`.
- To activate online, type `slmgr.vbs /ato`.
-- To activate by telephone , follow these steps:
+- To activate by telephone, follow these steps:
1. Run `slmgr.vbs /dti` and confirm the installation ID.
2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone.
3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation.
@@ -59,51 +63,51 @@ To activate , use the slmgr.vbs command. Open an elevated command prompt and run
For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032).
## Key Management Service in Windows Server 2012 R2
+
Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
-**Note**
-You cannot install a client KMS key into the KMS in Windows Server.
+> [!NOTE]
+> You cannot install a client KMS key into the KMS in Windows Server.
This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden.
-**Note**
+> [!NOTE]
+> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687).
-If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687).
-
-**Configure KMS in Windows Server 2012 R2**
+### Configure KMS in Windows Server 2012 R2
1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials.
2. Launch Server Manager.
3. Add the Volume Activation Services role, as shown in Figure 4.
-
- **Figure 4**. Adding the Volume Activation Services role in Server Manager\
-
+
+ **Figure 4**. Adding the Volume Activation Services role in Server Manager
+
4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5).
-
+
**Figure 5**. Launching the Volume Activation Tools
- 5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
+5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
-
+
-
+
**Figure 6**. Configuring the computer as a KMS host
-
-5. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
+
+6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
-
+
**Figure 7**. Installing your KMS host key
-
-6. If asked to confirm replacement of an existing key, click **Yes**.
-7. After the product key is installed, you must activate it. Click **Next** (Figure 8).
+
+7. If asked to confirm replacement of an existing key, click **Yes**.
+8. After the product key is installed, you must activate it. Click **Next** (Figure 8).
-
+
**Figure 8**. Activating the software
The KMS key can be activated online or by phone. See Figure 9.
@@ -123,25 +127,27 @@ You can verify KMS volume activation from the KMS host server or from the client
To verify that KMS volume activation works, complete the following steps:
-1. On the KMS host, open the event log and confirm that DNS publishing is successful.
-2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.
-The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
-3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr /dlv**, and then press ENTER.
+1. On the KMS host, open the event log and confirm that DNS publishing is successful.
+2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.
-The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
+ The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
+3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr.vbs /dlv**, and then press ENTER.
-For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://go.microsoft.com/fwlink/p/?LinkId=733639).
+ The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
+
+For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://docs.microsoft.com/windows-server/get-started/activation-slmgr-vbs-options).
## Key Management Service in earlier versions of Windows
If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps:
-1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
-2. Request a new KMS host key from the Volume Licensing Service Center.
-3. Install the new KMS host key on your KMS host.
-4. Activate the new KMS host key by running the slmgr.vbs script.
+1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
+2. Request a new KMS host key from the Volume Licensing Service Center.
+3. Install the new KMS host key on your KMS host.
+4. Activate the new KMS host key by running the slmgr.vbs script.
For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590).
## See also
-- [Volume Activation for Windows 10](volume-activation-windows-10.md)
+
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md
index 5152af65fe..45619726e9 100644
--- a/windows/deployment/volume-activation/introduction-vamt.md
+++ b/windows/deployment/volume-activation/introduction-vamt.md
@@ -19,24 +19,26 @@ ms.topic: article
The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012.
-**Note**
-VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
+> [!NOTE]
+> VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
## In this Topic
-- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
-- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
-- [Enterprise Environment](#bkmk-enterpriseenvironment)
-- [VAMT User Interface](#bkmk-userinterface)
+
+- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
+- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
+- [Enterprise Environment](#bkmk-enterpriseenvironment)
+- [VAMT User Interface](#bkmk-userinterface)
## Managing Multiple Activation Key (MAK) and Retail Activation
You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
-- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
-- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
+
+- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
+- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
## Managing Key Management Service (KMS) Activation
-In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.
+In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.\
VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
## Enterprise Environment
@@ -55,13 +57,13 @@ The following screenshot shows the VAMT graphical user interface.
VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
-- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
-- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
-- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
-- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
-- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
+
+- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
+- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
+- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
+- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
+- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
## Related topics
+
- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
-
-
diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md
index 1b9bb407c6..25ef07d002 100644
--- a/windows/hub/TOC.md
+++ b/windows/hub/TOC.md
@@ -1,4 +1,4 @@
-# [Windows 10](index.md)
+# [Windows 10](index.yml)
## [What's new](/windows/whats-new)
## [Release information](/windows/release-information)
## [Deployment](/windows/deployment)
diff --git a/windows/hub/index.md b/windows/hub/index.md
deleted file mode 100644
index b34eb9cf48..0000000000
--- a/windows/hub/index.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Windows 10
-description: Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10.
-ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60
-ms.prod: w10
-ms.localizationpriority: high
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.reviewer: dansimp
-manager: dansimp
----
-
-# Windows 10
-
-Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10.
-
-
-
-## Check out [what's new in Windows 10, version 2004](/windows/whats-new/whats-new-windows-10-version-2004).
-
-
-
->[!TIP]
-> Looking for information about older versions of Windows? Check out our other [Windows libraries](/previous-versions/windows/) on docs.microsoft.com. You can also search this site to find specific information, like this [Windows 8.1 content](https://docs.microsoft.com/search/index?search=Windows+8.1&dataSource=previousVersions).
-
-## Get to know Windows as a Service (WaaS)
-
-The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
-
-These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
-
-- [Read more about Windows as a Service](/windows/deployment/update/waas-overview)
\ No newline at end of file
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
new file mode 100644
index 0000000000..0ac1aa5523
--- /dev/null
+++ b/windows/hub/index.yml
@@ -0,0 +1,115 @@
+### YamlMime:Landing
+
+title: Windows 10 resources and documentation for IT Pros # < 60 chars
+summary: Plan, deploy, secure, and manage devices running Windows 10. # < 160 chars
+
+metadata:
+ title: Windows 10 documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars.
+ description: Evaluate, plan, deploy, secure and manage devices running Windows 10. # Required; article description that is displayed in search results. < 160 chars.
+ services: windows-10
+ ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
+ ms.subservice: subservice
+ ms.topic: landing-page # Required
+ ms.collection: windows-10
+ author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
+ ms.author: greglin #Required; microsoft alias of author; optional team alias.
+ ms.date: 09/23/2020 #Required; mm/dd/yyyy format.
+ localization_priority: medium
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card (optional)
+ - title: What's new
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: What's new in Windows 10, version 2004
+ url: /windows/whats-new/whats-new-windows-10-version-2004
+ - text: What's new in Windows 10, version 1909
+ url: /windows/whats-new/whats-new-windows-10-version-1909
+ - text: What's new in Windows 10, version 1903
+ url: /windows/whats-new/whats-new-windows-10-version-1903
+ - text: Windows 10 release information
+ url: https://docs.microsoft.com/windows/release-information/
+
+ # Card (optional)
+ - title: Configuration
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Configure Windows 10
+ url: /windows/configuration/index
+ - text: Accesasibility information for IT Pros
+ url: /windows/configuration/windows-10-accessibility-for-itpros
+ - text: Configure access to Microsoft Store
+ url: /windows/configuration/stop-employees-from-using-microsoft-store
+ - text: Set up a shared or guest PC
+ url: /windows/configuration/set-up-shared-or-guest-pc
+
+ # Card (optional)
+ - title: Deployment
+ linkLists:
+ - linkListType: deploy
+ links:
+ - text: Deploy and update Windows 10
+ url: /windows/deployment/index
+ - text: Windows 10 deployment scenarios
+ url: /windows/deployment/windows-10-deployment-scenarios
+ - text: Create a deployment plan
+ url: /windows/deployment/update/create-deployment-plan
+ - text: Prepare to deploy Windows 10
+ url: /windows/deployment/update/prepare-deploy-windows
+
+
+ # Card
+ - title: App management
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Windows 10 application management
+ url: /windows/application-management/index
+ - text: Understand the different apps included in Windows 10
+ url: /windows/application-management/apps-in-windows-10
+ - text: Get started with App-V for Windows 10
+ url: /windows/application-management/app-v/appv-getting-started
+ - text: Keep removed apps from returning during an update
+ url: /windows/application-management/remove-provisioned-apps-during-update
+
+ # Card
+ - title: Client management
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Windows 10 client management
+ url: /windows/client-management/index
+ - text: Administrative tools in Windows 10
+ url: /windows/client-management/administrative-tools-in-windows-10
+ - text: Create mandatory user profiles
+ url: /windows/client-management/mandatory-user-profile
+ - text: New policies for Windows 10
+ url: /windows/client-management/new-policies-for-windows-10
+
+ # Card (optional)
+ - title: Security and Privacy
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Windows 10 Enterprise Security
+ url: /windows/security/index
+ - text: Windows Privacy
+ url: /windows/privacy/index
+ - text: Identity and access management
+ url: /windows/security/identity-protection/index
+ - text: Threat protection
+ url: /windows/security/threat-protection/index
+ - text: Information protection
+ url: /windows/security/information-protection/index
+ - text: Required diagnostic data
+ url: /windows/privacy/required-windows-diagnostic-data-events-and-fields-2004
+ - text: Optional diagnostic data
+ url: /windows/privacy/windows-diagnostic-data
+ - text: Changes to Windows diagnostic data collection
+ url: /windows/privacy/changes-to-windows-diagnostic-data-collection
diff --git a/windows/hub/windows-10.yml b/windows/hub/windows-10.yml
deleted file mode 100644
index 822259efbd..0000000000
--- a/windows/hub/windows-10.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Windows 10
-metadata:
- title: Windows 10
- description: Find tools, step-by-step guides, and other resources to help you deploy and support Windows 10 in your organization.
- keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
- ms.localizationpriority: medium
- author: lizap
- ms.author: elizapo
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- Find tools, step-by-step guides, and other resources to help you deploy and support Windows 10 in your organization.
- "
-- title: Explore
-- items:
- - type: markdown
- text: "
- Get started with Windows 10. Evaluate free for 90 days and set up virtual labs to test a proof of concept.
- 
**Download a free 90-day evaluation**
Try the latest features. Test your apps, hardware, and deployment strategies.
Start evaluation | 
**Get started with virtual labs**
Try setup, deployment, and management scenarios in a virtual environment, with no additional software or setup required.
See Windows 10 labs | 
**Conduct a proof of concept**
Download a lab environment with MDT, Configuration Manager, Windows 10, and more.
Get deployment kit |
-
- "
-- title: What's new
-- items:
- - type: markdown
- text: "
- Learn about the latest releases and servicing options.
-
- "
-- title: Frequently asked questions
-- items:
- - type: markdown
- text: "
- Get answers to common questions, or get help with a specific problem.
-
- "
-- title: Plan
-- items:
- - type: markdown
- text: "
- Prepare to deploy Windows 10 in your organization. Explore deployment methods, compatibility tools, and servicing options.
-
- "
-- title: Deploy
-- items:
- - type: markdown
- text: "
- Download recommended tools and get step-by-step guidance for in-place upgrades, dynamic provisioning, or traditional deployments.
-
- "
-- title: Management and security
-- items:
- - type: markdown
- text: "
- Learn how to manage Windows 10 clients and apps, secure company data, and manage risk.
-
- "
-- title: Stay informed
-- items:
- - type: markdown
- text: "
- Stay connected with Windows 10 experts, your colleagues, business trends, and IT pro events.
- 
**Sign up for the Windows IT Pro Insider**
Find out about new resources and get expert tips and tricks on deployment, management, security, and more.
Learn more | 
**Follow us on Twitter**
Keep up with the latest desktop and device trends, Windows news, and events for IT pros.
Visit Twitter | 
**Join the Windows Insider Program for Business**
Get early access to new builds and provide feedback on the latest features and functionalities.
