines are more vulnerable to exploitation.
The arrow below "score trend" helps you determine whether this event potentially raised or lowered your organizational exposure score. Higher exposure score means devices are more vulnerable to exploitation.
![Event timeline flyout](images/tvm-event-timeline-flyout500.png)
From there, select **Go to related security recommendation** to go to the [security recommendations page](tvm-security-recommendation.md) and the recommendation that will address the new software vulnerability. After reading the description and vulnerability details in the security recommendation, you can [submit a remediation request](tvm-security-recommendation.md#request-remediation), and track the request in the [remediation page](tvm-remediation.md).
From there, select **Go to related security recommendation** view the recommendation that addresses the new software vulnerability in the [security recommendations page](tvm-security-recommendation.md). After reading the description and vulnerability details in the security recommendation, you can [submit a remediation request](tvm-security-recommendation.md#request-remediation), and track the request in the [remediation page](tvm-remediation.md).
## View Event timelines in software pages
@ -119,7 +117,7 @@ A full page will appear with all the details of a specific software. Mouse over
![Software page with an Event timeline graph](images/tvm-event-timeline-software2.png)
You can also navigate to the event timeline tab to view all the events related to that software, along with security recommendations, discovered vulnerabilities, installed machines, and version distribution.
Navigate to the event timeline tab to view all the events related to that software. You can also see security recommendations, discovered vulnerabilities, installed devices, and version distribution.
![Software page with an Event timeline tab](images/tvm-event-timeline-software-pages.png)

4
windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
View File

@ -1,6 +1,6 @@
---
title: Scenarios - threat and vulnerability management
description: Learn how threat and vulnerability management can be used to help security admins, IT admins, and SecOps collaborate in defending against security threats.
description: Learn how threat and vulnerability management can be used to help security admins, IT admins, and SecOps collaborate.
keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase Microsoft Secure Score for Devices, increase threat & vulnerability Microsoft Secure Score for Devices, Microsoft Secure Score for Devices, exposure score, security controls
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -52,7 +52,7 @@ DeviceName=any(DeviceName) by DeviceId, AlertId
## Define a device's value to the organization
Defining a devices value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation, so devices marked as “high value” will receive more weight.
Defining a devices value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation. Devices marked as “high value” will receive more weight.
Device value options:

8
windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
View File

@ -32,9 +32,9 @@ Threat and vulnerability management is a component of Microsoft Defender ATP, an
You can use the threat and vulnerability management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
- View exposure and Microsoft Secure Score for Devices side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices
- View you exposure score and Microsoft Secure Score for Devices, along with top security recommendations, software vulnerability, remediation activities, and exposed devices
- Correlate EDR insights with endpoint vulnerabilities and process them
- Select remediation options, triage and track the remediation tasks
- Select remediation options to triage and track the remediation tasks
- Select exception options and track active exceptions
> [!NOTE]
@ -57,7 +57,7 @@ Area | Description
**Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data.
[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP.
[**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions.
[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs or security updates.
[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs or security updates.
[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details.
## Threat and vulnerability management dashboard
@ -66,7 +66,7 @@ Area | Description
:---|:---
**Selected device groups (#/#)** | Filter the threat and vulnerability management data you want to see in the dashboard and cards by device groups. What you select in the filter applies throughout the threat and vulnerability management pages.
[**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
[**Microsoft Secure Score for Devices**](tvm-microsoft-secure-score-devices.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your score for devices. Selecting the bars will take you to the **Security recommendation** page.
[**Microsoft Secure Score for Devices**](tvm-microsoft-secure-score-devices.md) | See the security posture of the operating system, applications, network, accounts, and security controls of your organization. The goal is to remediate the related security configuration issues to increase your score for devices. Selecting the bars will take you to the **Security recommendation** page.
**Device exposure distribution** | See how many devices are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Devices list** page and view the affected device names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception.
**Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.

4
windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
View File

@ -27,7 +27,7 @@ ms.topic: article
Before you begin, ensure that you meet the following operating system or platform requisites for threat and vulnerability management so the activities in your devices are properly accounted for.
>[!NOTE]
>Operating systems supported by Microsoft Defender ATP are not necessarily supported by threat and vulnerability management (like MacOS and Linux).
>The supported systems and platforms for threat and vulnerability management may be different from the [Minimum requirements for Microsoft Defender ATP](minimum-requirements.md) list.
Operating system | Security assessment support
:---|:---
@ -42,8 +42,6 @@ Windows Server 2019 | Operating System (OS) vulnerabilities<br/>Software product
MacOS | Not supported (planned)
Linux | Not supported (planned)
Some of the above prerequisites might be different from the [Minimum requirements for Microsoft Defender ATP](minimum-requirements.md) list.
## Related topics
- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)

6
windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
View File

@ -1,6 +1,6 @@
---
title: Open the Group Policy Management Console to Windows Firewall with Advanced Security (Windows 10)
description: Open the Group Policy Management Console to Windows Firewall with Advanced Security
title: Group Policy Management of Windows Firewall with Advanced Security (Windows 10)
description: Group Policy Management of Windows Firewall with Advanced Security
ms.assetid: 28afab36-8768-4938-9ff2-9d6dab702e98
ms.reviewer:
ms.author: dansimp
@ -17,7 +17,7 @@ ms.topic: conceptual
ms.date: 04/19/2017
---
# Open the Group Policy Management Console to Windows Firewall with Advanced Security
# Group Policy Management of Windows Firewall with Advanced Security
**Applies to**
- Windows 10