Get started |
-
- "
diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md
index 48f324427e..b14254b22a 100644
--- a/windows/security/identity-protection/access-control/special-identities.md
+++ b/windows/security/identity-protection/access-control/special-identities.md
@@ -186,7 +186,7 @@ This group includes all domain controllers in an Active Directory forest. Domain
All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group.
-On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed).
+On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry Editor, by going to the **Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** key and setting the value of **everyoneincludesanonymous** DWORD to 1).
Membership is controlled by the operating system.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 8a785dcf5f..a0855330fb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -95,8 +95,7 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
> [!NOTE]
-> * The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store.
-> * If you are using a 3rd party CA, add the certificate to the NTAuth store. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
+> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
### Enrollment Agent certificate template
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
index ce98019039..3bd0bbe112 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
@@ -39,7 +39,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
2. Click the **Users** container in the navigation pane.
3. Right-click **Key Admins** in the details pane and click **Properties**.
4. Click the **Members** tab and click **Add**
-5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account. Click **OK**.
+5. In the **Enter the object names to select** text box, type the name of the service account used as an AD DS Connector account and click **OK**.
6. Click **OK** to return to **Active Directory Users and Computers**.
### Section Review
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 73946540c5..d27fae3822 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -458,7 +458,7 @@ contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,conto
Value format without proxy:
```console
-contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com
+contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com,
```
### Protected domains
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 0de8771fac..9af557f950 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -59,7 +59,7 @@ To help address this security insufficiency, companies developed data loss preve
- **The ability to specify what happens when data matches a rule, including whether employees can bypass enforcement.** For example, in Microsoft SharePoint and SharePoint Online, the Microsoft data loss prevention system lets you warn your employees that shared data includes sensitive info, and to share it anyway (with an optional audit log entry).
-Unfortunately, data loss prevention systems have their own problems. For example, the more detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees’ natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn’t see and can’t understand.
+Unfortunately, data loss prevention systems have their own problems. For example, the less detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees’ natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn’t see and can’t understand.
### Using information rights management systems
To help address the potential data loss prevention system problems, companies developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on.
@@ -90,7 +90,7 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
- - **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
+ - **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but makes a mistake and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode.
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 3cdf54c1ec..ee1f4abf88 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -256,9 +256,17 @@
#### [Resources](microsoft-defender-atp/mac-resources.md)
+
+
### [Microsoft Defender Advanced Threat Protection for iOS]()
#### [Overview of Microsoft Defender Advanced Threat Protection for iOS](microsoft-defender-atp/microsoft-defender-atp-ios.md)
+#### [Deploy]()
+##### [App-based deployment](microsoft-defender-atp/ios-install.md)
+
+#### [Configure]()
+##### [Configure iOS features](microsoft-defender-atp/ios-configure-features.md)
+
### [Microsoft Defender Advanced Threat Protection for Linux]()
#### [Overview of Microsoft Defender ATP for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
@@ -536,6 +544,7 @@
####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md)
+####### [Set device value](microsoft-defender-atp/set-device-value.md)
###### [Machine Action]()
####### [Machine Action methods and properties](microsoft-defender-atp/machineaction.md)
@@ -700,7 +709,7 @@
##### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md)
#### [Troubleshoot next-generation protection](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
-
+#### [Troubleshoot migration issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
index ca821701f2..8d013685ee 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
@@ -1,7 +1,7 @@
---
title: Collect diagnostic data of Microsoft Defender Antivirus
description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus
-keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av
+keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av, group policy object, setting, diagnostic data
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: manage
@@ -25,7 +25,7 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV.
+This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV.
> [!NOTE]
> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
@@ -54,7 +54,7 @@ On at least two devices that are experiencing the same issue, obtain the .cab di
4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`.
> [!NOTE]
-> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation `
For more information see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
+> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation `
For more information, see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
@@ -78,7 +78,7 @@ mpcmdrun.exe -GetFiles -SupportLogLocation
Copies the diagnostic data to the specified path. If the path is not specified, the diagnostic data will be copied to the location specified in the Support Log Location Configuration.
-When the SupportLogLocation parameter is used, a folder structure as below will be created in the destination path:
+When the SupportLogLocation parameter is used, a folder structure like as follows will be created in the destination path:
```Dos
\\MpSupport--.cab
@@ -86,13 +86,30 @@ When the SupportLogLocation parameter is used, a folder structure as below will
| field | Description |
|:----|:----|
-| path | The path as specified on the commandline or retrieved from configuration
-| MMDD | Month Day when the diagnostic data was collected (eg 0530)
-| hostname | the hostname of the device on which the diagnostic data was collected.
-| HHMM | Hours Minutes when the diagnostic data was collected (eg 1422)
+| path | The path as specified on the command line or retrieved from configuration
+| MMDD | Month and day when the diagnostic data was collected (for example, 0530)
+| hostname | The hostname of the device on which the diagnostic data was collected
+| HHMM | Hours and minutes when the diagnostic data was collected (for example, 1422)
> [!NOTE]
-> When using a File share please make sure that account used to collect the diagnostic package has write access to the share.
+> When using a file share please make sure that account used to collect the diagnostic package has write access to the share.
+
+## Specify location where diagnostic data is created
+
+You can also specify where the diagnostic .cab file will be created using a Group Policy Object (GPO).
+
+1. Open the Local Group Policy Editor and find the SupportLogLocation GPO at: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation`
+
+1. Select **Define the directory path to copy support log files**.
+
+ 
+
+ 
+3. Inside the policy editor, select **Enabled**.
+
+4. Specify the directory path where you want to copy the support log files in the **Options** field.
+ 
+5. Select **OK** or **Apply**.
## See also
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
index 93b12016f3..ee3e692d4a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
@@ -59,8 +59,8 @@ Specify the level of subfolders within an archive folder to scan | Scan > Specif
Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available
->[!NOTE]
->If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives.
+> [!NOTE]
+> If real-time protection is turned on, files are scanned before they are accessed and executed. The scanning scope includes all files, including files on mounted removable media, such as USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan will also include network shares.
## Use PowerShell to configure scanning options
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO-diagpath.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO-diagpath.png
new file mode 100644
index 0000000000..7f5019db43
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO-diagpath.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO1-SupportLogLocationDefender.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO1-SupportLogLocationDefender.png
new file mode 100644
index 0000000000..f93b4ad4dc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO1-SupportLogLocationDefender.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO2-SupportLogLocationGPPage.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO2-SupportLogLocationGPPage.png
new file mode 100644
index 0000000000..bf839465f9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO2-SupportLogLocationGPPage.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO3-SupportLogLocationGPPageEnabledExample.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO3-SupportLogLocationGPPageEnabledExample.png
new file mode 100644
index 0000000000..6d5d59ee31
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO3-SupportLogLocationGPPageEnabledExample.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
index 514ee0334b..d1cb0e3d28 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
-ms.date: 09/10/2020
+ms.date: 10/06/2020
---
# Manage Microsoft Defender Antivirus updates and apply baselines
@@ -33,39 +33,99 @@ There are two types of updates related to keeping Microsoft Defender Antivirus u
> [!IMPORTANT]
> Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
> This also applies to devices where Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
-
-> [!NOTE]
+>
> You can use the below URL to find out what are the current versions:
> [https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info)
## Security intelligence updates
-Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
+Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
-The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
+> [!NOTE]
+> Updates are released under the below KB numbers:
+> Microsoft Defender Antivirus: KB2267602
+> System Center Endpoint Protection: KB2461484
-Engine updates are included with the security intelligence updates and are released on a monthly cadence.
+Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
+
+Engine updates are included with security intelligence updates and are released on a monthly cadence.
## Product updates
-Microsoft Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases.
+Microsoft Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as *platform updates*), and will receive major feature updates alongside Windows 10 releases.
+
+You can manage the distribution of updates through one of the following methods:
+
+- [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus)
+- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction)
+- The usual method you use to deploy Microsoft and Windows updates to endpoints in your network.
-You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
> [!NOTE]
-> We release these monthly updates in phases. This results in multiple packages showing up in your WSUS server.
+> We release these monthly updates in phases. This results in multiple packages visible in your WSUS server.
## Monthly platform and engine versions
-For information how to update or how to install the platform update, please see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
+For information how to update or how to install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
All our updates contain:
-* performance improvements
-* serviceability improvements
-* integration improvements (Cloud, MTP)
+- performance improvements
+- serviceability improvements
+- integration improvements (Cloud, Microsoft 365 Defender)
+ September-2020 (Platform: 4.18.2009.x | Engine: 1.1.17500.4)
+
+ Security intelligence update version: **1.323.2254.0**
+ Released: **October 6, 2020**
+ Platform: **4.18.2009.x**
+ Engine: **1.1.17500.4**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+
+- Admin permissions are required to restore files in quarantine
+- XML formatted events are now supported
+- CSP support for ignoring exclusion merge
+- New management interfaces for:
+ - UDP Inspection
+ - Network Protection on Server 2019
+ - IP Address exclusions for Network Protection
+- Improved visibility into TPM measurements
+- Improved Office VBA module scanning
+
+### Known Issues
+No known issues
+
+
+
+
+
+ September-2020 (Platform: 4.18.2009.X | Engine: 1.1.17500.4)
+
+ Security intelligence update version: **1.325.10.0**
+ Released: **October 01, 2020**
+ Platform: **4.18.2009.X**
+ Engine: **1.1.17500.4**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+- Admin permissions are required to restore files in quarantine
+- XML formatted events are now supported
+- CSP support for ignoring exclusion merge
+- New management interfaces for:
+ - UDP Inspection
+ - Network Protection on Server 2019
+ - IP Address exclusions for Network Protection
+- Improved visibility into TPM measurements
+- Improved Office VBA module scanning
+
+### Known Issues
+No known issues
+
+
+
August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)
Security intelligence update version: **1.323.9.0**
@@ -79,7 +139,7 @@ All our updates contain:
* Improved scan event telemetry
* Improved behavior monitoring for memory scans
* Improved macro streams scanning
-* Added "AMRunningMode" to Get-MpComputerStatus Powershell CmdLet
+* Added `AMRunningMode` to Get-MpComputerStatus PowerShell CmdLet
### Known Issues
No known issues
@@ -111,7 +171,7 @@ No known issues
Released: **June 22, 2020**
Platform: **4.18.2006.10**
Engine: **1.1.17200.2**
- Support phase: **Security and Critical Updates**
+ Support phase: **Technical upgrade Support (Only)**
### What's new
* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
@@ -159,7 +219,7 @@ No known issues
### What's new
* WDfilter improvements
-* Add more actionable event data to ASR detection events
+* Add more actionable event data to attack surface reduction detection events
* Fixed version information in diagnostic data and WMI
* Fixed incorrect platform version in UI after platform update
* Dynamic URL intel for Fileless threat protection
@@ -184,7 +244,7 @@ No known issues
* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus)
* Improve diagnostic capability
-* reduce Security intelligence timeout (5min)
+* reduce Security intelligence timeout (5 min)
* Extend AMSI engine internal log capability
* Improve notification for process blocking
@@ -264,8 +324,7 @@ When this update is installed, the device needs the jump package 4.10.2001.10 to
## Microsoft Defender Antivirus platform support
-As stated above, platform and engine updates are provided on a monthly cadence.
-Customers must stay current with the latest platform update to be fully supported. Our support structure is now dynamic, evolving into two phases depending on the availability of the latest platform version:
+Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version:
* **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
@@ -293,12 +352,12 @@ The below table provides the Microsoft Defender Antivirus platform and engine ve
Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
-## In this section
+## See also
Article | Description
---|---
[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources.
[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded.
-[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on.
+[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next logon.
[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events.
[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index e598e1bbce..74c6ee2735 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
-ms.date: 08/26/2020
+ms.date: 09/28/2020
---
# Microsoft Defender Antivirus compatibility
@@ -94,6 +94,8 @@ If you uninstall the other product, and choose to use Microsoft Defender Antivir
> [!WARNING]
> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+> [!IMPORTANT]
+> If you are using [Microsoft endpoint data loss prevention (Endpoint DLP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview), Microsoft Defender Antivirus real-time protection is enabled even when Microsoft Defender Antivirus is running in passive mode. Endpoint DLP depends on real-time protection to operate.
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
index c3358561d8..7bf4c22d0e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
@@ -64,6 +64,9 @@ See [Prevent users from locally modifying policy settings](configure-local-polic
You can prevent users from pausing scans, which can be helpful to ensure scheduled or on-demand scans are not interrupted by users.
+> [!NOTE]
+> This setting is not supported on Windows 10.
+
### Use Group Policy to prevent users from pausing a scan
1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
index c83b6725b3..da893a1b8a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 09/28/2020
ms.reviewer:
manager: dansimp
---
@@ -25,15 +25,9 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-After an Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results.
+After a Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results.
-## Use Microsoft Intune to review scan results
-
-1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
-
-2. Click the scan results in **Device actions status**.
-
## Use Configuration Manager to review scan results
See [How to monitor Endpoint Protection status](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
@@ -46,7 +40,7 @@ The following cmdlet will return each detection on the endpoint. If there are mu
Get-MpThreatDetection
```
-
+
You can specify `-ThreatID` to limit the output to only show the detections for a specific threat.
@@ -56,7 +50,7 @@ If you want to list threat detections, but combine detections of the same threat
Get-MpThreat
```
-
+
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
index 2a04fdb15b..f176529dde 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 07/22/2020
+ms.date: 09/30/2020
ms.reviewer:
manager: dansimp
---
@@ -28,14 +28,13 @@ manager: dansimp
> [!NOTE]
> By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
-
In addition to always-on real-time protection and [on-demand](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled scans.
You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
-This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-To configure the Group Policy settings described in this topic:
+## To configure the Group Policy settings described in this article
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -201,7 +200,7 @@ Scan | Specify the time for a daily quick scan | Specify the number of minutes a
Use the following cmdlets:
```PowerShell
-Set-MpPreference -ScanScheduleQuickTime
+Set-MpPreference -ScanScheduleQuickScanTime
```
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
@@ -229,9 +228,7 @@ Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled
-## Related topics
-
-
+## See also
- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
new file mode 100644
index 0000000000..09535418a1
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
@@ -0,0 +1,134 @@
+---
+title: Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
+description: Troubleshoot common errors when migrating to Microsoft Defender Antivirus
+keywords: event, error code, logging, troubleshooting, microsoft defender antivirus, windows defender antivirus, migration
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+author: martyav
+ms.author: v-maave
+ms.custom: nextgen
+ms.date: 09/11/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus.
+
+## Review event logs
+
+Open the Event viewer app by selecting the **Search** icon in the taskbar, and searching for *event viewer*.
+
+Information about Microsoft Defender Antivirus can be found under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender**.
+
+From there, select **Open** underneath **Operational**.
+
+Selecting an event from the details pane will show you more information about an event in the lower pane, under the **General** and **Details** tabs.
+
+## Microsoft Defender Antivirus won't start
+
+This issue can manifest in the form of several different event IDs, all of which have the same underlying cause.
+
+### Associated event IDs
+
+ Event ID | Log name | Description | Source
+-|-|-|-
+15 | Application | Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF. | Security Center
+5007 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
**Old value:** Default\IsServiceRunning = 0x0
**New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1 | Windows Defender
+5010 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus scanning for spyware and other potentially unwanted software is disabled. | Windows Defender
+
+### How to tell if Microsoft Defender Antivirus won't start because a third-party antivirus is installed
+
+On a Windows 10 device, if you are not using Microsoft Defender Advanced Threat Protection (ATP), and you have a third-party antivirus installed, then Microsoft Defender Antivirus will be automatically turned off. If you are using Microsoft Defender ATP with a third-party antivirus installed, Microsoft Defender Antivirus will start in passive mode, with reduced functionality.
+
+> [!TIP]
+> The scenario just described applies only to Windows 10. Other versions of Windows have [different responses](microsoft-defender-antivirus-compatibility.md) to Microsoft Defender Antivirus being run alongside third-party security software.
+
+#### Use Services app to check if Microsoft Defender Antivirus is turned off
+
+To open the Services app, select the **Search** icon from the taskbar and search for *services*. You can also open the app from the command-line by typing *services.msc*.
+
+Information about Microsoft Defender Antivirus will be listed within the Services app under **Windows Defender** > **Operational**. The antivirus service name is *Windows Defender Antivirus Service*.
+
+While checking the app, you may see that *Windows Defender Antivirus Service* is set to manual — but when you try to start this service manually, you get a warning stating, *The Windows Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.*
+
+This indicates that Microsoft Defender Antivirus has been automatically turned off to preserve compatibility with a third-party antivirus.
+
+#### Generate a detailed report
+
+You can generate a detailed report about currently active group policies by opening a command prompt in **Run as admin** mode, then entering the following command:
+
+```powershell
+GPresult.exe /h gpresult.html
+```
+
+This will generate a report located at *./gpresult.html*. Open this file and you might see the following results, depending on how Microsoft Defender Antivirus was turned off.
+
+##### Group policy results
+
+##### If security settings are implemented via group policy (GPO) at the domain or local level, or though System center configuration manager (SCCM)
+
+Within the GPResults report, under the heading, *Windows Components/Windows Defender Antivirus*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
+
+Policy | Setting | Winning GPO
+-|-|-
+Turn off Windows Defender Antivirus | Enabled | Win10-Workstations
+
+###### If security settings are implemented via Group policy preference (GPP)
+
+Under the heading, *Registry item (Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, Value name: DisableAntiSpyware)*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
+
+DisableAntiSpyware | -
+-|-
+Winning GPO | Win10-Workstations
+Result: Success |
+**General** |
+Action | Update
+**Properties** |
+Hive | HKEY_LOCAL_MACHINE
+Key path | SOFTWARE\Policies\Microsoft\Windows Defender
+Value name | DisableAntiSpyware
+Value type | REG_DWORD
+Value data | 0x1 (1)
+
+###### If security settings are implemented via registry key
+
+The report may contain the following text, indicating that Microsoft Defender Antivirus is turned off:
+
+> Registry (regedit.exe)
+>
+> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
+> DisableAntiSpyware (dword) 1 (hex)
+
+###### If security settings are set in Windows or your Windows Server image
+
+Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Microsoft Defender Antivirus.
+
+### Turn Microsoft Defender Antivirus back on
+
+Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. You'll need to turn the third-party antivirus completely off to ensure Microsoft Defender Antivirus can run with full functionality.
+
+> [!WARNING]
+> Solutions suggesting that you edit the *Windows Defender* start values for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system.
+
+Passive mode is available if you start using Microsoft Defender ATP and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](../microsoft-defender-atp/information-protection-in-windows-overview.md) is deployed.
+
+Another feature, known as [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), is available to end-users when Microsoft Defender Antivirus is set to automatically turn off. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a third-party antivirus, using a limited number of detections.
+
+> [!IMPORTANT]
+> Limited periodic scanning is not recommended in enterprise environments. The detection, management and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced as compared to active mode.
+
+### See also
+
+* [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md)
+* [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
index 761dd08cfa..1a87a09ee4 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
@@ -10,8 +10,8 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
+ms.date: 10/01/2018
+ms.reviewer: ksarens
manager: dansimp
---
@@ -96,7 +96,7 @@ Root | Allow antimalware service to start up with normal priority | [Configure r
Root | Allow antimalware service to remain running always | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
Root | Turn off routine remediation | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
Root | Randomize scheduled task times | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)
+Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) (Not supported on Windows 10)
Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
index 372d0b750f..b3bb7867ee 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@@ -22,7 +22,8 @@ Answering frequently asked questions about Microsoft Defender Application Guard
## Frequently Asked Questions
-### Can I enable Application Guard on machines equipped with 4GB RAM? |
+### Can I enable Application Guard on machines equipped with 4GB RAM?
+
We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is 4 cores.)
@@ -87,7 +88,7 @@ To trust a subdomain, you must precede your domain with two dots, for example: `
### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
-When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's standalone mode. However, when using Windows Enterprise you will have access to Application Guard's enterprise-managed mode. This mode has some extra features that the standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
+When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
### Is there a size limit to the domain lists that I need to configure?
@@ -95,88 +96,8 @@ Yes, both the enterprise resource domains hosted in the cloud and the domains ca
### Why does my encryption driver break Microsoft Defender Application Guard?
-Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work, and will result in an error message (*0x80070013 ERROR_WRITE_PROTECT*).
-
-### Why do the network isolation policies in Group Policy and CSP look different?
-
-There is not a one-to-one mapping among all the network isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP.
-
-Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources"
-Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
-For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
-
-Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (*0x80070013 ERROR_WRITE_PROTECT*).
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
### Why did Application Guard stop working after I turned off hyperthreading?
-If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility that Microsoft Defender Application Guard no longer meets the minimum requirements.
-
-### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")?
-
-Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
-
-### Why am I getting the error message ("ERR_NAME_NOT_RESOLVED") after not being able to reach PAC file?
-
-This is a known issue. To mitigate this you need to create two firewall rules.
-For guidance on how to create a firewall rule by using group policy, see:
-- [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule)
-- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
-
-First rule (DHCP Server):
-1. Program path: `%SystemRoot%\System32\svchost.exe`
-2. Local Service: Sid: `S-1-5-80-2009329905-444645132-2728249442-922493431-93864177` (Internet Connection Service (SharedAccess))
-3. Protocol UDP
-4. Port 67
-
-Second rule (DHCP Client)
-This is the same as the first rule, but scoped to local port 68.
-In the Microsoft Defender Firewall user interface go through the following steps:
-1. Right click on inbound rules, create a new rule.
-2. Choose **custom rule**.
-3. Program path: **%SystemRoot%\System32\svchost.exe**.
-4. Protocol Type: UDP, Specific ports: 67, Remote port: any.
-5. Any IP addresses.
-6. Allow the connection.
-7. All profiles.
-8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
-9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
-
-### Why can I not launch Application Guard when Exploit Guard is enabled?
-
-There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to the **use default**.
-
-
-### How can I have ICS in enabled state yet still use Application Guard?
-
-This is a two step process.
-
-Step 1:
-
-Enable Internet Connection sharing by changing the Group Policy setting **Prohibit use of Internet Connection Sharing on your DNS domain network.** This setting is part of the Microsoft security baseline. Change it from **Enabled** to **Disabled**.
-
-Step 2:
-
-1. Disable IpNat.sys from ICS load:
-`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`.
-2. Configure ICS (SharedAccess) to enabled:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`.
-3. Disable IPNAT (Optional):
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`.
-4. Restart the device.
-
-### Why doesn't Application Guard work, even though it's enabled through Group Policy?
-
-Application Guard must meet all these prerequisites to be enabled in Enterprise mode: [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard).
-To understand why it is not enabled in Enterprise mode, check the status of the evaluation to understand what's missing.
-
-For CSP (Intune) you can query the status node by using **Get**. This is described in the [Application Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/windowsdefenderapplicationguard-csp). On this page, you will see the **status** node as well as the meaning of each bit. If the status is not 63, you are missing a prerequisite.
-
-For Group Policy you need to look at the registry. See **Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HVSIGP** Status. The meaning of each bit is the same as the CSP.
-
-### I'm encountering TCP fragmentation issues, and cannot enable my VPN connection. How do I fix this?
-
-WinNAT drops ICMP/UDP messages with packets greater than MTU when using Default Switch or Docker NAT network. Support for this has been added in [KB4571744](https://www.catalog.update.microsoft.com/Search.aspx?q=4571744). To fix the issue, install the update and enable the fix by following these steps:
-
-1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`.
-
-2. Reboot the device.
+If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 04d381db5b..4acd29aa2d 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -43,8 +43,8 @@ Application Guard has been created to target several types of systems:
## Related articles
-|Article | Description |
-|--------|-------------|
+|Article |Description |
+|------|------------|
|[System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.|
|[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
|[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
index d8526c28d0..bca632927a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@@ -14,7 +14,8 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.reviewer: ramarom, evaldm, isco, mabraitm
+ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
+ms.date: 09/24/2020
---
# View details and results of automated investigations
@@ -22,7 +23,7 @@ ms.reviewer: ramarom, evaldm, isco, mabraitm
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP) is configured for your organization, some remediation actions are taken automatically.
+During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) is configured for your organization, some remediation actions are taken automatically.
If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation.
@@ -164,5 +165,5 @@ When you click on the pending actions link, you'll be taken to the Action center
- [View and approve remediation actions](manage-auto-investigation.md)
-- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
+- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index 8c81015728..d422058827 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -1,22 +1,23 @@
---
title: Use automated investigations to investigate and remediate threats
-description: Understand the automated investigation flow in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export
+description: Understand the automated investigation flow in Microsoft Defender for Endpoint.
+keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export, defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
-ms.date: 09/03/2020
+ms.date: 09/30/2020
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.reviewer: ramarom, evaldm, isco, mabraitm
+ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
ms.custom: AIR
---
@@ -27,16 +28,16 @@ ms.custom: AIR
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh]
-Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, and to reduce the volume of alerts that must be investigated individually, Microsoft Defender ATP includes automated investigation and remediation capabilities.
+Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively.
-Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when each investigation was initiated.
+Automated investigation uses various inspection algorithms and processes used by analysts to examine alerts and take immediate action to resolve breaches. These capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions.
> [!TIP]
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
## How the automated investigation starts
-When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
+When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender for Endpoint checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
>[!NOTE]
>Currently, automated investigation only supports the following OS versions:
@@ -51,15 +52,15 @@ During and after an automated investigation, you can view details about the inve
|Tab |Description |
|--|--|
-|**Alerts**| Shows the alert that started the investigation.|
-|**Devices** |Shows where the alert was seen.|
-|**Evidence** |Shows the entities that were found to be malicious during the investigation.|
-|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
-|**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.|
+|**Alerts**| The alert(s) that started the investigation.|
+|**Devices** |The device(s) where the threat was seen.|
+|**Evidence** |The entities that were found to be malicious during an investigation.|
+|**Entities** |Details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
+|**Log** |The chronological, detailed view of all the investigation actions taken on the alert.|
|**Pending actions** |If there are any actions awaiting approval as a result of the investigation, the **Pending actions** tab is displayed. On the **Pending actions** tab, you can approve or reject each action. |
> [!IMPORTANT]
-> Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions.
+> Go to the **[Action center](auto-investigation-action-center.md)** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions.
## How an automated investigation expands its scope
@@ -69,48 +70,33 @@ If an incriminated entity is seen in another device, the automated investigation
## How threats are remediated
-Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically remediates threats.
+Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically takes action to remediate threats.
> [!NOTE]
-> Microsoft Defender ATP tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
+> Microsoft Defender for Endpoint tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
You can configure the following levels of automation:
|Automation level | Description|
|---|---|
-|**Full - remediate threats automatically** | All remediation actions are performed automatically.
***This option is recommended** and is selected by default for Microsoft Defender ATP tenants that were created on or after August 16, 2020, and that have no device groups defined.
If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.*|
-|**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.
Files or executables in all other folders are automatically remediated, if needed.|
-|**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders.
Files or executables in temporary folders, such as the user's download folder or the user's temp folder, are automatically be remediated (if needed).|
-|**Semi - require approval for any remediation** | An approval is needed for any remediation action.
*This option is selected by default for Microsoft Defender ATP tenants that were created before August 16, 2020, and that have no device groups defined.
If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*|
-|**No automated response** | Devices do not get any automated investigations run on them.
***This option is not recommended**, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* |
+|**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.
***This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*
*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.* |
+|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).
Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). |
+|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).
Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folders can include the following examples:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*` |
+|**Semi - require approval for any remediation** | Approval is required for any remediation action. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).
*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*
*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*|
+|**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation.
***This option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)* |
> [!IMPORTANT]
-> Regarding automation levels and default settings:
-> - If your tenant already has device groups defined, the automation level settings are not changed for those device groups.
-> - If your tenant was onboarded to Microsoft Defender ATP *before* August 16, 2020, and you have not defined a device group, your organization's default setting is **Semi - require approval for any remediation**.
-> - If your tenant was onboarded to Microsoft Defender ATP *before* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Semi - require approval for any remediation**.
-> - If your tenant was onboarded to Microsoft Defender ATP *on or after* August 16, 2020, and you have not defined a device group, your orgnaization's default setting is **Full - remediate threats automatically**.
-> - If your tenant was onboarded to Microsoft Defender ATP *on or after* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Full - remediate threats automatically**.
-> - To change an automation level, **[edit your device groups](configure-automated-investigations-remediation.md#set-up-device-groups)**.
-
-
-### A few points to keep in mind
-
-- Your level of automation is determined by your device group settings. See [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
-
-- If your Microsoft Defender ATP tenant was created before August 16, 2020, you have a default device group that is configured for semi-automatic remediation. Any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can configure your device groups to use full automation so that no user approval is needed.
-
-- If your Microsoft Defender ATP tenant was created on or after August 16, 2020, you have a default device group that is configured for full automation. Remediation actions are taken automatically for entities that are considered to be malicious. Remediation actions that were taken can be viewed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center).
+> If your tenant already has device groups defined, then the automation level settings are not changed for those device groups.
## Next steps
- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
-- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
+- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
## See also
-- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
+- [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
-- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
+- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
index c5015477eb..6a3872d1b2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
@@ -1,10 +1,11 @@
---
title: Configure automated investigation and remediation capabilities
-description: Set up your automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
+description: Set up your automated investigation and remediation capabilities in Microsoft Defender for Endpoint.
keywords: configure, setup, automated, investigation, detection, alerts, remediation, response
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -14,20 +15,21 @@ ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.reviewer: ramarom, evaldm, isco, mabraitm
+ms.topic: article
+ms.date: 09/24/2020
+ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
---
-# Configure automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection
+# Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations).
+If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations).
To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
index 5408508e47..d8b5e85940 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
@@ -29,104 +29,104 @@ Endpoint detection and response capabilities in Microsoft Defender ATP for Mac a
## Enable the Insider program with Jamf
-a. Create configuration profile com.microsoft.wdav.plist with the following content:
+1. Create configuration profile com.microsoft.wdav.plist with the following content:
-```XML
-
-
-
-
- edr
-
- earlyPreview
-
-
-
-
-```
+ ```XML
+
+
+
+
+ edr
+
+ earlyPreview
+
+
+
+
+ ```
-b. From the JAMF console, navigate to **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**.
+1. From the JAMF console, navigate to **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**.
-c. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier.
+1. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier.
->[!WARNING]
->You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
+ > [!WARNING]
+ > You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
## Enable the Insider program with Intune
-a. Create configuration profile com.microsoft.wdav.plist with the following content:
+1. Create configuration profile com.microsoft.wdav.plist with the following content:
- ```XML
-
-
-
-
- PayloadUUID
- C4E6A782-0C8D-44AB-A025-EB893987A295
- PayloadType
- Configuration
- PayloadOrganization
- Microsoft
- PayloadIdentifier
- com.microsoft.wdav
- PayloadDisplayName
- Microsoft Defender ATP settings
- PayloadDescription
- Microsoft Defender ATP configuration settings
- PayloadVersion
- 1
- PayloadEnabled
-
- PayloadRemovalDisallowed
-
- PayloadScope
- System
- PayloadContent
-
-
- PayloadUUID
- 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295
- PayloadType
- com.microsoft.wdav
- PayloadOrganization
- Microsoft
- PayloadIdentifier
- com.microsoft.wdav
- PayloadDisplayName
- Microsoft Defender ATP configuration settings
- PayloadDescription
-
- PayloadVersion
- 1
- PayloadEnabled
-
- edr
-
- earlyPreview
-
-
-
-
-
-
-```
+ ```XML
+
+
+
+
+ PayloadUUID
+ C4E6A782-0C8D-44AB-A025-EB893987A295
+ PayloadType
+ Configuration
+ PayloadOrganization
+ Microsoft
+ PayloadIdentifier
+ com.microsoft.wdav
+ PayloadDisplayName
+ Microsoft Defender ATP settings
+ PayloadDescription
+ Microsoft Defender ATP configuration settings
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadContent
+
+
+ PayloadUUID
+ 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295
+ PayloadType
+ com.microsoft.wdav
+ PayloadOrganization
+ Microsoft
+ PayloadIdentifier
+ com.microsoft.wdav
+ PayloadDisplayName
+ Microsoft Defender ATP configuration settings
+ PayloadDescription
+
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ edr
+
+ earlyPreview
+
+
+
+
+
+
+ ```
-b. Open **Manage > Device configuration**. Select **Manage > Profiles > Create Profile**.
+1. Open **Manage > Device configuration**. Select **Manage > Profiles > Create Profile**.
-c. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
+1. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
-d. Save the .plist created earlier as com.microsoft.wdav.xml.
+1. Save the .plist created earlier as com.microsoft.wdav.xml.
-e. Enter com.microsoft.wdav as the custom configuration profile name.
+1. Enter com.microsoft.wdav as the custom configuration profile name.
-f. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1.
+1. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1.
-g. Select **OK**.
+1. Select **OK**.
-h. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
+1. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
->[!WARNING]
->You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
+ > [!WARNING]
+ > You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
## Enable the Insider program manually on a single device
@@ -134,7 +134,7 @@ In terminal, run:
```bash
mdatp --edr --early-preview true
- ```
+```
For versions earlier than 100.78.0, run:
@@ -161,4 +161,4 @@ After a successful deployment and onboarding of the correct version, check that
* Check that you enabled the early preview flag. In terminal run “mdatp –health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
-If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).
+If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
index 1e2be5f01f..e5f5fcad0b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
@@ -41,7 +41,7 @@ Not all properties are filterable.
Get 10 latest Alerts with related Evidence
-```
+```http
HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
```
@@ -147,9 +147,9 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
### Example 2
-Get all the alerts last updated after 2019-10-20 00:00:00
+Get all the alerts last updated after 2019-11-22 00:00:00
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z
```
@@ -205,7 +205,7 @@ HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTi
Get all the devices with 'High' 'RiskScore'
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+eq+'High'
```
@@ -244,7 +244,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+
Get top 100 devices with 'HealthStatus' not equals to 'Active'
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100
```
@@ -283,7 +283,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStat
Get all the devices that last seen after 2018-10-20
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z
```
@@ -322,7 +322,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen g
Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan'
```
@@ -354,7 +354,7 @@ json{
Get the count of open alerts for a specific device:
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved'
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/41627a709700c324849bf7e13510c516.png b/windows/security/threat-protection/microsoft-defender-atp/images/41627a709700c324849bf7e13510c516.png
new file mode 100644
index 0000000000..fd58d3cb11
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/41627a709700c324849bf7e13510c516.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-1.png
new file mode 100644
index 0000000000..a6ff679378
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-2.png
new file mode 100644
index 0000000000..d3e8d67250
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-3.png b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-3.png
new file mode 100644
index 0000000000..0d7aac7dce
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-4.png b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-4.png
new file mode 100644
index 0000000000..ad17cf144e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-5.png b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-5.png
new file mode 100644
index 0000000000..576472cd8c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-5.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/e07f270419f7b1e5ee6744f8b38ddeaf.png b/windows/security/threat-protection/microsoft-defender-atp/images/e07f270419f7b1e5ee6744f8b38ddeaf.png
new file mode 100644
index 0000000000..f5448c34d3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/e07f270419f7b1e5ee6744f8b38ddeaf.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-choose-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-choose-file.png
new file mode 100644
index 0000000000..9fee8307d9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-choose-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-create-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-create-profile.png
new file mode 100644
index 0000000000..dfe09495a2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-create-profile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-final.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-final.png
new file mode 100644
index 0000000000..5529575cbe
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-final.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-profile-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-profile-page.png
new file mode 100644
index 0000000000..80e4d3cc67
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-profile-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-scope.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-scope.png
new file mode 100644
index 0000000000..ccd19095f5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-scope.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file.png
new file mode 100644
index 0000000000..1257677bec
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file2.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file2.png
new file mode 100644
index 0000000000..b2d8d02a63
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure.png b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure.png
new file mode 100644
index 0000000000..a8777a1764
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure2.png b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure2.png
new file mode 100644
index 0000000000..43bc82f7c6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sysext-final.png b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-final.png
new file mode 100644
index 0000000000..c2aa50f3c4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-final.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sysext-new-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-new-profile.png
new file mode 100644
index 0000000000..9912030cb6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-new-profile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sysext-scope.png b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-scope.png
new file mode 100644
index 0000000000..5d9401ae38
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-scope.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tcc-add-entry.png b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-add-entry.png
new file mode 100644
index 0000000000..3c2c23b1f4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-add-entry.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry.png b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry.png
new file mode 100644
index 0000000000..4e69457dcb
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry2.png b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry2.png
new file mode 100644
index 0000000000..54330f800e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/testflight-get.png b/windows/security/threat-protection/microsoft-defender-atp/images/testflight-get.png
new file mode 100644
index 0000000000..5a2af54c14
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/testflight-get.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
new file mode 100644
index 0000000000..95350170ab
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
@@ -0,0 +1,47 @@
+---
+title: Configure Microsoft Defender ATP for iOS features
+ms.reviewer:
+description: Describes how to deploy Microsoft Defender ATP for iOS features
+keywords: microsoft, defender, atp, ios, configure, features, ios
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Configure Microsoft Defender ATP for iOS features
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> **PUBLIC PREVIEW EDITION**
+>
+> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
+>
+> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
+
+
+## Configure custom indicators
+Microsoft Defender ATP for iOS enables admins to configure custom indicators on
+iOS devices as well. Refer to [Manage
+indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators)
+on how to configure custom indicators
+
+## Web Protection
+By default, Microsoft Defender ATP for iOS includes and enables the web
+protection feature. [Web
+protection](web-protection-overview.md) helps
+to secure devices against web threats and protect users from phishing attacks.
+
+>[!NOTE]
+>Microsoft Defender ATP for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-install.md b/windows/security/threat-protection/microsoft-defender-atp/ios-install.md
new file mode 100644
index 0000000000..d4f6077795
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-install.md
@@ -0,0 +1,80 @@
+---
+title: App-based deployment for Microsoft Defender ATP for iOS
+ms.reviewer:
+description: Describes how to deploy Microsoft Defender ATP for iOS using an app
+keywords: microsoft, defender, atp, ios, app, installation, deploy, uninstallation, intune
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# App-based deployment for Microsoft Defender ATP for iOS
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> **PUBLIC PREVIEW EDITION**
+>
+> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
+>
+> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
+
+Microsoft Defender ATP for iOS is currently available as a preview app on TestFlight, Apple's beta testing platform. In GA, it will be available on the Apple App store.
+
+Deployment devices need to be enrolled on Intune Company portal. Refer to
+[Enroll your
+device](https://docs.microsoft.com/mem/intune/enrollment/ios-enroll) to
+learn more about Intune device enrollment
+
+## Before you begin
+
+- Ensure you have access to [Microsoft Endpoint manager admin
+ center](https://go.microsoft.com/fwlink/?linkid=2109431).
+
+- Ensure iOS enrollment is done for your users. Users need to have Microsoft Defender ATP
+ license assigned in order to use Microsoft Defender ATP for iOS. Refer [Assign licenses to
+ users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
+ for instructions on how to assign licenses.
+
+
+## Deployment steps
+
+To install Microsoft Defender ATP for iOS, end-users can visit
+ on their iOS devices. This link will open the
+TestFlight application on their device or prompt them to install TestFlight. On
+the TestFlight app, follow the onscreen instructions to install Microsoft
+Defender ATP.
+
+
+
+
+## Complete onboarding and check status
+
+1. Once Microsoft Defender ATP for iOS has been installed on the device, you
+ will see the app icon.
+
+ 
+
+2. Tap the Microsoft Defender ATP app icon and follow the on-screen
+ instructions to complete the onboarding steps. The details include end-user
+ acceptance of iOS permissions required by Microsoft Defender ATP for iOS.
+
+3. Upon successful onboarding, the device will start showing up on the Devices
+ list in Microsoft Defender Security Center.
+
+ > [!div class="mx-imgBorder"]
+ > 
+
+## Next Steps
+
+[Configure Microsoft Defender ATP for iOS features](ios-configure-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
index daea53aa5e..db852ca545 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
@@ -28,7 +28,8 @@ ms.topic: conceptual
This topic describes how to deploy Microsoft Defender ATP for macOS manually. A successful deployment requires the completion of all of the following steps:
- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
-- [Application installation](#application-installation)
+- [Application installation (macOS 10.15 and older versions)](#application-installation-macos-1015-and-older-versions)
+- [Application installation (macOS 11 and newer versions)](#application-installation-macos-11-and-newer-versions)
- [Client configuration](#client-configuration)
## Prerequisites and system requirements
@@ -48,7 +49,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
5. From a command prompt, verify that you have the two files.
-## Application installation
+## Application installation (macOS 10.15 and older versions)
To complete this process, you must have admin privileges on the device.
@@ -65,7 +66,7 @@ To complete this process, you must have admin privileges on the device.
-3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**:
+3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**:
@@ -77,6 +78,34 @@ To complete this process, you must have admin privileges on the device.
> [!NOTE]
> macOS may request to reboot the device upon the first installation of Microsoft Defender. Real-time protection will not be available until the device is rebooted.
+## Application installation (macOS 11 and newer versions)
+
+To complete this process, you must have admin privileges on the device.
+
+1. Navigate to the downloaded wdav.pkg in Finder and open it.
+
+ 
+
+2. Select **Continue**, agree with the License terms, and enter the password when prompted.
+
+3. At the end of the installation process, you will be promoted to approve the system extensions used by the product. Select **Open Security Preferences**.
+
+ 
+
+4. From the **Security & Privacy** window, select **Allow**.
+
+ 
+
+5. Repeat steps 3 & 4 for all system extensions distributed with Microsoft Defender ATP for Mac.
+
+6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. When prompted to grant Microsoft Defender ATP permissions to filter network traffic, select **Allow**.
+
+ 
+
+7. Open **System Preferences** > **Security & Privacy** and navigate to the **Privacy** tab. Grant **Full Disk Access** permission to **Microsoft Defender ATP** and **Microsoft Defender ATP Endpoint Security Extension**.
+
+ 
+
## Client configuration
1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the device where you deploy Microsoft Defender ATP for macOS.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
index 17f2c90546..d7a00dd754 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
@@ -34,6 +34,7 @@ This topic describes how to deploy Microsoft Defender ATP for Mac through Intune
1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
1. [Client device setup](#client-device-setup)
+1. [Approve system extensions](#approve-system-extensions)
1. [Create System Configuration profiles](#create-system-configuration-profiles)
1. [Publish application](#publish-application)
@@ -48,24 +49,30 @@ The following table summarizes the steps you would need to take to deploy and ma
| Step | Sample file names | BundleIdentifier |
|-|-|-|
| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
+| [Approve System Extension for Microsoft Defender ATP](#approve-system-extensions) | MDATP_SysExt.xml | N/A |
| [Approve Kernel Extension for Microsoft Defender ATP](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A |
| [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc |
+| [Network Extension policy](#create-system-configuration-profiles-step-9) | MDATP_NetExt.xml | N/A |
| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)
**Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
-| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
+| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-10) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Security Center:
1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**.
+
2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**.
3. Select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
+
4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
+
5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
+
6. From a command prompt, verify that you have the three files.
@@ -130,228 +137,116 @@ You do not need any special provisioning for a Mac device beyond a standard [Com
2. Select **Continue** and complete the enrollment.
-You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
+ You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
-
+ > [!div class="mx-imgBorder"]
+ > 
+
+## Approve System Extensions
+
+To approve the system extensions:
+
+1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+
+2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**. Select **Create**.
+
+3. In the `Basics` tab, give a name to this new profile.
+
+4. In the `Configuration settings` tab, add the following entries in the `Allowed system extensions` section:
+
+ Bundle identifier | Team identifier
+ --------------------------|----------------
+ com.microsoft.wdav.epsext | UBF8T346G9
+ com.microsoft.wdav.netext | UBF8T346G9
+
+ > [!div class="mx-imgBorder"]
+ > 
+
+5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
+
+6. Review and create this configuration profile.
## Create System Configuration profiles
1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+
2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
+
3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections.
+
4. Select **OK**.
5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
+
6. Repeat steps 1 through 5 for more profiles.
+
7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
-8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.
+
+8. Download `fulldisk.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) and save it as `tcc.xml`. Create another profile, give it any name and upload this file to it.
> [!CAUTION]
> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
>
- > The following configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile.
+ > This configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile.
- ```xml
-
-
-
-
- PayloadDescription
- Allows Microsoft Defender to access all files on Catalina+
- PayloadDisplayName
- TCC - Microsoft Defender
- PayloadIdentifier
- com.microsoft.wdav.tcc
- PayloadOrganization
- Microsoft Corp.
- PayloadRemovalDisallowed
-
- PayloadScope
- system
- PayloadType
- Configuration
- PayloadUUID
- C234DF2E-DFF6-11E9-B279-001C4299FB44
- PayloadVersion
- 1
- PayloadContent
-
-
- PayloadDescription
- Allows Microsoft Defender to access all files on Catalina+
- PayloadDisplayName
- TCC - Microsoft Defender
- PayloadIdentifier
- com.microsoft.wdav.tcc.C233A5E6-DFF6-11E9-BDAD-001C4299FB44
- PayloadOrganization
- Microsoft Corp.
- PayloadType
- com.apple.TCC.configuration-profile-policy
- PayloadUUID
- C233A5E6-DFF6-11E9-BDAD-001C4299FB44
- PayloadVersion
- 1
- Services
-
- SystemPolicyAllFiles
-
-
- Allowed
-
- CodeRequirement
- identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
- Comment
- Allow SystemPolicyAllFiles control for Microsoft Defender ATP
- Identifier
- com.microsoft.wdav
- IdentifierType
- bundleID
-
-
-
-
-
-
-
- ```
+9. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig), save it as netext.xml and deploy it using the same steps as in the previous sections.
-9. To allow Defender and Auto Update to display notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload:
+10. To allow Defender and Auto Update to display notifications in UI on macOS 10.15 (Catalina), download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) and import it as a custom payload.
- ```xml
-
-
-
-
- PayloadContent
-
-
- NotificationSettings
-
-
- AlertType
- 2
- BadgesEnabled
-
- BundleIdentifier
- com.microsoft.autoupdate2
- CriticalAlertEnabled
-
- GroupingType
- 0
- NotificationsEnabled
-
- ShowInLockScreen
-
- ShowInNotificationCenter
-
- SoundsEnabled
-
-
-
- AlertType
- 2
- BadgesEnabled
-
- BundleIdentifier
- com.microsoft.wdav.tray
- CriticalAlertEnabled
-
- GroupingType
- 0
- NotificationsEnabled
-
- ShowInLockScreen
-
- ShowInNotificationCenter
-
- SoundsEnabled
-
-
-
- PayloadDescription
-
- PayloadDisplayName
- notifications
- PayloadEnabled
-
- PayloadIdentifier
- BB977315-E4CB-4915-90C7-8334C75A7C64
- PayloadOrganization
- Microsoft
- PayloadType
- com.apple.notificationsettings
- PayloadUUID
- BB977315-E4CB-4915-90C7-8334C75A7C64
- PayloadVersion
- 1
-
-
- PayloadDescription
-
- PayloadDisplayName
- mdatp - allow notifications
- PayloadEnabled
-
- PayloadIdentifier
- 85F6805B-0106-4D23-9101-7F1DFD5EA6D6
- PayloadOrganization
- Microsoft
- PayloadRemovalDisallowed
-
- PayloadScope
- System
- PayloadType
- Configuration
- PayloadUUID
- 85F6805B-0106-4D23-9101-7F1DFD5EA6D6
- PayloadVersion
- 1
-
-
- ```
-
-10. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
+11. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
-
+> [!div class="mx-imgBorder"]
+> 
## Publish application
1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**.
+
2. Select **App type=Other/Line-of-business app**.
+
3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
+
4. Select **Configure** and add the required information.
+
5. Use **macOS High Sierra 10.13** as the minimum OS.
+
6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
> [!CAUTION]
> Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated.
>
> If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client device, then uninstall Defender and push the updated policy.
-
- 
+
+ > [!div class="mx-imgBorder"]
+ > 
7. Select **OK** and **Add**.
- 
+ > [!div class="mx-imgBorder"]
+ > 
8. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**.
- 
+ > [!div class="mx-imgBorder"]
+ > 
9. Change **Assignment type** to **Required**.
+
10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
- 
+ > [!div class="mx-imgBorder"]
+ > 
11. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**:
- 
+ > [!div class="mx-imgBorder"]
+ > 
## Verify client device state
@@ -365,7 +260,8 @@ Once the Intune changes are propagated to the enrolled devices, you can see them
3. You should also see the Microsoft Defender icon in the top-right corner:
- 
+ > [!div class="mx-imgBorder"]
+ > 
## Troubleshooting
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md
index 39ec2b13b7..1f4d373697 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md
@@ -48,7 +48,7 @@ Most modern MDM solutions include these features, however, they may call them di
You can deploy Defender without the last requirement from the preceding list, however:
- You will not be able to collect status in a centralized way
-- If you decide to uninstall Defender, you will need to logon to the client device locally as an administrator
+- If you decide to uninstall Defender, you will need to log on to the client device locally as an administrator
## Deployment
@@ -70,13 +70,44 @@ Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be ext
Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case.
Alternatively, it may require you to convert the property list to a different format first.
-Typically, your custom profile has an id, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
+Typically, your custom profile has an ID, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client device, and Defender uses this file for loading the onboarding information.
### Kernel extension policy
Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to allow kernel extensions provided by Microsoft.
+### System extension policy
+
+Set up a system extension policy. Use team identifier **UBF8T346G9** and approve the following bundle identifiers:
+
+- com.microsoft.wdav.epsext
+- com.microsoft.wdav.netext
+
+### Full disk access policy
+
+Grant Full Disk Access to the following components:
+
+- Microsoft Defender ATP
+ - Identifier: `com.microsoft.wdav`
+ - Identifier Type: Bundle ID
+ - Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9
+
+- Microsoft Defender ATP Endpoint Security Extension
+ - Identifier: `com.microsoft.wdav.epsext`
+ - Identifier Type: Bundle ID
+ - Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+
+### Network extension policy
+
+As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
+
+- Filter type: Plugin
+- Plugin bundle identifier: `com.microsoft.wdav`
+- Filter data provider bundle identifier: `com.microsoft.wdav.netext`
+- Filter data provider designated requirement: identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+- Filter sockets: `true`
+
## Check installation status
Run [mdatp](mac-install-with-jamf.md) on a client device to check the onboarding status.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
index 19be21f34f..10411a985d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
@@ -44,9 +44,13 @@ You'll need to take the following steps:
7. [Approve Kernel extension for Microsoft Defender ATP](#step-7-approve-kernel-extension-for-microsoft-defender-atp)
-8. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)
+8. [Approve System extensions for Microsoft Defender ATP](#step-8-approve-system-extensions-for-microsoft-defender-atp)
-9. [Deploy Microsoft Defender ATP for macOS](#step-9-deploy-microsoft-defender-atp-for-macos)
+9. [Configure Network Extension](#step-9-configure-network-extension)
+
+10. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)
+
+11. [Deploy Microsoft Defender ATP for macOS](#step-11-deploy-microsoft-defender-atp-for-macos)
## Step 1: Get the Microsoft Defender ATP onboarding package
@@ -155,106 +159,106 @@ You'll need to take the following steps:
For information, see [Property list for Jamf configuration profile](mac-preferences.md#property-list-for-jamf-configuration-profile).
-```XML
-
-
-
-
- antivirusEngine
-
- enableRealTimeProtection
-
- passiveMode
-
- exclusions
-
-
- $type
- excludedPath
- isDirectory
-
- path
- /var/log/system.log
-
-
- $type
- excludedPath
- isDirectory
-
- path
- /home
-
-
- $type
- excludedFileExtension
- extension
- pdf
-
-
- $type
- excludedFileName
- name
- cat
-
-
- exclusionsMergePolicy
- merge
- allowedThreats
-
- EICAR-Test-File (not a virus)
-
- disallowedThreatActions
-
- allow
- restore
-
- threatTypeSettings
-
-
- key
- potentially_unwanted_application
- value
- block
-
-
- key
- archive_bomb
- value
- audit
-
-
- threatTypeSettingsMergePolicy
- merge
-
- cloudService
-
- enabled
-
- diagnosticLevel
- optional
- automaticSampleSubmission
-
-
- edr
-
- tags
-
-
- key
- GROUP
- value
- ExampleTag
-
-
-
- userInterface
-
- hideStatusMenuIcon
-
-
-
-
-```
+ ```XML
+
+
+
+
+ antivirusEngine
+
+ enableRealTimeProtection
+
+ passiveMode
+
+ exclusions
+
+
+ $type
+ excludedPath
+ isDirectory
+
+ path
+ /var/log/system.log
+
+
+ $type
+ excludedPath
+ isDirectory
+
+ path
+ /home
+
+
+ $type
+ excludedFileExtension
+ extension
+ pdf
+
+
+ $type
+ excludedFileName
+ name
+ cat
+
+
+ exclusionsMergePolicy
+ merge
+ allowedThreats
+
+ EICAR-Test-File (not a virus)
+
+ disallowedThreatActions
+
+ allow
+ restore
+
+ threatTypeSettings
+
+
+ key
+ potentially_unwanted_application
+ value
+ block
+
+
+ key
+ archive_bomb
+ value
+ audit
+
+
+ threatTypeSettingsMergePolicy
+ merge
+
+ cloudService
+
+ enabled
+
+ diagnosticLevel
+ optional
+ automaticSampleSubmission
+
+
+ edr
+
+ tags
+
+
+ key
+ GROUP
+ value
+ ExampleTag
+
+
+
+ userInterface
+
+ hideStatusMenuIcon
+
+
+
+
+ ```
2. Save the file as `MDATP_MDAV_configuration_settings.plist`.
@@ -266,11 +270,12 @@ You'll need to take the following steps:
4. Enter the following details:
**General**
- - Name: MDATP MDAV configuration settings
- - Description:\
- - Category: None (default)
- - Distribution Method: Install Automatically(default)
- - Level: Computer Level(default)
+
+ - Name: MDATP MDAV configuration settings
+ - Description:\
+ - Category: None (default)
+ - Distribution Method: Install Automatically(default)
+ - Level: Computer Level(default)
@@ -336,100 +341,21 @@ You'll need to take the following steps:
These steps are applicable of macOS 10.15 (Catalina) or newer.
-1. Use the following Microsoft Defender ATP notification configuration settings:
+1. Download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig)
-```xml
-
-
-
- PayloadContent
-
-
- NotificationSettings
-
-
- AlertType
- 2
- BadgesEnabled
-
- BundleIdentifier
- com.microsoft.autoupdate2
- CriticalAlertEnabled
- GroupingType
- 0
- NotificationsEnabled
-
- ShowInLockScreen
-
- ShowInNotificationCenter
-
- SoundsEnabled
-
-
-
- AlertType
- 2BadgesEnabled
- BundleIdentifier
- com.microsoft.wdav.tray
- CriticalAlertEnabled
- GroupingType
- 0
- NotificationsEnabled
- ShowInLockScreen
- ShowInNotificationCenter
- SoundsEnabled
-
-
-
- PayloadDescription
- PayloadDisplayName
- notifications
- PayloadEnabled
- PayloadIdentifier
- BB977315-E4CB-4915-90C7-8334C75A7C64
- PayloadOrganization
- Microsoft
- PayloadType
- com.apple.notificationsettings
- PayloadUUID
- BB977315-E4CB-4915-90C7-8334C75A7C64
- PayloadVersion
- 1
-
-
- PayloadDescription
- PayloadDisplayName
- mdatp - allow notifications
- PayloadEnabled
- PayloadIdentifier
- 85F6805B-0106-4D23-9101-7F1DFD5EA6D6
- PayloadOrganization
- Microsoft
- PayloadRemovalDisallowed
- PayloadScope
- System
- PayloadType
- Configuration
- PayloadUUID
- 85F6805B-0106-4D23-9101-7F1DFD5EA6D6
- PayloadVersion
- 1
-
-
- ```
-
-2. Save it as `MDATP_MDAV_notification_settings.plist`.
+2. Save it as `MDATP_MDAV_notification_settings.plist`.
3. In the Jamf Pro dashboard, select **General**.
4. Enter the following details:
**General**
- - Name: MDATP MDAV Notification settings
- - Description: macOS 10.15 (Catalina) or newer
- - Category: None (default)
- - Distribution Method: Install Automatically(default)
- - Level: Computer Level(default)
+
+ - Name: MDATP MDAV Notification settings
+ - Description: macOS 10.15 (Catalina) or newer
+ - Category: None (default)
+ - Distribution Method: Install Automatically(default)
+ - Level: Computer Level(default)
@@ -475,11 +401,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
1. Use the following Microsoft Defender ATP configuration settings:
-```XML
-
-
-
-
+ ```XML
+
+
+
+
ChannelName
Production
HowToCheck
@@ -490,9 +416,9 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
SendAllTelemetryEnabled
-
-
-```
+
+
+ ```
2. Save it as `MDATP_MDAV_MAU_settings.plist`.
@@ -503,11 +429,12 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
4. Enter the following details:
**General**
- - Name: MDATP MDAV MAU settings
- - Description: Microsoft AutoUpdate settings for MDATP for macOS
- - Category: None (default)
- - Distribution Method: Install Automatically(default)
- - Level: Computer Level(default)
+
+ - Name: MDATP MDAV MAU settings
+ - Description: Microsoft AutoUpdate settings for MDATP for macOS
+ - Category: None (default)
+ - Distribution Method: Install Automatically(default)
+ - Level: Computer Level(default)
5. In **Application & Custom Settings** select **Configure**.
@@ -582,10 +509,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Identifier: `com.microsoft.wdav`
- Identifier Type: Bundle ID
- - Code Requirement: identifier `com.microsoft.wdav` and anchor apple generic and
-certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate
-leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate
-leaf[subject.OU] = UBF8T346G9
+ - Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9
@@ -594,32 +518,53 @@ leaf[subject.OU] = UBF8T346G9
+ - Under App or service: Set to **SystemPolicyAllFiles**
- - Under App or service: Set to **SystemPolicyAllFiles**
-
- - Under "access": Set to **Allow**
+ - Under "access": Set to **Allow**
7. Select **Save** (not the one at the bottom right).
-8. Select the **Scope** tab.
+8. Click the `+` sign next to **App Access** to add a new entry.
+
+ 
+
+9. Enter the following details:
+
+ - Identifier: `com.microsoft.wdav.epsext`
+ - Identifier Type: Bundle ID
+ - Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+
+10. Select **+ Add**.
+
+ 
+
+ - Under App or service: Set to **SystemPolicyAllFiles**
+
+ - Under "access": Set to **Allow**
+
+11. Select **Save** (not the one at the bottom right).
+
+ 
+
+12. Select the **Scope** tab.
- 9. Select **+ Add**.
+13. Select **+ Add**.
-10. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**.
+14. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**.
-11. Select **Add**.
+15. Select **Add**.
-12. Select **Save**.
+16. Select **Save**.
-13. Select **Done**.
+17. Select **Done**.
@@ -635,11 +580,12 @@ leaf[subject.OU] = UBF8T346G9
2. Enter the following details:
**General**
- - Name: MDATP MDAV Kernel Extension
- - Description: MDATP kernel extension (kext)
- - Category: None
- - Distribution Method: Install Automatically
- - Level: Computer Level
+
+ - Name: MDATP MDAV Kernel Extension
+ - Description: MDATP kernel extension (kext)
+ - Category: None
+ - Distribution Method: Install Automatically
+ - Level: Computer Level
@@ -648,11 +594,10 @@ leaf[subject.OU] = UBF8T346G9
-
4. In **Approved Kernel Extensions** Enter the following details:
- - Display Name: Microsoft Corp.
- - Team ID: UBF8T346G9
+ - Display Name: Microsoft Corp.
+ - Team ID: UBF8T346G9
@@ -677,10 +622,119 @@ leaf[subject.OU] = UBF8T346G9
-## Step 8: Schedule scans with Microsoft Defender ATP for Mac
+## Step 8: Approve System extensions for Microsoft Defender ATP
+
+1. In the **Configuration Profiles**, select **+ New**.
+
+ 
+
+2. Enter the following details:
+
+ **General**
+
+ - Name: MDATP MDAV System Extensions
+ - Description: MDATP system extensions
+ - Category: None
+ - Distribution Method: Install Automatically
+ - Level: Computer Level
+
+ 
+
+3. In **System Extensions** select **Configure**.
+
+ 
+
+4. In **System Extensions** enter the following details:
+
+ - Display Name: Microsoft Corp. System Extensions
+ - System Extension Types: Allowed System Extensions
+ - Team Identifier: UBF8T346G9
+ - Allowed System Extensions:
+ - **com.microsoft.wdav.epsext**
+ - **com.microsoft.wdav.netext**
+
+ 
+
+5. Select the **Scope** tab.
+
+ 
+
+6. Select **+ Add**.
+
+7. Select **Computer Groups** > under **Group Name** > select **Contoso's Machine Group**.
+
+8. Select **+ Add**.
+
+ 
+
+9. Select **Save**.
+
+ 
+
+10. Select **Done**.
+
+ 
+
+## Step 9: Configure Network Extension
+
+As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
+
+>[!NOTE]
+>JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed.
+>As such, the following steps provide a workaround that involve signing the configuration profile.
+
+1. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig) to your device and save it as `com.microsoft.network-extension.mobileconfig`
+
+2. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMF’s built-in certificate authority
+
+3. After the certificate is created and installed to your device, run the following command from the Terminal from a macOS device:
+
+ ```bash
+ $ security cms -S -N "" -i com.microsoft.network-extension.mobileconfig -o com.microsoft.network-extension.signed.mobileconfig
+ ```
+
+ 
+
+4. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button.
+
+ 
+
+5. Select **Choose File** and select `microsoft.network-extension.signed.mobileconfig`.
+
+ 
+
+6. Select **Upload**.
+
+ 
+
+7. After uploading the file, you are redirected to a new page to finalize the creation of this profile.
+
+ 
+
+8. Select the **Scope** tab.
+
+ 
+
+9. Select **+ Add**.
+
+10. Select **Computer Groups** > under **Group Name** > select **Contoso's Machine Group**.
+
+11. Select **+ Add**.
+
+ 
+
+12. Select **Save**.
+
+ 
+
+13. Select **Done**.
+
+ 
+
+## Step 10: Schedule scans with Microsoft Defender ATP for Mac
Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp).
-## Step 9: Deploy Microsoft Defender ATP for macOS
+## Step 11: Deploy Microsoft Defender ATP for macOS
1. Navigate to where you saved `wdav.pkg`.
@@ -729,10 +783,12 @@ Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](
9. Select **Save**. The package is uploaded to Jamf Pro.
- 
- It can take a few minutes for the package to be available for deployment.
- 
+ 
+
+ It can take a few minutes for the package to be available for deployment.
+
+ 
10. Navigate to the **Policies** page.
@@ -765,25 +821,31 @@ Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](
17. Select **Save**.
+
-18. Select the **Scope** tab.
+18. Select the **Scope** tab.
+
19. Select the target computers.
- **Scope**
+ **Scope**
+
Select **Add**.
+
- **Self-Service**
+ **Self-Service**
+
20. Select **Done**.
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
index 186304dde5..a85c712b92 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
@@ -31,7 +31,7 @@ ms.topic: conceptual
## Summary
-In enterprise organizations, Microsoft Defender ATP for Mac can be managed through a configuration profile that is deployed by using one of several management tools. Preferences that are managed by your security operations team take precedence over preferences that are set locally on the device. Users in your organization are not able to change preferences that are set through the configuration profile.
+In enterprise organizations, Microsoft Defender ATP for Mac can be managed through a configuration profile that is deployed by using one of several management tools. Preferences that are managed by your security operations team take precedence over preferences that are set locally on the device. Changing the preferences that are set through the configuration profile requires escalated privileges and is not available for users without administrative permissions.
This article describes the structure of the configuration profile, includes a recommended profile that you can use to get started, and provides instructions on how to deploy the profile.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index 1284f53db5..7748721340 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -41,6 +41,12 @@ ms.topic: conceptual
> 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md).
> 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update.
+## 101.09.49
+
+- User interface improvements to differentiate exclusions that are managed by the IT administrator versus exclusions defined by the local user
+- Improved CPU utilization during on-demand scans
+- Performance improvements & bug fixes
+
## 101.07.23
- Added new fields to the output of `mdatp --health` for checking the status of passive mode and the EDR group ID
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index 074b8fc31f..e2bb55c2a6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -41,6 +41,7 @@ Method|Return Type |Description
[Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine.
[Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP.
[Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID
+[Set device value](set-device-value.md)| [machine](machine.md) collection | Set the value of a device, See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md).
## Properties
@@ -63,3 +64,5 @@ exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evalu
aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is Aad Joined).
machineTags | String collection | Set of [machine](machine.md) tags.
exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
+deviceValue | Nullable Enum | The value of the device, See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md). Possible values are: 'Normal', 'Low' and 'High'.
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
index c82a60cb3c..ed5256954e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
@@ -32,9 +32,9 @@ ms.topic: conceptual
The public preview of Microsoft Defender ATP for iOS will offer protection
-against phishing and unsafe network connections from websites, emails and apps.
+against phishing and unsafe network connections from websites, emails, and apps.
All alerts will be available through a single pane of glass in the Microsoft
-Defender Security Center, giving security teams a centralized view of threats on
+Defender Security Center. The portal gives security teams a centralized view of threats on
iOS devices along with other platforms.
## Pre-requisites
@@ -72,4 +72,5 @@ iOS devices along with other platforms.
## Next steps
-Microsoft Defender for Endpoint capabilities for iOS will be released into public preview in the coming weeks. At that time, we will publish additional deployment and configuration information. Please check back here in a few weeks.
+- [Deploy Microsoft Defender ATP for iOS](ios-install.md)
+- [Configure Microsoft Defender ATP for iOS features](ios-configure-features.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index 546cc62c58..d934a67ccf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -107,13 +107,12 @@ The hardware requirements for Microsoft Defender ATP on devices are the same for
### Other supported operating systems
- Android
-- Linux (currently, Microsoft Defender ATP is only available in the Public Preview Edition for Linux)
+- Linux
- macOS
> [!NOTE]
> You'll need to know the exact Linux distributions and versions of Android and macOS that are compatible with Microsoft Defender ATP for the integration to work.
->
-> Also note that Microsoft Defender ATP is currently only available in the Public Preview Edition for Linux.
+
### Network and data storage and configuration requirements
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index 3e747e8768..e67120d349 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -51,13 +51,12 @@ Turn on the preview experience setting to be among the first to try upcoming fea
The following features are included in the preview release:
- [Microsoft Defender ATP for iOS](microsoft-defender-atp-ios.md)
Microsoft Defender ATP now adds support for iOS. Learn how to install, configure, and use Microsoft Defender ATP for iOS.
+
- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
Microsoft Defender ATP now adds support for Android. Learn how to install, configure, and use Microsoft Defender ATP for Android.
- - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019.
+- [Web Content Filtering](web-content-filtering.md)
Web content filtering is part of web protection capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
-- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
You can now see a comprehensive set of details on the vulnerabilities found in your device to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
-
- - [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
+ - [Threat and vulnerability management supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019.
- [Device health and compliance report](machine-reports.md)
The device health and compliance report provides high-level information about the devices in your organization.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
new file mode 100644
index 0000000000..65012f7ca0
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
@@ -0,0 +1,78 @@
+---
+title: Set device value API
+description: Learn how to specify the value of a device using a Microsoft Defender Advanced Threat Protection API.
+keywords: apis, graph api, supported apis, tags, machine tags
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Set device value API
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+## API description
+
+Set the device value of a specific [Machine](machine.md).
+See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md) for more information.
+
+## Limitations
+
+1. You can post on devices last seen according to your configured retention period.
+
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>
+>- The user needs to have at least the following role permission: 'Manage security setting'. For more (See [Create and manage roles](user-roles.md) for more information)
+>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
+
+## HTTP request
+
+```http
+POST https://api.securitycenter.microsoft.com/api/machines/{machineId}/setDeviceValue
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+
+```json
+{
+ "DeviceValue": "{device value}"
+}
+```
+
+## Response
+
+If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index 9e981319a8..85d599cd64 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -57,6 +57,8 @@ DeviceName=any(DeviceName) by DeviceId, AlertId
Defining a device’s value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation. Devices marked as “high value” will receive more weight.
+You can also use the [set device value API](set-device-value.md).
+
Device value options:
- Low
@@ -82,6 +84,7 @@ Examples of devices that should be marked as high value:
3. A flyout will appear with the current device value and what it means. Review the value of the device and choose the one that best fits your device.
+
## Related topics
- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
index 21348865a8..4dd4166246 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
@@ -21,22 +21,23 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+> [!IMPORTANT]
+> **Web content filtering is currently in public preview**
+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
+> For more information, see [Microsoft Defender ATP preview features](preview.md).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
Web content filtering is part of [Web protection](web-protection-overview.md) capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
-You can configure policies across your device groups to block certain categories, effectively preventing users within specified device groups from accessing URLs that are associated with the category. For any category that's not blocked, they are automatically audited. That means your users will be able to access the URLs without disruption, and you will continue to gather access statistics to help create a more custom policy decision. If an element on the page you’re viewing is making calls to a resource that is blocked, your users will see a block notification.
+Configure policies across your device groups to block certain categories. Blocking a category prevents users within specified device groups from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited. Your users can access the URLs without disruption, and you'll gather access statistics to help create a more custom policy decision. Your users will see a block notification if an element on the page they're viewing is making calls to a blocked resource.
Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome and Firefox). For more information about browser support, see the prerequisites section.
Summarizing the benefits:
- Users are prevented from accessing websites in blocked categories, whether they're browsing on-premises or away
-- Conveniently deploy varied policies to various sets of users using the device groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
+- Conveniently deploy policies to groups of users using device groups defined in [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
- Access web reports in the same central location, with visibility over actual blocks and web usage
## User experience
@@ -47,17 +48,17 @@ For a more user-friendly in-browser experience, consider using Microsoft Edge.
## Prerequisites
-Before trying out this feature, make sure you have the following:
+Before trying out this feature, make sure you have the following requirements:
- Windows 10 Enterprise E5 license OR Microsoft 365 E3 + Microsoft 365 E5 Security add-on.
- Access to Microsoft Defender Security Center portal
- Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update.
-If Windows Defender SmartScreen is not turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device.
+If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device.
## Data handling
-For this feature, we will follow whichever region you have elected to use as part of your [Microsoft Defender ATP data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds.
+We will follow whichever region you have elected to use as part of your [Microsoft Defender ATP data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds.
## Turn on web content filtering
@@ -84,33 +85,30 @@ Tip: You can deploy a policy without selecting any category on a device group. T
>[!NOTE]
>If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment.
+>[!IMPORTANT]
+>Blocking the "Uncategorized" category may lead to unexpected and undesired results.
+
### Allow specific websites
-It is possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it is applied to the device group in question.
+It's possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it's applied to the device group in question.
1. Create a custom indicator in the Microsoft Defender Security Center by going to **Settings** > **Indicators** > **URL/Domain** > **Add Item**
2. Enter the domain of the site
3. Set the policy action to **Allow**.
-## Web content filtering
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
- cards and details
+## Web content filtering cards and details
Select **Reports > Web protection** to view cards with information about web content filtering and web threat protection. The following cards provide summary information about web content filtering.
### Web activity by category
-This card lists the parent web content categories with the largest percentage change in the number of access attempts, whether they have increased or decreased. You can use this card to understand drastic changes in web activity patterns in your organization from last 30 days, 3 months, or 6 months. Select a category name to view more information about that particular category.
+This card lists the parent web content categories with the largest increase or decrease in the number of access attempts. Understand drastic changes in web activity patterns in your organization from last 30 days, 3 months, or 6 months. Select a category name to view more information.
-In the first 30 days of using this feature, your organization might not have sufficient data to display in this card.
+In the first 30 days of using this feature, your organization might not have enough data to display this information.
-### Web content filtering
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
- summary card
+### Web content filtering summary card
This card displays the distribution of blocked access attempts across the different parent web content categories. Select one of the colored bars to view more information about a specific parent web category.
@@ -140,9 +138,9 @@ Use the time range filter at the top left of the page to select a time period. Y
### Limitations and known issues in this preview
-- Only Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). This is because Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across Chrome/Firefox.
+- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across Chrome/Firefox.
-- Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices in the interim before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts.
+- Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts.
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
index 3956891c0c..263e076dda 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
author: dansimp
ms.localizationpriority: medium
-ms.date: 1/26/2018
+ms.date: 09/28/2020
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -78,7 +78,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
## MDM settings
If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices.
-For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer).
+For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
| Setting |
@@ -220,5 +220,3 @@ To better help you protect your organization, we recommend turning on and using
- [Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies)
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index da3aea58e5..58051a41aa 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -24,8 +24,7 @@ Learn about an approach to collect events from devices in your organization. Thi
Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server.
-To accomplish this, there are two different of subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The
-Suspect subscription collects additional events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations.
+To accomplish this, there are two different subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The Suspect subscription collects additional events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations.
This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices with online analytical capability, such as Security Event Manager (SEM), while also sending events to a MapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect subscription are sent directly to a MapReduce system due to volume and lower signal/noise ratio, they are largely used for host forensic analysis.
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index a7254e397b..7ec755da77 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -25,7 +25,7 @@ ms.date: 10/30/2019
Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications as well as Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows 10 in S mode devices.
-With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from “every app is Microsoft-verified" to “every app is verified by Microsoft or your organization”.
+With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from "every app is Microsoft-verified" to "every app is verified by Microsoft or your organization".
Refer to the below video for an overview and brief demo.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mlcp]
@@ -57,7 +57,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de
```powershell
Set-RuleOption -FilePath "\SupplementalPolicy.xml>" -Option 3 –Delete
```
- This deletes the ‘audit mode’ qualifier.
+ This deletes the 'audit mode' qualifier.
- Since you'll be signing your policy, you must authorize the signing certificate you will use to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. For more information, refer to Section 2, Sign policy. Use Add-SignerRule to add the signing certificate to the WDAC policy:
```powershell
@@ -88,9 +88,9 @@ Refer to [Intune Standalone - Win32 app management](https://docs.microsoft.com/i
## Optional: Process for Deploying Apps using Catalogs
-Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don’t want to allow as well.
+Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don't want to allow as well.
-Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don’t want to trust all apps that may share the same signing certificate.
+Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate.
The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using the DGSS or a custom PKI. Use the Add-SignerRule PowerShell cmdlet as shown above to authorize the catalog signing certificate in the supplemental policy. After that, IT Pros can use the standard Intune app deployment process outlined above. Refer to [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md) for more in-depth guidance on generating catalogs.
@@ -184,8 +184,6 @@ Below is a sample policy that allows kernel debuggers, PowerShell ISE, and Regis
In order to revert users to an unmodified S mode policy, an IT Pro can remove a user or users from the targeted Intune group which received the policy, which will trigger a removal of both the policy and the authorization token from the device.
IT Pros also have the choice of deleting a supplemental policy through Intune.
-> [!Note]
-> This feature currently has a known bug which occurs when an S mode supplemental policy is deleted through Intune, in which the policy is not immediately removed from the devices to which it was deployed. A fix is expected in the 2D update in late February 2020. In the meantime, IT Pros are recommended to update their policy with the below 'empty' policy which makes no changes to S mode.
```xml
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
index 7fac37b115..f076b612e7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
@@ -1,7 +1,7 @@
---
title: WDAC and AppLocker Overview
description: Compare Windows application control technologies.
-keywords: security, malware
+keywords: security, malware, allow-list, block-list
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
@@ -14,7 +14,7 @@ author: denisebmsft
ms.reviewer: isbrahm
ms.author: deniseb
manager: dansimp
-ms.date: 04/15/2020
+ms.date: 09/30/2020
ms.custom: asr
---
@@ -29,58 +29,48 @@ Windows 10 includes two technologies that can be used for application control de
## Windows Defender Application Control
-WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC).
-
-> [!NOTE]
-> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies.
+WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC).
WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on:
-- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
-- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
-- The reputation of the app as determined by Microsoft's Intelligent Security Graph;
-- The identity of the process that initiated the installation of the app and its binaries (managed installer);
-- The path from which the app or file is launched (beginning with Windows 10 version 1903);
-- The process that launched the app or binary.
+- Attributes of the codesigning certificate(s) used to sign an app and its binaries
+- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
+- The reputation of the app as determined by Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md)
+- The identity of the process that initiated the installation of the app and its binaries ([managed installer](use-windows-defender-application-control-with-managed-installer.md))
+- The [path from which the app or file is launched](select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903)
+- The process that launched the app or binary
+
+Note that prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features which comprised the now-defunct term 'Device Guard'.
### WDAC System Requirements
-WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
-WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
+WDAC policies can only be created on devices running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
+
+WDAC policies can be applied to devices running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10.
## AppLocker
-AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are allowed to run on their Windows clients. AppLocker provides security value as a defense in depth feature and helps end users avoid running unapproved software on their computers.
+AppLocker was introduced with Windows 7 and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end users from running unapproved software on their computers, but it does not meet the servicing criteria for being a security feature.
AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on:
-- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
-- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
-- The path from which the app or file is launched (beginning with Windows 10 version 1903).
+- Attributes of the codesigning certificate(s) used to sign an app and its binaries
+- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
+- The path from which the app or file is launched
### AppLocker System Requirements
-AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
+AppLocker policies can only be configured on and applied to devices that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
AppLocker policies can be deployed using Group Policy or MDM.
## Choose when to use WDAC or AppLocker
-Although either AppLocker or WDAC can be used to control application execution on Windows 10 clients, the following factors can help you decide when to use each of the technologies.
+Generally, it is recommended that customers who are able to implement application control using WDAC rather than AppLocker do so. WDAC is undergoing continual improvements and will be getting added support from Microsoft management platforms. AppLocker is a legacy technology which will continue to receive security fixes but will not undergo new feature improvements.
-### WDAC is best when:
-
-- You are adopting application control primarily for security reasons.
-- Your application control policy can be applied to all users on the managed computers.
-- All of the devices you wish to manage are running Windows 10.
-
-### AppLocker is best when:
+In some cases, however, AppLocker may be the more appropriate technology for your organization. AppLocker is best when:
- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
-- You need to apply different policies for different users or groups on a shared computer.
-- You are using application control to help users avoid running unapproved software, but you do not require a solution designed as a security feature.
-- You do not wish to enforce application control on application files such as DLLs or drivers.
+- You need to apply different policies for different users or groups on shared computers.
-## When to use both WDAC and AppLocker together
-
-AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps.
-As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
+AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where it is important to prevent some users from running specific apps.
+As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions.
diff --git a/windows/security/threat-protection/windows-defender-security-center/oldTOC.md b/windows/security/threat-protection/windows-defender-security-center/oldTOC.md
deleted file mode 100644
index b2b028118b..0000000000
--- a/windows/security/threat-protection/windows-defender-security-center/oldTOC.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-ms.author: dansimp
-author: dansimp
-ms.prod: w10
-title: The Microsoft Defender Security Center app
----
-
-# [The Microsoft Defender Security Center app](windows-defender-security-center.md)
-
-## [Customize the Microsoft Defender Security Center app for your organization](wdsc-customize-contact-information.md)
-## [Hide Microsoft Defender Security Center app notifications](wdsc-hide-notifications.md)
-## [Manage Microsoft Defender Security Center in Windows 10 in S mode](wdsc-windows-10-in-s-mode.md)
-## [Virus and threat protection](wdsc-virus-threat-protection.md)
-## [Account protection](wdsc-account-protection.md)
-## [Firewall and network protection](wdsc-firewall-network-protection.md)
-## [App and browser control](wdsc-app-browser-control.md)
-## [Device security](wdsc-device-security.md)
-## [Device performance and health](wdsc-device-performance-health.md)
-## [Family options](wdsc-family-options.md)
-
-
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
index d6b2ed3cde..98fe19379f 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
@@ -86,7 +86,7 @@ The following table identifies and defines terms used throughout this guide.
| Certificate-based isolation | A way to add devices that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every device in the isolated domain and the devices that cannot use Kerberos V5 are provided with a device certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).|
| Domain isolation | A technique for helping protect the devices in an organization by requiring that the devices authenticate each other's identity before exchanging information, and refusing connection requests from devices that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table.|
| Encryption zone | A subset of the devices in an isolated domain that process sensitive data. Devices that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Devices that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.|
-| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. |
+| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. |
| Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).|
| IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.|
| Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.|
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 27fc2277eb..314e4d3826 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -130,7 +130,6 @@ General battery life and power efficiency improvements for PCs with certain proc
[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
[What Windows 10, version 1909 Means for Developers](https://blogs.windows.com/windowsdeveloper/2019/10/16/what-windows-10-version-1909-means-for-developers/): New and updated features in Windows 10 that are of interest to developers.
-[What's new in Windows 10, version 1909 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-1909): This list also includes consumer focused new features.
[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
[Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
[How to get the Windows 10 November 2019 Update](https://aka.ms/how-to-get-1909): John Cable blog.
- 
- 
- 
- 
- 
- 
