diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index aaf6321d69..11bad4b893 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -857,12 +857,12 @@
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md",
- "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md",
- "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-exploit-guard",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection",
 "redirect_document_id": true
 },
 {
@@ -1210,11 +1210,6 @@
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction",
 "redirect_document_id": true
 },
- {
- "source_path": "windows/security/threat-protection/windows-defender-atp/configuration-score.md",
- "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
- "redirect_document_id": false
- },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access",
@@ -1435,16 +1430,6 @@
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators",
 "redirect_document_id": false
 },
- {
- "source_path": "windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md",
- "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md",
- "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices",
- "redirect_document_id": true
- },
 {
 "source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection",
@@ -1795,6 +1780,21 @@
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation",
 "redirect_document_id": true
 },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection",
+ "redirect_document_id": true
+ },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score",
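Review bot: The three entries re-added in this hunk redirect to pages that are themselves redirect sources in this same file — the first entry's target `windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection` is the `source_path` of the second entry, and that one's target `microsoft-defender-atp/secure-score-dashboard` appears as a `source_path` in the `@@ -1805` hunk — so `security-analytics-dashboard-...md` resolves only after several hops. These entries look moved rather than rewritten, so the chain is probably pre-existing, but the move is the right moment to point each `redirect_url` at the final page and to leave `"redirect_document_id": true` on only one source per final target. Redirect chains also make it harder to audit which legacy security-doc URLs actually land where.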
@@ -1805,11 +1805,26 @@
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
 "redirect_document_id": true
 },
+ {
+ "source_path": "windows/security/threat-protection/microsoft-defender-atp/configuration-score.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices",
+ "redirect_document_id": true
+ },
 {
 "source_path": "windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-atp/configuration-score.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/partner-applications.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/partner-applications",
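Review bot: The new entry for `microsoft-defender-atp/configuration-score.md` makes `.../microsoft-defender-atp/configuration-score` both a redirect target and a redirect source, so the three entries in this hunk that still point at it (the entry whose tail is the first context lines, `secure-score-dashboard.md`, and the re-added `windows-defender-atp/configuration-score.md`) now resolve through a two-hop chain. Retargeting them directly, `"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices"`, avoids the chain and stops the `"redirect_document_id": true` on the first context entry from cascading through an intermediate source that also claims `true`. Separately, `enable-secure-score.md` is re-added here with `"redirect_document_id": false` while the entry removed in the `@@ -1435` hunk had `true`; if that flip is deliberate (presumably so only one source claims the tvm page's document id) it deserves a mention in the commit message, otherwise it should be restored to `true`.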
@@ -1834,6 +1849,11 @@
 "source_path": "windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports",
 "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-atp/powerbi-reports.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi",
+ "redirect_document_id": true
 },
 {
 "source_path": "windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md",
@@ -1980,16 +2000,6 @@
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test",
 "redirect_document_id": true
 },
- {
- "source_path": "windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md",
- "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md",
- "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard",
- "redirect_document_id": true
- },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection",
diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml
index f55040beb3..8fb16843d8 100644
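Review bot: The added `windows-defender-atp/powerbi-reports.md` entry turns `.../microsoft-defender-atp/powerbi-reports` into a redirect source, while the context entry directly above it still sends `powerbi-reports-windows-defender-advanced-threat-protection.md` to that same `.../microsoft-defender-atp/powerbi-reports` URL, so the older path now resolves through a two-hop chain. Consider pointing the older entry at the final page too: `"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi"`. Both entries carry `"redirect_document_id": true`; if the document id is meant to follow the chain to `api-power-bi`, only one of the two sources should presumably claim it.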
--- a/browsers/edge/group-policies/index.yml
+++ b/browsers/edge/group-policies/index.yml
@@ -1,229 +1,80 @@ -### YamlMime:YamlDocument +### YamlMime:Landing -documentType: LandingData - -title: Microsoft Edge Legacy group policies +title: Microsoft Edge Legacy group policies # < 60 chars +summary: Microsoft Edge Legacy works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. # < 160 chars metadata: - - title: Microsoft Edge Legacy group policies - - description: Learn how to configure group policies in Microsoft Edge Legacy on Windows 10. - - text: Some of the features in Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. (To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) - + title: Microsoft Edge Legacy # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # Required; article description that is displayed in search results. < 160 chars. keywords: Microsoft Edge Legacy, Windows 10, Windows 10 Mobile - ms.localizationpriority: medium - + ms.prod: edge author: shortpatti - ms.author: pashort - - ms.date: 10/02/2018 - - ms.topic: article - + ms.topic: landing-page ms.devlang: na - -sections: - -- title: - -- items: - - - type: markdown - - text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) 
Microsoft Edge Legacy works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. - -- items: - - - type: list - - style: cards - - className: cardsE - - columns: 3 - - items: - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/address-bar-settings-gp - - html:

Learn how you can configure Microsoft Edge to show search suggestions in the address bar.

- - image: - - src: https://docs.microsoft.com/media/common/i_http.svg - - title: Address bar - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/adobe-settings-gp - - html:

Learn how you can configure Microsoft Edge to load Adobe Flash content automatically.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Adobe Flash - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/books-library-management-gp - - html:

Learn how you can set up and use the books library, such as using a shared books folder for students and teachers.

- - image: - - src: https://docs.microsoft.com/media/common/i_library.svg - - title: Books Library - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/browser-settings-management-gp - - html:

Learn how you can customize the browser settings, such as printing and saving browsing history, plus more.

- - image: - - src: https://docs.microsoft.com/media/common/i_management.svg - - title: Browser experience - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/developer-settings-gp - - html:

Learn how to configure Microsoft Edge for development and testing.

- - image: - - src: https://docs.microsoft.com/media/common/i_config-tools.svg - - title: Developer tools - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/extensions-management-gp - - html:

Learn how you can configure Microsoft Edge to either prevent or allow users to install and run unverified extensions.

- - image: - - src: https://docs.microsoft.com/media/common/i_extensions.svg - - title: Extensions - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/favorites-management-gp - - html:

Learn how you can provision a standard favorites list as well as keep the favorites lists in sync between IE11 and Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_link.svg - - title: Favorites - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/home-button-gp - - html:

Learn how you can customize the home button or hide it.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Home button - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp - - html:

Learn how you use Microsoft Edge and Internet Explorer together for a full browsing experience.

- - image: - - src: https://docs.microsoft.com/media/common/i_management.svg - - title: Interoperability and enterprise guidance - - - href: https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy - - html:

Learn how Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices.

- - image: - - src: https://docs.microsoft.com/media/common/i_categorize.svg - - title: Kiosk mode deployment in Microsoft Edge - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/new-tab-page-settings-gp - - html:

Learn how to configure the New Tab page in Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: New Tab page - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/prelaunch-preload-gp - - html:

Learn how pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Prelaunch Microsoft Edge and preload tabs - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/search-engine-customization-gp - - html:

Learn how you can set the default search engine and configure additional ones.

- - image: - - src: https://docs.microsoft.com/media/common/i_search.svg - - title: Search engine customization - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/security-privacy-management-gp - - html:

Learn how you can keep your environment and users safe from attacks.

- - image: - - src: https://docs.microsoft.com/media/common/i_security-management.svg - - title: Security and privacy - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/start-pages-gp - - html:

Learn how to configure the Start pages in Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Start page - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/sync-browser-settings-gp - - html:

Learn how to you can prevent the "browser" group from syncing and prevent users from turning on the Sync your Settings toggle.

- - image: - - src: https://docs.microsoft.com/media/common/i_sync.svg - - title: Sync browser - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/telemetry-management-gp - - html:

Learn how you can configure Microsoft Edge to collect certain data.

- - image: - - src: https://docs.microsoft.com/media/common/i_data-collection.svg - - title: Telemetry and data collection - - - href: https://docs.microsoft.com/microsoft-edge/deploy/available-policies - - html:

View all available group policies for Microsoft Edge on Windows 10.

- - image: - - src: https://docs.microsoft.com/media/common/i_policy.svg - - title: All group policies + ms.date: 08/28/2020 #Required; mm/dd/yyyy format. + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: What's new + linkLists: + - linkListType: whats-new + links: + - text: Documentation for Microsoft Edge version 77 or later + url: https://docs.microsoft.com/DeployEdge/ + - text: Microsoft Edge Legacy desktop app will reach end of support on March 9, 2021 + url: https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666 + + # Card (optional) + - title: Group policies configure guidance part 1 + linkLists: + - linkListType: reference + links: + - text: All group policies + url: /microsoft-edge/deploy/available-policies + - text: Address bar + url: /microsoft-edge/deploy/group-policies/address-bar-settings-gp + - text: Adobe Flash + url: /microsoft-edge/deploy/group-policies/adobe-settings-gp + - text: Books Library + url: /microsoft-edge/deploy/group-policies/books-library-management-gp + - text: Browser experience + url: /microsoft-edge/deploy/group-policies/browser-settings-management-gp + - text: Developer tools + url: /microsoft-edge/deploy/group-policies/developer-settings-gp + - text: Extensions + url: /microsoft-edge/deploy/group-policies/extensions-management-gp + - text: Favorites + url: /microsoft-edge/deploy/group-policies/favorites-management-gp + - text: Home button + url: /microsoft-edge/deploy/group-policies/home-button-gp + + # Card (optional) + - title: Group policies configure guidance part 2 + linkLists: + - linkListType: reference + links: + - text: Interoperability and enterprise mode + url: 
/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp + - text: New Tab page + url: /microsoft-edge/deploy/group-policies/new-tab-page-settings-gp + - text: Kiosk mode deployment in Microsoft Edge + url: /microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy + - text: Prelaunch Microsoft Edge and preload tabs + url: /microsoft-edge/deploy/group-policies/prelaunch-preload-gp + - text: Search engine customization + url: /microsoft-edge/deploy/group-policies/search-engine-customization-gp + - text: Security and privacy + url: /microsoft-edge/deploy/group-policies/security-privacy-management-gp + - text: Start page + url: /microsoft-edge/deploy/group-policies/start-pages-gp + - text: Sync browser + url: /microsoft-edge/deploy/group-policies/sync-browser-settings-gp + - text: Telemetry and data collection + url: /microsoft-edge/deploy/group-policies/telemetry-management-gp + diff --git a/browsers/edge/microsoft-edge.yml b/browsers/edge/microsoft-edge.yml index 2b47ccaaf7..797d881911 100644 --- a/browsers/edge/microsoft-edge.yml +++ b/browsers/edge/microsoft-edge.yml 
@@ -1,60 +1,144 @@ -### YamlMime:YamlDocument +### YamlMime:Landing + +title: Microsoft Edge Legacy # < 60 chars +summary: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # < 160 chars -documentType: LandingData -title: Microsoft Edge metadata: - title: Microsoft Edge - description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. + title: Microsoft Edge Legacy # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # Required; article description that is displayed in search results. < 160 chars. keywords: Microsoft Edge, issues, fixes, announcements, Windows Server, advisories + ms.prod: edge ms.localizationpriority: medium author: lizap ms.author: elizapo manager: dougkim - ms.topic: article + ms.topic: landing-page ms.devlang: na + ms.date: 08/19/2020 #Required; mm/dd/yyyy format. -sections: -- items: - - type: markdown - text: " - Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. - " -- title: What's new -- items: - - type: markdown - text: " - Find out the latest and greatest news on Microsoft Edge.
- -

**The latest in Microsoft Edge**
See what's new for users and developers in the next update to Microsoft Edge - now available with the Windows 10 April 2018 update!
Find out more

**Evaluate the impact**
Review the latest Forrester Total Economic Impact (TEI) report to learn about the impact Microsoft Edge can have in your organization.
Download the reports

**Microsoft Edge for iOS and Android**
Microsoft Edge brings familiar features across your PC and phone, which allows browsing to go with you, no matter what device you use.
Learn more

**Application Guard**
Microsoft Edge with Windows Defender Application Guard is the most secure browser on Windows 10 Enterprise.
Learn more
- " -- title: Compatibility -- items: - - type: markdown - text: " - Even if you still have legacy apps in your organization, you can default to the secure, modern experience of Microsoft Edge and provide a consistent level of compatibility with existing legacy applications.
- -

**Test your site on Microsoft Edge**
Test your site on Microsoft Edge for free instantly, with remote browser testing powered by BrowserStack. You can also use the linting tool sonarwhal to assess your site's accessibility, speed, security, and more.
Test your site on Microsoft Edge for free on BrowserStack
Use sonarwhal to improve your website.

**Improve compatibility with Enterprise Mode**
With Enterprise Mode you can use Microsoft Edge as your default browser, while ensuring apps continue working on IE11.
Use Enterprise mode to improve compatibility
Turn on Enterprise Mode and use a site list
Enterprise Site List Portal
Ultimate browser strategy on Windows 10

**Web Application Compatibility Lab Kit**
The Web Application Compatibility Lab Kit is a primer for the features and techniques used to provide web application compatibility during a typical enterprise migration to Microsoft Edge.
Find out more
- " -- title: Security -- items: - - type: markdown - text: " - Microsoft Edge uses Windows Hello and Windows Defender SmartScreen to defend against phishing and malware. Take a look at some of the additional features behind the strong defense that Microsoft Edge provides against web-based attacks.
- -

**NSS Labs web browser security reports**
See the results of two global tests measuring how effective browsers are at protecting against socially engineered malware and phishing attacks.
Download the reports

**Microsoft Edge sandbox**
See how Microsoft Edge has significantly reduced the attack surface of the sandbox by configuring the app container to further reduce its privilege.
Find out more

**Windows Defender SmartScreen**
Manage your organization's computer settings with Group Policy and MDM settings to display a warning page to employees or block a site entirely.
Read the docs
- " -- title: Deployment and end user readiness -- items: - - type: markdown - text: " - Find resources and learn about features to help you deploy Microsoft Edge in your organization to get your users up and running quickly.
- -

**Deployment**
Find resources, learn about features, and get answers to commonly asked questions to help you deploy Microsoft Edge in your organization.
Microsoft Edge deployment guide
Microsoft Edge FAQ
System requirements and language support
Group Policy and MDM settings in Microsoft Edge
Download the Web Application Compatibility Lab Kit
Microsoft Edge training and demonstrations

**End user readiness**
Help your users get started on Microsoft Edge quickly and learn about features like tab management, instant access to Office files, and more.
Quick Start: Microsoft Edge (PDF, .98 MB)
Find it faster with Microsoft Edge (PDF, 605 KB)
Use Microsoft Edge to collaborate (PDF, 468 KB)
Import bookmarks
Password management
Microsoft Edge tips and tricks (video, 20:26)
- " -- title: Stay informed -- items: - - type: markdown - text: " - -

**Sign up for the Windows IT Pro Insider**
Get the latest tools, tips, and expert guidance on deployment, management, security, and more.
Learn more

**Microsoft Edge Dev blog**
Keep up with the latest browser trends, security tips, and news for IT professionals.
Read the blog

**Microsoft Edge Dev on Twitter**
Get the latest news and updates from the Microsoft Web Platform team.
Visit Twitter
- " +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: What's new + linkLists: + - linkListType: whats-new + links: + - text: Documentation for Microsoft Edge version 77 or later + url: https://docs.microsoft.com/DeployEdge/ + - text: Microsoft Edge Legacy desktop app will reach end of support on March 9, 2021 + url: https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666 + - text: The latest in Microsoft Edge + url: https://blogs.windows.com/msedgedev/2018/04/30/edgehtml-17-april-2018-update/#C7jCBdbPSG6bCXHr.97 + - text: Microsoft Edge for iOS and Android + url: https://blogs.windows.com/windowsexperience/2017/11/30/microsoft-edge-now-available-for-ios-and-android + - text: Application Guard + url: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview + - linkListType: download + links: + - text: Evaluate the impact + url: /microsoft-edge/deploy/microsoft-edge-forrester + + # Card (optional) + - title: Test your site on Microsoft Edge + linkLists: + - linkListType: overview + links: + - text: Test your site on Microsoft Edge for free on BrowserStack + url: https://developer.microsoft.com/microsoft-edge/tools/remote/ + - text: Use sonarwhal to improve your website + url: https://sonarwhal.com/ + + # Card (optional) + - title: Improve compatibility with Enterprise Mode + linkLists: + - linkListType: how-to-guide + links: + - text: Use Enterprise mode to improve compatibility + url: /microsoft-edge/deploy/emie-to-improve-compatibility + - text: Turn on Enterprise Mode and use a site list + url: 
https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list + - text: Enterprise Site List Portal + url: https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal + + # Card (optional) + - title: Web Application Compatibility Lab Kit + linkLists: + - linkListType: overview + links: + - text: Overview + url: /microsoft-edge/deploy/emie-to-improve-compatibility + + # Card (optional) + - title: Security + linkLists: + - linkListType: download + links: + - text: NSS Labs web browser security reports + url: https://www.microsoft.com/download/details.aspx?id=54773 + - linkListType: overview + links: + - text: Microsoft Edge sandbox + url: https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/ + - text: Windows Defender SmartScreen + url: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview + + # Card (optional) + - title: Deployment + linkLists: + - linkListType: overview + links: + - text: Microsoft Edge deployment guide + url: /microsoft-edge/deploy/ + - text: Microsoft Edge FAQ + url: /microsoft-edge/deploy/microsoft-edge-faq + - text: System requirements and language support + url: /microsoft-edge/deploy/hardware-and-software-requirements + - text: Group Policy and MDM settings in Microsoft Edge + url: /microsoft-edge/deploy/available-policies + - text: Microsoft Edge training and demonstrations + url: /microsoft-edge/deploy/edge-technical-demos + - linkListType: download + links: + - text: Web Application Compatibility Lab Kit + url: https://www.microsoft.com/itpro/microsoft-edge/web-app-compat-toolkit + + # Card (optional) + - title: End user readiness + linkLists: + - linkListType: video + links: + - text: Microsoft Edge tips and tricks (video, 20:26) + url: https://myignite.microsoft.com/sessions/56630?source=sessions + - linkListType: download + links: + - text: Quick Start - Microsoft Edge (PDF, .98 MB) 
+ url: https://go.microsoft.com/fwlink/?linkid=825648 + - text: Find it faster with Microsoft Edge (PDF, 605 KB) + url: https://go.microsoft.com/fwlink/?linkid=825661 + - text: Use Microsoft Edge to collaborate (PDF, 468 KB) + url: https://go.microsoft.com/fwlink/?linkid=825653 + - text: Group Policy and MDM settings in Microsoft Edge + url: /microsoft-edge/deploy/available-policies + - text: Microsoft Edge training and demonstrations + url: /microsoft-edge/deploy/edge-technical-demos + - linkListType: how-to-guide + links: + - text: Import bookmarks + url: https://microsoftedgetips.microsoft.com/2/39 + - text: Password management + url: https://microsoftedgetips.microsoft.com/2/18 + + # Card (optional) + - title: Stay informed + linkLists: + - linkListType: overview + links: + - text: Sign up for the Windows IT Pro Insider + url: https://aka.ms/windows-it-pro-insider + - text: Microsoft Edge Dev blog + url: https://blogs.windows.com/msedgedev + - text: Microsoft Edge Dev on Twitter + url: https://twitter.com/MSEdgeDev diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md index fe8d0d640e..72bea22625 100644 --- a/education/windows/set-up-school-pcs-whats-new.md +++ b/education/windows/set-up-school-pcs-whats-new.md @@ -9,7 +9,7 @@ ms.pagetype: edu ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 09/25/2019 +ms.date: 08/31/2020 ms.reviewer: manager: dansimp --- @@ -18,6 +18,11 @@ manager: dansimp Learn what’s new with the Set up School PCs app each week. Find out about new app features and functionality, see updated screenshots, and find information about past releases. +## Week of August 24, 2020 + +### Longer device names supported in app +You can now give devices running Windows 10, version 2004 and later a name that's up to 53 characters long. + ## Week of September 23, 2019 ### Easier way to deploy Office 365 to your classroom devices 
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 69d4efc9c1..1bfa750d6f 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -145,8 +145,8 @@ To set up a test account through Windows Configuration Designer, follow these st - username@tenant.com 4. Under **Runtime settings**, go to **TakeATest** and configure the following settings: - 1. In **LaunchURI**, enter the assessment URL. - 2. In **TesterAccount**, enter the test account you entered in step 3. + - In **LaunchURI**, enter the assessment URL. + - In **TesterAccount**, enter the test account you entered in step 3. 3. Follow the steps to [build a package](https://technet.microsoft.com/itpro/windows/configure/provisioning-create-package#build-package). @@ -166,9 +166,9 @@ This sample PowerShell script configures the tester account and the assessment U - Use your tester account for **-UserName** >[!NOTE] ->The account that you specify for the tester account must already exist on the device. +>The account that you specify for the tester account must already exist on the device. For steps to create the tester account, see [Set up a dedicated test account](https://docs.microsoft.com/education/windows/take-a-test-single-pc#set-up-a-dedicated-test-account). -``` +```powershell $obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'"; $obj.LaunchURI='https://www.foo.com'; $obj.TesterAccount='TestAccount'; @@ -232,7 +232,7 @@ One of the ways you can present content in a locked down manner is by embedding 1. Embed a link or create a desktop shortcut with: - ``` + ```http ms-edu-secureassessment:#enforceLockdown ``` diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md index b343954c9a..24ec842c6c 100644 
--- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md +++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md 
@@ -17,6 +17,23 @@ ms.date: 10/17/2017 # Add unsigned app to code integrity policy +> [!IMPORTANT] +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020. +> +> Following are the major changes we are making to the service: +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download. +> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> +> The following functionality will be available via these PowerShell cmdlets: +> - Get a CI policy +> - Sign a CI policy +> - Sign a catalog +> - Download root cert +> - Download history of your signing operations +> +> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration. + **Applies to** 
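Review bot: The 17-line DGSS migration notice added here is pasted verbatim into two more files in this commit (device-guard-signing-portal.md and sign-code-integrity-policy-with-device-guard-signing.md), and the copies already differ by a trailing blank line, so the dates, the NuGet reference and the contact mailbox will drift as the migration timeline changes. Keeping the notice in a single file and pulling it into each page with the docs `[!INCLUDE [dgss-migration](...)]` directive would keep the three pages consistent. The statement that the signing certificate can be recovered from the signed file itself is the useful part of the notice, since it tells readers why losing leaf-certificate download is not a loss of capability.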
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index 6a2720e035..a3e5be63f9 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -17,6 +17,23 @@ ms.date: 10/17/2017 # Device Guard signing +> [!IMPORTANT] +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020. +> +> Following are the major changes we are making to the service: +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download. +> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> +> The following functionality will be available via these PowerShell cmdlets: +> - Get a CI policy +> - Sign a CI policy +> - Sign a catalog +> - Download root cert +> - Download history of your signing operations +> +> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration. + **Applies to** 
diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md index c540dd2199..9d5a58c992 100644 --- a/store-for-business/prerequisites-microsoft-store-for-business.md +++ b/store-for-business/prerequisites-microsoft-store-for-business.md @@ -64,7 +64,7 @@ If your organization restricts computers on your network from connecting to the starting with Windows 10, version 1607) Store for Business requires Microsoft Windows HTTP Services (WinHTTP) to install, or update apps. -For more information about how to configure WinHTTP proxy settings to devices, see [Use Group Policy to apply WinHTTP proxy settings to Windows clients](https://support.microsoft.com/en-us/help/4494447/use-group-policy-to-apply-winhttp-proxy-settings-to-clients). +For more information about how to configure WinHTTP proxy settings to devices, see [Use Group Policy to apply WinHTTP proxy settings to Windows clients](https://support.microsoft.com/help/4494447/use-group-policy-to-apply-winhttp-proxy-settings-to-clients). diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md index e0db1ee7c7..e0acead8f1 100644 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md 
@@ -17,6 +17,24 @@ ms.date: 10/17/2017 # Sign code integrity policy with Device Guard signing +> [!IMPORTANT] +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020. +> +> Following are the major changes we are making to the service: +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download. +> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> +> The following functionality will be available via these PowerShell cmdlets: +> - Get a CI policy +> - Sign a CI policy +> - Sign a catalog +> - Download root cert +> - Download history of your signing operations +> +> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration. + + **Applies to** - Windows 10 
diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 5a0366f643..4414bb6e96 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -38,11 +38,10 @@ Organizations that use Windows Server Update Services (WSUS) must take action to > [!NOTE] > You must download the FOD .cab file that matches your operating system version. - 1. Use `Add-Package` to add Windows Mixed Reality FOD to the image. + 1. Use `Dism` to add Windows Mixed Reality FOD to the image. ```powershell - Add-Package - Dism /Online /add-package /packagepath:(path) + Dism /Online /Add-Package /PackagePath:(path) ``` > [!NOTE] diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index d236ee54f8..29e2d01d30 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md 
@@ -220,6 +220,9 @@ If Windows cannot load the system registry hive into memory, you must restore th If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced. +> [!NOTE] +> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start). + ## Kernel Phase If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following: @@ -392,3 +395,6 @@ If the dump file shows an error that is related to a driver (for example, window 3. Navigate to C:\Windows\System32\Config\. 4. Rename the all five hives by appending ".old" to the name. 5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode. + +> [!NOTE] +> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start). diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 9469f12408..6ed30e55f1 100644 --- a/windows/client-management/mdm/dmclient-csp.md 
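Review bot: Both added notes (this hunk and the one at line 395) have a missing space in `RegBack folder.This change`; it should read `RegBack folder. This change`. Both links use a locale-specific `support.microsoft.com/en-us/help/...` path, while this same commit strips `en-us` from a support.microsoft.com link in prerequisites-microsoft-store-for-business.md, so dropping `/en-us` here keeps the links consistent and locale-neutral. The second note is placed after the step that tells the reader to copy hives out of RegBack; stating before that procedure (whose earlier steps lie outside the hunk) that RegBack is empty by default on version 1803 and later would save readers from attempting a recovery that cannot work.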
+++ b/windows/client-management/mdm/dmclient-csp.md @@ -21,11 +21,15 @@ The following diagram shows the DMClient CSP in tree format. ![dmclient csp](images/provisioning-csp-dmclient-th2.png) + +**./Vendor/MSFT** +All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path. + **DMClient** Root node for the CSP. **UpdateManagementServiceAddress** -For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node. +For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node. **HWDevID** Added in Windows 10, version 1703. Returns the hardware device ID. 
@@ -221,7 +225,7 @@ Added in Windows 10, version 1607. Returns the hardware device ID. Supported operation is Get. **Provider/*ProviderID*/CommercialID** -Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization.. +Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization. Supported operations are Add, Get, Replace, and Delete. 
@@ -265,7 +269,7 @@ Supported operations are Add, Delete, Get, and Replace. Value type is integer. **Provider/*ProviderID*/AADSendDeviceToken** -Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token can not be obtained. +Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained. Supported operations are Add, Delete, Get, and Replace. Value type is bool. diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 349687ed6c..7a91385e10 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md 
@@ -170,11 +170,16 @@ Requirements: 1. Download: - - 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) + - 1803 --> [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) - - 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) + - 1809 --> [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) - - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all) + - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) + + - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)]( +https://www.microsoft.com/download/confirmation.aspx?id=1005915) + + - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) 2. Install the package on the Domain Controller. @@ -185,6 +190,10 @@ Requirements: - 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** - 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** + + - 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)** + + - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. 
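Review bot: The new 1909 entry breaks its markdown link across two lines — `(1909)](` ends one line and `https://www.microsoft.com/download/confirmation.aspx?id=1005915)` begins the next — so the renderer will not produce a link; the destination must stay on the same line: `- 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=1005915)`. The 1909 and 2004 entries also point at `download/confirmation.aspx`, which is the post-click page that starts the download, whereas the 1803/1809/1903 entries use `download/details.aspx`, which lands on the page describing the package; using `details.aspx` for all five is consistent and lets the reader see what they are about to install. The second hunk (at line 190) adds the matching extraction folder names and looks fine.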
diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index 37cf49d46f..36128621e3 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -72,23 +72,23 @@ manager: dansimp Home - cross mark + cross mark Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark @@ -155,23 +155,23 @@ ADMX Info: Home - cross mark + cross mark Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark @@ -236,23 +236,23 @@ ADMX Info: Home - cross mark + cross mark Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark @@ -317,23 +317,23 @@ ADMX Info: Home - cross mark + cross mark Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark @@ -399,23 +399,23 @@ ADMX Info: Home - cross mark + cross mark Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark @@ -477,23 +477,23 @@ ADMX Info: Home - cross mark + cross mark Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark @@ -555,23 +555,23 @@ ADMX Info: Home - cross mark + cross mark Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark @@ -634,23 +634,23 @@ ADMX Info: Home - cross mark + cross mark Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark 
@@ -712,23 +712,23 @@ ADMX Info: Home - cross mark + cross mark Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark @@ -793,23 +793,23 @@ ADMX Info: Home - cross mark + cross mark Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark @@ -874,23 +874,23 @@ ADMX Info: Home - cross mark + cross mark Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index 527d07b981..ef0f985661 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -79,19 +79,19 @@ manager: dansimp Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark @@ -156,19 +156,19 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark @@ -227,19 +227,19 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark @@ -302,19 +302,19 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark @@ -378,19 +378,19 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark @@ -456,19 +456,19 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark 
@@ -523,19 +523,19 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark @@ -597,19 +597,19 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark @@ -670,19 +670,19 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise - check mark + check mark Education - check mark + cross mark diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index 2f91449316..9a7fa24739 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -45,11 +45,11 @@ manager: dansimp Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -57,7 +57,7 @@ manager: dansimp Education - check mark + cross mark diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index e3fef30269..79b48babf1 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -108,11 +108,11 @@ manager: dansimp Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -120,7 +120,7 @@ manager: dansimp Education - check mark + cross mark @@ -176,11 +176,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -188,7 +188,7 @@ ADMX Info: Education - check mark + cross mark @@ -253,11 +253,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -265,7 +265,7 @@ ADMX Info: Education - check mark + cross mark @@ -322,11 +322,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise 
@@ -334,7 +334,7 @@ ADMX Info: Education - check mark + cross mark @@ -409,11 +409,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -421,7 +421,7 @@ ADMX Info: Education - check mark + cross mark @@ -478,11 +478,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -490,7 +490,7 @@ ADMX Info: Education - check mark + cross mark @@ -547,11 +547,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -559,7 +559,7 @@ ADMX Info: Education - check mark + cross mark @@ -618,11 +618,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -630,7 +630,7 @@ ADMX Info: Education - check mark + cross mark @@ -691,11 +691,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -703,7 +703,7 @@ ADMX Info: Education - check mark + cross mark @@ -766,11 +766,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -778,7 +778,7 @@ ADMX Info: Education - check mark + cross mark @@ -840,11 +840,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -852,7 +852,7 @@ ADMX Info: Education - check mark + cross mark @@ -916,11 +916,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -928,7 +928,7 @@ ADMX Info: Education - check mark + cross mark @@ -985,11 +985,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -997,7 +997,7 @@ ADMX Info: Education - check mark + cross mark @@ -1058,11 +1058,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -1070,7 +1070,7 @@ ADMX Info: Education - check mark + cross mark @@ -1134,11 +1134,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise 
@@ -1146,7 +1146,7 @@ ADMX Info: Education - check mark + cross mark @@ -1205,11 +1205,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -1217,7 +1217,7 @@ ADMX Info: Education - check mark + cross mark @@ -1281,11 +1281,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -1293,7 +1293,7 @@ ADMX Info: Education - check mark + cross mark @@ -1350,11 +1350,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -1362,7 +1362,7 @@ ADMX Info: Education - check mark + cross mark @@ -1422,11 +1422,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -1434,7 +1434,7 @@ ADMX Info: Education - check mark + cross mark @@ -1497,11 +1497,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -1509,7 +1509,7 @@ ADMX Info: Education - check mark + cross mark @@ -1568,11 +1568,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -1580,7 +1580,7 @@ ADMX Info: Education - check mark + cross mark @@ -1655,11 +1655,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -1667,7 +1667,7 @@ ADMX Info: Education - check mark + cross mark diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index b964fbde10..ba0dcbb61d 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -49,11 +49,11 @@ manager: dansimp Pro - check mark + cross mark Business - check mark + cross mark Enterprise @@ -61,7 +61,7 @@ manager: dansimp Education - check mark + cross mark @@ -122,11 +122,11 @@ ADMX Info: Pro - check mark + cross mark Business - check mark + cross mark Enterprise 
@@ -134,7 +134,7 @@ ADMX Info: Education - check mark + cross mark diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 79fe896cdf..dcea40a888 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -2313,6 +2313,9 @@ ADMX Info: Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. +> [!NOTE] +> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). + The following list shows the supported values: diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index 671e14612b..9274477150 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -131,4 +131,4 @@ This section contains advanced troubleshooting topics and links to help you reso ## Other Resources -### [Troubleshooting Windows Server components](https://docs.microsoft.com/windows-server/troubleshoot/windows-server-support-solutions) +- [Troubleshooting Windows Server components](https://docs.microsoft.com/windows-server/troubleshoot/windows-server-troubleshooting) 
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md
index 65c52cf2dd..7085ba9fb5 100644
--- a/windows/deployment/planning/windows-10-removed-features.md
+++ b/windows/deployment/planning/windows-10-removed-features.md
@@ -27,7 +27,7 @@ The following features and functionalities have been removed from the installed |Feature | Details and mitigation | Removed in version | | ----------- | --------------------- | ------ | -| Connect app | The [Connect app](https://docs.microsoft.com/windows-hardware/design/device-experiences/wireless-projection-understanding) for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, click on **Settings** > **Apps** > **Optional features** > **Add a feature** and then install the **Wireless Display** app. | 2004 | +| Connect app | The **Connect** app for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, click on **Settings** > **Apps** > **Optional features** > **Add a feature** and then install the **Wireless Display** app. | 2004 | | Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) ended on August 13th, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 2004 | | Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 | | Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 | 
diff --git a/windows/deployment/update/images/UC_workspace_safeguard_queries.png b/windows/deployment/update/images/UC_workspace_safeguard_queries.png
new file mode 100644
index 0000000000..36bb54260b
Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_safeguard_queries.png differ
diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md
index de0fe72583..8aaf66d309 100644
--- a/windows/deployment/update/update-compliance-configuration-manual.md
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@@ -17,13 +17,14 @@ ms.topic: article # Manually Configuring Devices for Update Compliance -There are a number of requirements to consider when manually configuring Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required. +There are a number of requirements to consider when manually configuring devices for Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required. The requirements are separated into different categories: 1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured. 2. Devices in every network topography needs to send data to the [**required endpoints**](#required-endpoints) for Update Compliance, for example both devices in main and satellite offices, which may have different network configurations. 3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality. +4. [**Run a full Census sync**](#run-a-full-census-sync) on new devices to ensure that all necessary data points are collected. ## Required policies 
@@ -75,3 +76,14 @@ To enable data sharing between devices, your network, and Microsoft's Diagnostic
 ## Required services
 Many Windows and Microsoft services are required to ensure that not only the device can function, but Update Compliance can see device data. It is recommended that you allow all default services from the out-of-box experience to remain running. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically.
+
+
+## Run a full Census sync
+
+Census is a service that runs on a regular schedule on Windows devices. A number of key device attributes, like what operating system edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like edition) is sent approximately once per week rather than on every daily run. Because of this, these attributes can take longer to appear in Update Compliance unless you start a full Census sync. The Update Compliance Configuration Script does this.
+
+A full Census sync adds a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. For Census to work normally, this registry value should be enabled, Census should be started manually, and then the registry value should be disabled. Follow these steps:
+
+1. For every device you are manually configuring for Update Compliance, add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**.
+2. Run Devicecensus.exe with administrator privileges on every device. Devicecensus.exe is in the System32 folder. No additional run parameters are required.
+3. After Devicecensus.exe has run, the **FullSync** registry value can be removed or set to **0**.
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
index 6be6180063..b58012dcad 100644
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -35,13 +35,21 @@ Refer to the following list for what each state means:
 * Devices that have failed the given feature update installation are counted as **Update failed**.
 * If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category.
-## Compatibility holds
+## Safeguard holds
-Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device's upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release.
+Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows 10 release information page for any given release.
-### Opting out of compatibility hold
+## Queries for safeguard holds
-Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired.
+Update Compliance reporting offers two queries to help you retrieve data related to safeguard holds. 
The first query shows the device data for all devices that are affected by safeguard holds. The second query shows data specific to devices running the target build.
+
+![Left pane showing Need Attention, Security update status, feature update status, and Windows Defender AV status, with Need Attention selected. Right pane shows the list of queries relevant to the Need Attention status, with "Devices with a safeguard hold" and "Target build distribution of devices with a safeguard hold" queries highlighted](images/UC_workspace_safeguard_queries.png)
+
+Update Compliance reporting will display the Safeguard IDs for known issues affecting a device in the **DeploymentErrorCode** column. Safeguard IDs for publicly discussed known issues are also included in the Windows Release Health dashboard, where you can easily find information related to publicly available safeguards.
+
+### Opting out of safeguard hold
+
+Microsoft will release a device from a safeguard hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired.
 To opt out, set the registry key as follows:
 - Registry Key Path :: **Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion**
@@ -50,6 +58,5 @@ To opt out, set the registry key as follows:
 - Type :: **REG_DWORD**
 - Value :: **0**
-
-Setting this registry key to **0** will force the device to opt out from *all* compatibility holds. Any other value, or deleting the key, will resume compatibility protection on the device.
+Setting this registry key to **0** will force the device to opt out from *all* safeguard holds. Any other value, or deleting the key, will resume compatibility protection on the device.
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 92d589105d..58bd854855 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -17,11 +17,6 @@ ms.topic: article
 # Monitor Windows Updates with Update Compliance
-> [!IMPORTANT]
-> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. Two planned feature removals for Update Compliance – Microsoft Defender Antivirus reporting and Perspectives – are now scheduled to be removed beginning Monday, May 11, 2020.
-> * The retirement of Microsoft Defender Antivirus reporting will begin Monday, May 11, 2020. You can continue to for threats with [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) and [Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection).
-> * The Perspectives feature of Update Compliance will be retired Monday, May 11, 2020. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
-
 ## Introduction
 Update Compliance enables organizations to:
diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
index 3cbcbbeb28..b5fe054a3e 100644
--- a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
+++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
@@ -26,7 +26,7 @@ WaaSDeploymentStatus records track a specific update's installation progress on
 |**DeploymentError** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there is either no string matching the error or there is no error. |
 |**DeploymentErrorCode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there is either no error or there is *no error code*, meaning that the issue raised does not correspond to an error, but some inferred issue. |
 |**DeploymentStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Failed` |The high level status of installing this update on this device. Possible values are:
  • **Update completed**: Device has completed the update installation.
  • **In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.
  • **Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.
  • **Cancelled**: The update was cancelled.
  • **Blocked**: There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.
  • **Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that have not sent any deployment data for that update will have the status `Unknown`.
  • **Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update.
  • **Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.|
-|**DetailedStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:
  • **Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.
  • **Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.
  • **Update offered**: The device has been offered the update, but has not begun downloading it.
  • **Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.
  • **Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds).
  • **Download started**: The update has begun downloading on the device.
  • **Download Succeeded**: The update has successfully completed downloading.
  • **Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.
  • **Install Started**: Installation of the update has begun.
  • **Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.
  • **Reboot Pending**: The device has a scheduled reboot to apply the update.
  • **Reboot Initiated**: The scheduled reboot has been initiated.
  • **Commit**: Changes are being committed post-reboot. This is another step of the installation process.
  • **Update Completed**: The update has successfully installed.|
+|**DetailedStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:
  • **Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.
  • **Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.
  • **Update offered**: The device has been offered the update, but has not begun downloading it.
  • **Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.
  • **Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#safeguard-holds).
  • **Download started**: The update has begun downloading on the device.
  • **Download Succeeded**: The update has successfully completed downloading.
  • **Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.
  • **Install Started**: Installation of the update has begun.
  • **Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.
  • **Reboot Pending**: The device has a scheduled reboot to apply the update.
  • **Reboot Initiated**: The scheduled reboot has been initiated.
  • **Commit**: Changes are being committed post-reboot. This is another step of the installation process.
  • **Update Completed**: The update has successfully installed.|
 |**ExpectedInstallDate** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/28/2020, 1:00:01.318 PM`|Rather than the expected date this update will be installed, this should be interpreted as the minimum date Windows Update will make the update available for the device. This takes into account Deferrals. |
 |**LastScan** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|The last point in time that this device sent Update Session data. |
 |**OriginBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.719` |The build originally installed on the device when this Update Session began. |
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index e0d6464259..95321b1013 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -119,8 +119,13 @@ A compliance deadline policy (released in June 2019) enables you to set separate
 This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This is extremely beneficial in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation.
+#### Update Baseline
+The large number of different policies offered for Windows 10 can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more.
+The Update Baseline toolkit makes it easy by providing a single command for IT Admins to apply the Update Baseline to devices. You can get the Update Baseline toolkit from the [Download Center](https://www.microsoft.com/download/details.aspx?id=101056).
+>[!NOTE]
+>The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices when.
+
+Error message | Cause | Actions
+-|-|-
+Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the [companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab) and reboot
    2. If the companion app is already installed, reboot and see if that resolves the error
    3. If you still see the error after rebooting, uninstall and re-install the companion app
    4. Check for updates in both the Microsoft store and the respective web store for the affected browser
+ExceptionThrown | An unexpected exception was thrown. | 1. [File a bug](https://aka.ms/wdag-fb)
    2. Retry the operation
+Failed to determine if Application Guard is enabled | The extension was able to communicate with the companion app, but the information request failed in the app. | 1. Restart the browser
    2. Check for updates in both the Microsoft store and the respective web store for the affected browser
+Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed
    2. If the companion app is installed, reboot and see if that resolves the error
    3. If you still see the error after rebooting, uninstall and re-install the companion app
    4. Check for updates in both the Microsoft store and the respective web store for the affected browser
+Main page navigation caught an unexpected error | An unexpected exception was thrown during the main page navigation. | 1. [File a bug](https://aka.ms/wdag-fb)
    2. Retry the operation
+Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running.| 1. Make sure the companion app is installed.
    2. If the companion app is installed, reboot and see if that resolves the error
    3. If you still see the error after rebooting, uninstall and re-install the companion app
    4. Check for updates in both the Microsoft store and the respective web store for the affected browser
+Protocol out of sync | The extension and native app cannot communicate with each other. This is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser
+Security patch level does not match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser
+Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. [File a bug](https://aka.ms/wdag-fb)
    2. Check if Edge is working
    3. Retry the operation
+
+## Related articles
+
+- [Microsoft Defender Application Guard overview](md-app-guard-overview.md)
+- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 9a278e3b9b..67723aa1a3 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -18,7 +18,7 @@ ms.custom: asr
 **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
+Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
 ## What is Application Guard and how does it work?
@@ -42,10 +42,11 @@ Application Guard has been created to target several types of systems:
 ## Related articles
-|Article |Description |
-|------|------------|
+|Article | Description |
+|--------|-------------|
 |[System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.|
 |[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
 |[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
 |[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.|
+| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a trouble-shooting guide |
 |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index e2a6d3e0ec..9fb1380e27 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -15,36 +15,34 @@ ms.custom: asr # Application Guard testing scenarios +**Applies to:** -**Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization. - ## Application Guard in standalone mode You can see how an employee would use standalone mode with Application Guard. ### To test Application Guard in Standalone mode -1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). +1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). 2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu. ![New Application Guard window setting option](images/appguard-new-window.png) - + 3. Wait for Application Guard to set up the isolated environment. >[!NOTE] - >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. - + >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. + 4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues. ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) -## Application Guard in Enterprise-managed mode +## Application Guard in Enterprise-managed mode How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode. 
@@ -59,7 +57,7 @@ Before you can use Application Guard in enterprise mode, you must install Window 3. Set up the Network Isolation settings in Group Policy: a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**. - + b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting. c. For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box. @@ -81,14 +79,14 @@ Before you can use Application Guard in enterprise mode, you must install Window >[!NOTE] >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. -6. Start Microsoft Edge and type www.microsoft.com. - +6. Start Microsoft Edge and type *https://www.microsoft.com*. + After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard. ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png) 7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists. - + After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment. ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) @@ -108,6 +106,7 @@ Application Guard provides the following default behavior for your employees: You have the option to change each of these settings to work with your enterprise from within Group Policy. **Applies to:** + - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 
@@ -116,24 +115,24 @@ You have the option to change each of these settings to work with your enterpris 1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard clipboard settings**. 2. Click **Enabled** and click **OK**. - + ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png) 3. Choose how the clipboard works: - + - Copy and paste from the isolated session to the host PC - + - Copy and paste from the host PC to the isolated session - + - Copy and paste both directions 4. Choose what can be copied: - - - **1.** Only text can be copied between the host PC and the isolated container. - - **2.** Only images can be copied between the host PC and the isolated container. + - Only text can be copied between the host PC and the isolated container. - - **3.** Both text and images can be copied between the host PC and the isolated container. + - Only images can be copied between the host PC and the isolated container. + + - Both text and images can be copied between the host PC and the isolated container. 5. Click **OK**. 
@@ -156,21 +155,26 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png) - + 3. Open Microsoft Edge and browse to an untrusted, but safe URL. - The website opens in the isolated session. + The website opens in the isolated session. 4. Add the site to your **Favorites** list and then close the isolated session. -5. Log out and back on to your device, opening Microsoft Edge in Application Guard again. +5. Log out and back on to your device, opening Microsoft Edge in Application Guard again. The previously added site should still appear in your **Favorites** list. - >[!NOTE] - >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

    If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

    **To reset the container, follow these steps:**
    1. Open a command-line program and navigate to Windows/System32.
    2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
    3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. - + > [!NOTE] + > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10. + > + > If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. + > + > **To reset the container, follow these steps:**
    1. Open a command-line program and navigate to Windows/System32.
    2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
    3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. + **Applies to:** + - Windows 10 Enterprise edition, version 1803 - Windows 10 Professional edition, version 1803 @@ -181,10 +185,10 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. ![Group Policy editor Download options](images/appguard-gp-download.png) - + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Download a file from Microsoft Defender Application Guard. +4. Download a file from Microsoft Defender Application Guard. 5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files. @@ -195,12 +199,13 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. ![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png) - -3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. -4. Assess the visual experience and battery performance. +3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. + +4. Assess the visual experience and battery performance. **Applies to:** + - Windows 10 Enterprise edition, version 1809 - Windows 10 Professional edition, version 1809 
@@ -210,11 +215,11 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, set **Options** to 2, and click **OK**. - ![Group Policy editor Download options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) - + ![Group Policy editor File trust options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Open a file in Edge, such an Office 365 file. +4. Open a file in Edge, such an Office 365 file. 5. Check to see that an antivirus scan completed before the file was opened. @@ -224,11 +229,11 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor Download options](images/appguard-gp-allow-camera-and-mic.png) - + ![Group Policy editor Camera and microphone options](images/appguard-gp-allow-camera-and-mic.png) + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Open an application with video or audio capability in Edge. +4. Open an application with video or audio capability in Edge. 5. Check that the camera and microphone work as expected. 
@@ -238,7 +243,20 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**. - ![Group Policy editor Download options](images/appguard-gp-allow-root-certificates.png) - + ![Group Policy editor Root certificate options](images/appguard-gp-allow-root-certificates.png) + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. +## Application Guard Extension for third-party web browsers + +The [Application Guard Extension](md-app-guard-browser-extension.md) available for Chrome and Firefox allows Application Guard to protect users even when they are running a web browser other than Microsoft Edge or Internet Explorer. + +Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios. + +1. Open either Firefox or Chrome — whichever browser you have the extension installed on. +1. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded. + ![The evaluation page displayed while the page is being loaded, explaining that the user must wait](images/app-guard-chrome-extension-evaluation-page.png) +1. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge. + ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge](images/app-guard-chrome-extension-launchIng-edge.png) +1. 
Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window** + ![The "New Application Guard Window" option is highlighted in red](images/app-guard-chrome-extension-new-app-guard-page.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index d5802d8faf..96506eaa8d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -198,4 +198,4 @@ After configuring the [Security policy violation indicators](https://docs.micros - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications](configure-email-notifications.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md index d2f56eeeb1..f6b75a00f1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md @@ -30,70 +30,49 @@ device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-co > [!NOTE] -> During public preview, instructions to deploy Microsoft Defender ATP for Android on Intune enrolled Android devices are different across Device Administrator and Android Enterprise entrollment modes.
    -> **When Microsoft Defender ATP for Android reaches General Availability (GA), the app will be available on Google Play.** +> **Microsoft Defender ATP for Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx) now.**
    +> You can connect to Google Play from Intune to deploy Microsoft Defender ATP app across Device Administrator and Android Enterprise entrollment modes. + Updates to the app are automatic via Google Play. ## Deploy on Device Administrator enrolled devices **Deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices** -This topic describes how to deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices. Upgrade from the Preview APK to the GA version on Google Play would be supported. +This topic describes how to deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices. -### Download the onboarding package - -Download the onboarding package from Microsoft Defender Security Center. - -1. In [Microsoft Defender Security -Center](https://securitycenter.microsoft.com), go to **Settings** \> **Machine Management** \> **Onboarding**. - -2. In the first drop-down, select **Android** as the Operating system. - -3. Select **Download Onboarding package** and save the downloaded .APK file. - - ![Image of onboarding package page](images/onboarding_package_1.png) - -### Add as Line of Business (LOB) App - -The downloaded Microsoft Defender ATP for Android onboarding package. It is a -.APK file can be deployed to user groups as a Line of Business app during the -preview from Microsoft Endpoint Manager Admin Center. +### Add as Android store app 1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> -**Android Apps** \> **Add \> Line-of-business app** and click **Select**. +**Android Apps** \> **Add \> Android store app** and click **Select**. - ![Image of Microsoft Endpoint Manager Admin Center](images/eba67e1a3adfec2c77c35a34cb030fba.png) + ![Image of Microsoft Endpoint Manager Admin Center](images/mda-addandroidstoreapp.png) -2. 
On the **Add app** page and in the *App Information* section, click **Select -add package file** and then click the ![Icon](images/1a62eac0222a9ba3c2fd62744bece76e.png) icon and select the MDATP Universal APK file that was downloaded from the *Download Onboarding package* step. +2. On the **Add app** page and in the *App Information* section enter: - ![Image of Microsoft Endpoint Manager Admin Center](images/e78d36e06495c2f70eb14230de6f7429.png) + - **Name** + - **Description** + - **Publisher** as Microsoft. + - **Appstore URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Microsoft Defender ATP Preview app Google Play Store URL) + Other fields are optional. Select **Next**. -3. Select **OK**. + ![Image of Microsoft Endpoint Manager Admin Center](images/mda-addappinfo.png) -4. In the *App Information* section that comes up, enter the **Publisher** as -Microsoft. Other fields are optional and then select **Next**. - - ![Image of Microsoft Endpoint Manager Admin Center](images/190a979ec5b6a8f57c9067fe1304cda8.png) - -5. In the *Assignments* section, go to the **Required** section and select **Add -group.** You can then choose the user group(s) that you would like to target -Microsoft Defender ATP for Android app. Click **Select** and then **Next**. +3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Microsoft Defender ATP for Android app. Click **Select** and then **Next**. >[!NOTE] >The selected user group should consist of Intune enrolled users. - ![Image of Microsoft Endpoint Manager Admin Center](images/363bf30f7d69a94db578e8af0ddd044b.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center](images/363bf30f7d69a94db578e8af0ddd044b.png) -6. In the **Review+Create** section, verify that all the information entered is -correct and then select **Create**. +6. 
In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. - In a few moments, the Microsoft Defender ATP app would be created successfully, -and a notification would show up at the top-right corner of the page. + In a few moments, the Microsoft Defender ATP app would be created successfully, and a notification would show up at the top-right corner of the page. ![Image of Microsoft Endpoint Manager Admin Center](images/86cbe56f88bb6e93e9c63303397fc24f.png) @@ -102,15 +81,10 @@ and a notification would show up at the top-right corner of the page. select **Device install status** to verify that the device installation has completed successfully. - ![Image of Microsoft Endpoint Manager Admin Center](images/513cf5d59eaaef5d2b5bc122715b5844.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center](images/513cf5d59eaaef5d2b5bc122715b5844.png) -During Public Preview, to **update** Microsoft Defender ATP for Android deployed -as a Line of Business app, download the latest APK. Following the steps in -*Download the onboarding package* section and follow instructions on how to [update -a Line of Business -App](https://docs.microsoft.com/mem/intune/apps/lob-apps-android#step-5-update-a-line-of-business-app). - ### Complete onboarding and check status 1. Once Microsoft Defender ATP for Android has been installed on the device, you'll see the app icon. 
@@ -133,27 +107,21 @@ For more information on the enrollment options supported by Intune, see [Enrollment Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) . -As Microsoft Defender ATP for Android is deployed via managed Google Play, -updates to the app are automatic via Google Play. - Currently only Personal devices with Work Profile enrolled are supported for deployment. ->[!NOTE] ->During Public Preview, to access Microsoft Defender ATP in your managed Google Play, contact [atpm@microsoft.com](mailto:atpm@microsoft.com) with the organization ID of your managed Google Play for next steps. This can be found under the **Admin Settings** of [managed Google Play](https://play.google.com/work/).
    -> At General Availability (GA), Microsoft Defender ATP for Android will be available as a public app. Upgrades from preview to GA version will be supported. -## Add Microsoft Defender ATP for Android as a managed Google Play app +## Add Microsoft Defender ATP for Android as a Managed Google Play app -After receiving a confirmation e-mail from Microsoft that your managed Google -Play organization ID has been approved, follow the steps below to add Microsoft +Follow the steps below to add Microsoft Defender ATP app into your managed Google Play. 1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> -**Android Apps** \> **Add** and select **managed Google Play app**. +**Android Apps** \> **Add** and select **Managed Google Play app**. - ![Image of Microsoft Endpoint Manager admin center](images/579ff59f31f599414cedf63051628b2e.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager admin center](images/579ff59f31f599414cedf63051628b2e.png) 2. On your managed Google Play page that loads subsequently, go to the search @@ -167,7 +135,8 @@ ATP app from the Apps search result. details on Microsoft Defender ATP. Review the information on the page and then select **Approve**. - ![A screenshot of a Managed Google Play](images/07e6d4119f265037e3b80a20a73b856f.png) + > [!div class="mx-imgBorder"] + > ![A screenshot of a Managed Google Play](images/07e6d4119f265037e3b80a20a73b856f.png) 4. You should now be presented with the permissions that Microsoft Defender ATP 
@@ -184,13 +153,15 @@ Android might ask. Review the choices and select your preferred option. Select By default, managed Google Play selects *Keep approved when app requests new permissions* - ![Image of notifications tab](images/ffecfdda1c4df14148f1526c22cc0236.png) + > [!div class="mx-imgBorder"] + > ![Image of notifications tab](images/ffecfdda1c4df14148f1526c22cc0236.png) 6. After the permissions handling selection is made, select **Sync** to sync Microsoft Defender ATP to your apps list. - ![Image of sync page](images/34e6b9a0dae125d085c84593140180ed.png) + > [!div class="mx-imgBorder"] + > ![Image of sync page](images/34e6b9a0dae125d085c84593140180ed.png) 7. The sync will complete in a few minutes. 
@@ -200,54 +171,61 @@ Microsoft Defender ATP to your apps list. 8. Select the **Refresh** button in the Android apps screen and Microsoft Defender ATP should be visible in the apps list. - ![Image of list of Android apps](images/fa4ac18a6333335db3775630b8e6b353.png) + > [!div class="mx-imgBorder"] + > ![Image of list of Android apps](images/fa4ac18a6333335db3775630b8e6b353.png) 9. Microsoft Defender ATP supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s). - a. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**. + 1. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**. - ![Image of Microsoft Endpoint Manager admin center](images/android-mem.png) + ![Image of Microsoft Endpoint Manager admin center](images/android-mem.png) - b. In the **Create app configuration policy** page, enter the following details: + 1. In the **Create app configuration policy** page, enter the following details: + - Name: Microsoft Defender ATP. - Choose **Android Enterprise** as platform. - Choose **Work Profile only** as Profile Type. - Click **Select App**, choose **Microsoft Defender ATP**, select **OK** and then **Next**. - ![Image of create app configuration policy page](images/android-create-app.png) + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy page](images/android-create-app.png) - c. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions - - External storage (read) - - External storage (write) + 1. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions: - Then select **OK**. 
+ - External storage (read) + - External storage (write) - ![Image of create app configuration policy](images/android-create-app-config.png) + Then select **OK**. + + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy](images/android-create-app-config.png) - d. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**. + 1. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**. - ![Image of create app configuration policy](images/android-auto-grant.png) + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy](images/android-auto-grant.png) - e. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender ATP Android app. + 1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender ATP Android app. - ![Image of create app configuration policy](images/android-select-group.png) + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy](images/android-select-group.png) - f. In the **Review + Create** page that comes up next, review all the information and then select **Create**.
    + 1. In the **Review + Create** page that comes up next, review all the information and then select **Create**.
    - The app configuration policy for Microsoft Defender ATP auto-granting the storage permission is now assigned to the selected user group. - - ![Image of create app configuration policy](images/android-review-create.png) + The app configuration policy for Microsoft Defender ATP auto-granting the storage permission is now assigned to the selected user group. + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy](images/android-review-create.png) 10. Select **Microsoft Defender ATP** app in the list \> **Properties** \> **Assignments** \> **Edit**. - ![Image of list of apps](images/9336bbd778cff5e666328bb3db7c76fd.png) + ![Image of list of apps](images/mda-properties.png) 11. Assign the app as a *Required* app to a user group. It is automatically installed in the *work profile* during the next sync of @@ -255,7 +233,8 @@ the device via Company Portal app. This assignment can be done by navigating to the *Required* section \> **Add group,** selecting the user group and click **Select**. - ![Image of edit application page](images/ea06643280075f16265a596fb9a96042.png) + > [!div class="mx-imgBorder"] + > ![Image of edit application page](images/ea06643280075f16265a596fb9a96042.png) 12. In the **Edit Application** page, review all the information that was entered @@ -268,7 +247,8 @@ assignment. clicking on the **Device Install Status**. Verify that the device is displayed here. - ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png) + > [!div class="mx-imgBorder"] + > ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png) 2. On the device, you can confirm the same by going to the **work profile** and 
@@ -279,7 +259,7 @@ confirm that Microsoft Defender ATP is available. 3. When the app is installed, open the app and accept the permissions and then your onboarding should be successful. - ![Image of mobile device with Microsoft Defender ATP app](images/23c125534852dcef09b8e37c98e82148.png) + ![Image of mobile device with Microsoft Defender ATP app](images/mda-devicesafe.png) 4. At this stage the device is successfully onboarded onto Microsoft Defender ATP for Android. You can verify this on the [Microsoft Defender Security diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index de60666730..320472ce86 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -289,7 +289,7 @@ This rule helps prevent credential stealing, by locking down Local Security Auth LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. > [!NOTE] -> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. +> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. This rule was introduced in: - [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index cb7648e275..0c4f1d9b83 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -14,6 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.reviewer: ramarom, evaldm, isco, mabraitm --- # View details and results of automated investigations diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index bd94cf5240..807094bae7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -10,11 +10,14 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft +ms.date: 09/03/2020 ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm +ms.custom: AIR --- # Overview of automated investigations @@ -72,19 +75,21 @@ You can configure the following levels of automation: |Automation level | Description| |---|---| -|**Full - remediate threats automatically** | All remediation actions are performed automatically.

    *This option is selected by default for Microsoft Defender ATP tenants created on or after August 16, 2020.*| +|**Full - remediate threats automatically** | All remediation actions are performed automatically.

    ***This option is recommended** and is selected by default for Microsoft Defender ATP tenants created on or after August 16, 2020, and have no device groups defined.
    If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.*| |**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

    Files or executables in all other folders are automatically remediated, if needed.| |**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders.

    Files or executables in temporary folders, such as the user's download folder or the user's temp folder, are automatically be remediated (if needed).| -|**Semi - require approval for any remediation** | An approval is needed for any remediation action.

    *This option is selected by default for Microsoft Defender ATP tenants created before August 16, 2020.*| -|**No automated response** | Devices do not get any automated investigations run on them.

    *This option is not recommended, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* | +|**Semi - require approval for any remediation** | An approval is needed for any remediation action.

    *This option is selected by default for Microsoft Defender ATP tenants created before August 16, 2020, and have no device groups defined.
    If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| +|**No automated response** | Devices do not get any automated investigations run on them.

    ***This option is not recommended**, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* | > [!IMPORTANT] > A few points of clarification regarding automation levels and default settings: -> - If your tenant already has device groups defined, the automation level settings are not changed. -> - If your tenant was onboarded to Microsoft Defender ATP before August 16, 2020, your organization's first device group is set to **Semi - require approval for any remediation** by default. -> - If your tenant is onboarded on or after August 16, 2020, when your organization's first device group is set to **Full - remediate threats automatically**. -> - To change an automation level, edit your [device groups](configure-automated-investigations-remediation.md#set-up-device-groups). +> - If your tenant already has device groups defined, the automation level settings are not changed for those device groups. +> - If your tenant was onboarded to Microsoft Defender ATP *before* August 16, 2020, and you have not defined a device group, your organization's default setting is **Semi - require approval for any remediation**. +> - If your tenant was onboarded to Microsoft Defender ATP *before* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Semi - require approval for any remediation**. +> - If your tenant was onboarded to Microsoft Defender ATP *on or after* August 16, 2020, and you have not defined a device group, your orgnaization's default setting is **Full - remediate threats automatically**. +> - If your tenant was onboarded to Microsoft Defender ATP *on or after* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Full - remediate threats automatically**. 
+> - To change an automation level, **[edit your device groups](configure-automated-investigations-remediation.md#set-up-device-groups)**. ### A few points to keep in mind diff --git a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md index 558f93dfb9..07e42ab409 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md @@ -56,7 +56,7 @@ The following OS versions are not supported: - macOS - Linux -The initial release of Microsoft Defender ATP will not have immediate parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government (GCC High) customers, there are some capabilities not yet available that we'd like to highlight. These are the known gaps as of August 2019: +The initial release of Microsoft Defender ATP will not have immediate parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government (GCC High) customers, there are some capabilities not yet available that we'd like to highlight. These are the known gaps as of August 2020: ## Threat Analytics Not currently available. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index a4c17d2c2a..d58f9ec52b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md 
@@ -15,6 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm --- # Configure automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md index e605898b2f..893c9a3eaa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md @@ -95,5 +95,4 @@ This section lists various issues that you may encounter when using email notifi ## Related topics - [Update data retention settings](data-retention-settings.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) - [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md index ebc09038ff..de35e7ec30 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md 
@@ -31,30 +31,32 @@ ms.topic: article You can also manually onboard individual devices to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all devices in your network. -> [!NOTE] -> The script has been optimized to be used on a limited number of devices (1-10 devices). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 devices](configure-endpoints.md). +> [!IMPORTANT] +> This script has been optimized for use on up to 10 devices. +> +> To deploy at scale, use [other deployment options](configure-endpoints.md). For example, you can deploy an onboarding script to more than 10 devices in production with the script available in [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md). ## Onboard devices 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Onboarding**. + 1. In the navigation pane, select **Settings** > **Onboarding**. - b. Select Windows 10 as the operating system. + 1. Select Windows 10 as the operating system. - c. In the **Deployment method** field, select **Local Script**. + 1. In the **Deployment method** field, select **Local Script**. - d. Click **Download package** and save the .zip file. + 1. Click **Download package** and save the .zip file. 2. Extract the contents of the configuration package to a location on the device you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. 3. Open an elevated command-line prompt on the device and run the script: - a. Go to **Start** and type **cmd**. + 1. Go to **Start** and type **cmd**. - b. 
Right-click **Command prompt** and select **Run as administrator**. + 1. Right-click **Command prompt** and select **Run as administrator**. - ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) + ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) 4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd* @@ -73,7 +75,7 @@ You can manually configure the sample sharing setting on the device by using *re The configuration is set through the following registry key entry: -``` +```console Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” Name: "AllowSampleCollection" Value: 0 or 1 
@@ -95,23 +97,23 @@ For security reasons, the package used to Offboard devices will expire 30 days a 1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Offboarding**. + 1. In the navigation pane, select **Settings** > **Offboarding**. - b. Select Windows 10 as the operating system. + 1. Select Windows 10 as the operating system. - c. In the **Deployment method** field, select **Local Script**. + 1. In the **Deployment method** field, select **Local Script**. - d. Click **Download package** and save the .zip file. + 1. Click **Download package** and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 3. Open an elevated command-line prompt on the device and run the script: - a. Go to **Start** and type **cmd**. + 1. Go to **Start** and type **cmd**. - b. Right-click **Command prompt** and select **Run as administrator**. + 1. Right-click **Command prompt** and select **Run as administrator**. - ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) + ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) 4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 771c2b866b..07ede3efae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md 
@@ -63,25 +63,21 @@ The following steps will guide you through onboarding VDI devices and will highl 1. Click **Download package** and save the .zip file. -2. Copy all the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`. +2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. - >[!NOTE] - >If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer. + 1. If you are not implementing a single entry for each device, copy WindowsDefenderATPOnboardingScript.cmd. -3. The following step is only applicable if you're implementing a single entry for each device:
    - **For single entry for each device**: + 1. If you are implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd. - 1. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` and `WindowsDefenderATPOnboardingScript.cmd` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
    + > [!NOTE] + > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from File Explorer. - > [!NOTE] - > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer. - -4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**. +3. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**. > [!NOTE] > Domain Group Policy may also be used for onboarding non-persistent VDI devices. -5. Depending on the method you'd like to implement, follow the appropriate steps:
    +4. Depending on the method you'd like to implement, follow the appropriate steps:
    **For single entry for each device**:
    Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. @@ -90,7 +86,7 @@ The following steps will guide you through onboarding VDI devices and will highl Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`. -6. Test your solution: +5. Test your solution: 1. Create a pool with one device. @@ -103,9 +99,9 @@ The following steps will guide you through onboarding VDI devices and will highl 1. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.
    **For multiple entries for each device**: Check multiple entries in Microsoft Defender Security Center. -7. Click **Devices list** on the Navigation pane. +6. Click **Devices list** on the Navigation pane. -8. Use the search function by entering the device name and select **Device** as search type. +7. Use the search function by entering the device name and select **Device** as search type. ## Updating non-persistent virtual desktop infrastructure (VDI) images As a best practice, we recommend using offline servicing tools to patch golden/master images.
    diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 18707f606c..9469ec674f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -111,7 +111,7 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec |[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
    [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS. -If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning. +If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning. > [!NOTE] > settings-win.data.microsoft.com is only needed if you have Windows 10 devices running version 1803 or earlier.
    @@ -150,7 +150,7 @@ Microsoft Defender ATP is built on Azure cloud, deployed in the following region - \+\ - \+\ -You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653). +You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/download/details.aspx?id=56519). > [!NOTE] > As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md index 55552af86b..644ad754c1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md @@ -252,7 +252,6 @@ For more information about customizing the notification when a rule is triggered ## See also * [Protect devices from exploits](exploit-protection.md) -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Enable exploit protection](enable-exploit-protection.md) * [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md index 9cc9cb48ba..861f8c6cd2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md 
@@ -50,5 +50,4 @@ You can verify the data location by navigating to **Settings** > **Data retentio ## Related topics - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) - [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index c611445181..74c12b3f99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -242,7 +242,6 @@ See the [Windows Security](../windows-defender-security-center/windows-defender- ## Related topics -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Configure and audit exploit protection mitigations](customize-exploit-protection.md) * [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index bb2325ee28..f081c6ad4a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md 
@@ -41,7 +41,7 @@ Enable network protection by using any of these methods: * [PowerShell](#powershell) * [Microsoft Intune](#intune) -* [Mobile Device Management (MDM)](#mobile-device-management-mmd) +* [Mobile Device Management (MDM)](#mobile-device-management-mdm) * [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) * [Group Policy](#group-policy) @@ -80,7 +80,7 @@ Enable network protection by using any of these methods: 6. Select the profile called **Assignments**, assign to **All Users & All Devices**, and **Save**. -### Mobile Device Management (MMD) +### Mobile Device Management (MDM) Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode. diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md index dabee673ee..1946579864 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 10/21/2019 +ms.date: 08/28/2020 ms.reviewer: manager: dansimp --- 
@@ -22,7 +22,7 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](emet-exploit-protection.md) are included in exploit protection. +[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its end of support.) This article helps you enable exploit protection in audit mode and review related events in Event Viewer. You can enable audit mode to see how mitigation works for certain apps in a test environment. By auditing exploit protection, you can see what *would* have happened if you had enabled exploit protection in your production environment. This way, you can help ensure exploit protection doesn't adversely affect your line-of-business apps, and you can see which suspicious or malicious events occur. 
@@ -72,12 +72,12 @@ Where: |Mitigation | Audit mode cmdlet | |---|---| - |Arbitrary code guard (ACG) | AuditDynamicCode | - |Block low integrity images | AuditImageLoad - |Block untrusted fonts | AuditFont, FontAuditOnly | - |Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned | - |Disable Win32k system calls | AuditSystemCall | - |Do not allow child processes | AuditChildProcess | + |Arbitrary code guard (ACG) | `AuditDynamicCode` | + |Block low integrity images | `AuditImageLoad` + |Block untrusted fonts | `AuditFont`, `FontAuditOnly` | + |Code integrity guard | `AuditMicrosoftSigned`, `AuditStoreSigned` | + |Disable Win32k system calls | `AuditSystemCall` | + |Do not allow child processes | `AuditChildProcess` | For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command: 
@@ -100,13 +100,9 @@ To review which apps would have been blocked, open Event Viewer and filter for t |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit | |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit | -## Related topics +## See also -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) -* [Enable exploit protection](enable-exploit-protection.md) -* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) -* [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) -* [Enable network protection](enable-network-protection.md) -* [Enable controlled folder access](enable-controlled-folders.md) -* [Enable attack surface reduction](enable-attack-surface-reduction.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md new file mode 100644 index 0000000000..d8f35500f4 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md 
@@ -0,0 +1,717 @@ +--- +title: Exploit Protection Reference +keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet +description: Details on how the Exploit Protection feature works in Windows 10 +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: medium +audience: ITPro +author: appcompatguy +ms.author: cjacks +ms.date: 07/20/2020 +ms.reviewer: +manager: saudm +ms.custom: asr +--- + +# Exploit Protection Reference + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Exploit Protection provides advanced protections for applications which the IT Pro can apply after the developer has compiled and distributed the software. + +This article helps you understand how Exploit Protection works, both at the policy level and at the individual mitigation level, to help you successfully build and apply Exploit Protection policies. + +## How mitigations are applied + +Exploit Protection mitigations are applied per application. + +Mitigations are configured via a registry entry for each program that you configure protections for. These settings are stored in the **MitigationOptions** registry entry for each program (**HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ *ImageFileName* \ MitigationOptions**). They take effect when you restart the program and remain effective until you change them and restart the program again. + +> [!IMPORTANT] +> Image File Execution Options only allows you to specify a file name or path, and not a version number, architecture, or any other differentiator. Be careful to target mitigations to apps which have unique names or paths, applying them only on devices where you have tested that version and that architecture of the application. 
+ +If you configure Exploit Protection mitigations using an XML configuration file, either via PowerShell, Group Policy, or MDM, when processing this XML configuration file, individual registry settings will be configured for you. + +When the policy distributing the XML file is no longer enforced, settings deployed by this XML configuration file will not be automatically removed. To remove Exploit Protection settings, export the XML configuration from a clean Windows 10 device, and deploy this new XML file. Alternately, Microsoft provides an XML file as part of the Windows Security Baselines for resetting Exploit Protection settings. + +To reset Exploit Protection settings using PowerShell, you could use the following command: + +```powershell +Set-ProcessMitigation -PolicyFilePath EP-reset.xml +``` +Following is the EP-reset.xml distributed with the Windows Security Baselines: +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Mitigation Reference + +The below sections detail the protections provided by each Exploit Protection mitigation, the compatibility considerations for the mitigation, and the configuration options available. + +## Arbitrary code guard + +### Description + +Arbitrary Code Guard helps protect against a malicious attacker loading the code of their choice into memory through a memory safety vulnerability and being able to execute that code. + +Arbitrary Code Guard protects an application from executing dynamically generated code (code that is not loaded, for example, from the exe itself or a dll). Arbitrary Code Guard works by preventing memory from being marked as executable. 
When an application attempts to [allocate memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc), we check the protection flags. (Memory can be allocated with read, write, and/or execute protection flags.) If the allocation attempts to include the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the memory allocation fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). Similarly, if an application attempts to [change the protection flags of memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) that has already been allocated and includes the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the permission change fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). + +By preventing the *execute* flag from being set, the Data Execution Prevention feature of Windows 10 can then protect against the instruction pointer being set to that memory and running that code. + +### Compatibility considerations + +Arbitrary Code Guard prevents allocating any memory as executable, which presents a compatibility issue with approaches such as Just-in-Time (JIT) compilers. Most modern browsers, for example, will compile JavaScript into native code in order to optimize performance. In order to support this mitigation, they will need to be rearchitected to move the JIT compilation outside of the protected process. Other applications whose design dynamically generates code from scripts or other intermediate languages will be similarly incompatible with this mitigation. + +### Configuration options + +**Allow thread opt-out** - You can configure the mitigation to allow an individual thread to opt-out of this protection. 
The developer must have written the application with awareness of this mitigation, and have called the [**SetThreadInformation**](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadinformation) API with the *ThreadInformation* parameter set to **ThreadDynamicCodePolicy** in order to be allowed to execute dynamic code on this thread. + +**Audit only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Block low integrity images + +### Description + +Block low integrity images prevents the application from loading files which are untrusted, typically because they have been downloaded from the internet from a sandboxed browser. + +This mitigation will block image loads if the image has an Access Control Entry (ACE) which grants access to Low IL processes and which does not have a trust label ACE. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a low integrity image, it will trigger a STATUS_ACCESS_DENIED error. For details on how integrity levels work, see [Mandatory Integrity Control](https://docs.microsoft.com/windows/win32/secauthz/mandatory-integrity-control). + +### Compatibility considerations + +Block low integrity images will prevent the application from loading files which were downloaded from the internet. If your application workflow requires loading images which are downloaded, you will want to ensure that they are downloaded from a higher-trust process, or are explicitly relabeled in order to apply this mitigation. 
+ +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Block remote images + +### Description + +Block remote images will prevent the application from loading files which are hosted on a remote device, such as a UNC share. This helps protect against loading binaries into memory which are on an external device controlled by the attacker. + +This mitigation will block image loads if the image is determined to be on a remote device. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a remote file, it will trigger a STATUS_ACCESS_DENIED error. + +### Compatibility considerations + +Block remote images will prevent the application from loading images from remote devices. If your application loads files or plug-ins from remote devices, then it will not be compatible with this mitigation. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Block untrusted fonts + +### Description + +Block untrusted fonts mitigates the risk of a flaw in font parsing leading to the attacker being able to run code on the device. Only fonts which are installed into the windows\fonts directory will be loaded for processing by GDI. + +This mitigation is implemented within GDI, which validates the location of the file. 
If the file is not in the system fonts directory, the font will not be loaded for parsing and that call will fail. + +Note that this mitigation is in addition to the built-in mitigation provided in Windows 10 1607 and later, which moves font parsing out of the kernel and into a user-mode app container. Any exploit based on font parsing, as a result, happens in a sandboxed and isolated context, which reduces the risk significantly. For details on this mitigation, see the blog [Hardening Windows 10 with zero-day exploit mitigations](https://www.microsoft.com/security/blog/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/). + +### Compatibility considerations + +The most common use of fonts outside of the system fonts directory is with [web fonts](https://docs.microsoft.com/typography/fonts/font-faq#web). Modern browsers, such as Microsoft Edge, use DirectWrite instead of GDI, and are not impacted. However, legacy browsers, such as Internet Explorer 11 (and IE mode in the new Microsoft Edge) can be impacted, particularly with applications such as Office 365 which use font glyphs to display UI. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Code integrity guard + +### Description + +Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. This includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process. + +This mitigation is implemented within the memory manager, which blocks the binary from being mapped into memory. 
If you attempt to load a binary which is not signed by Microsoft, the memory manger will return the error STATUS_INVALID_IMAGE_HASH. By blocking at the memory manager level, this prevents both binaries loaded by the process and binaries injected into the process. + +### Compatibility considerations + +This mitigation specifically blocks any binary which is not signed by Microsoft. As such, it will be incompatible with most third party software, unless that software is distributed by (and digitally signed by) the Microsoft Store, and the option to allow loading of images signed by the Microsoft Store is selected. + +### Configuration options + +**Also allow loading of images signed by Microsoft Store** - Applications which are distributed by the Microsoft Store will be digitally signed by the Microsoft Store, and adding this configuration will allow binaries which have gone through the store certification process to be loaded by the application. + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Control flow guard (CFG) + +### Description + +Control flow guard (CFG) mitigates the risk of attackers leveraging memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program). + +This mitigation is provided by injecting an additional check at compile time. Before each indirect function call, additional instructions are added which verify that the target is a valid call target before it is called. 
If the target is not a valid call target, then the application is terminated. As such, only applications which are compiled with CFG support can benefit from this mitigation. + +The check for a valid target is provided by the Windows kernel. When executable files are loaded, the metadata for indirect call targets is extracted at load time and marked as valid call targets. Additionally, when memory is allocated and marked as executable (such as for generated code), these memory locations are also marked as valid call targets, to support mechanisms such as JIT compilation. + +### Compatibility considerations + +Since applications must be compiled to support CFG, they implicitly declare their compatibility with it. Most applications, therefore, should work with this mitigation enabled. Because these checks are compiled into the binary, the configuration you can apply is merely to disable checks within the Windows kernel. In other words, the mitigation is on by default, but you can configure the Windows kernel to always return "yes" if you later determine that there is a compatibility issue that the application developer did not discover in their testing, which should be rare. + +### Configuration options + +**Use strict CFG** - In strict mode, all binaries loaded into the process must be compiled for Control Flow Guard (or have no executable code in them - such as resource dlls) in order to be loaded. + +> [!Note] +> **Control flow guard** has no audit mode. Binaries are compiled with this mitigation enabled. + +## Data Execution Prevention (DEP) + +### Description + +Data Execution Prevention (DEP) prevents memory which was not explicitly allocated as executable from being executed. This helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code. 
+ +If you attempt to set the instruction pointer to a memory address not marked as executable, the processor will throw an exception (general-protection violation), causing the application to crash. + +### Compatibility considerations + +All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is generally assumed. + +All x86 (32-bit) binaries will have DEP enabled by default, but it can be disabled per process. Some very old legacy applications, typically applications developed prior to Windows XP SP2, may not be compatible with DEP. These are typically applications that dynamically generate code (e.g. JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code. + +### Configuration options + +**Enable ATL Thunk emulation** - This configuration option disables ATL Thunk emulation. ATL, the ActiveX Template Library, is designed to be as small and fast as possible. In order to reduce binary size, it would use a technique called thunking. Thunking is typically thought of for interacting between 32-bit and 16-bit applications, but there are no 16-bit components to ATL here. Rather, in order to optimize for binary size, ATL will store machine code in memory which is not word-aligned (creating a smaller binary), and then invoke that code directly. ATL components compiled with Visual Studio 7.1 or earlier (Visual Studio 2003) do not allocate this memory as executable - thunk emulation resolves that compatibility issue. Applications which have a binary extension model (such as Internet Explorer 11) will often need to have ATL Thunk emulation enabled. + +## Disable extension points + +### Description + +This mitigation disables various extension points for an application, which might be used to establish persistence or elevate privileges of malicious content. 
+ +This includes: + +- **AppInit DLLs** - Whenever a process starts, the system will load the specified DLL into to context of the newly started process before calling its entry point function. [Details on AppInit DLLs can be found here](https://docs.microsoft.com/windows/win32/winmsg/about-window-classes#application-global-classes). With this mitigation applied, AppInit DLLs are not loaded. Note that, beginning with Windows 7, AppInit DLLs need to be digitally signed, [as described here](https://docs.microsoft.com/windows/win32/win7appqual/appinit-dlls-in-windows-7-and-windows-server-2008-r2). Additionally, beginning with Windows 8, AppInit DLLs will not be loaded if SecureBoot is enabled, [as described here](https://docs.microsoft.com/windows/win32/dlls/secure-boot-and-appinit-dlls). +- **Legacy IMEs** - An Input Method Editor (IME) allows a user to type text in a language that has more characters than can be represented on a keyboard. Third parties are able to create IMEs. A malicious IME might obtain credentials or other sensitive information from this input capture. Some IMEs, referred to as Legacy IMEs, will only work on Windows Desktop apps, and not UWP apps. This mitigation will also prevent this legacy IME from loading into the specified Windows Desktop app. +- **Windows Event Hooks** - An application can call the [SetWinEventHook API](https://docs.microsoft.com/windows/win32/api/winuser/nf-winuser-setwineventhook) to register interest in an event taking place. A DLL is specified and can be injected into the process. This mitigation forces the hook to be posted to the registering process rather than running in-process through an injected DLL. + +### Compatibility considerations + +Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using 3rd party Legacy IMEs which will not work with the protected application. 
+ +### Configuration options + +There are no configuration options for this mitigation. + +> [!Note] +> **Disable extension points** has no audit mode. + +## Disable Win32k system calls + +### Description + +Win32k.sys provides a broad attack surface for an attacker. As a kernel-mode component, it is frequently targeted as an escape vector for applications that are sandboxed. This mitigation prevents calls into win32k.sys by blocking a thread from converting itself into a GUI thread, which is then given access to invoke Win32k functions. A thread is non-GUI when created, but converted on first call to win32k.sys, or through an API call to [IsGuiThread](https://docs.microsoft.com/windows/win32/api/winuser/nf-winuser-isguithread). + +### Compatibility considerations + +This mitigation is designed for processes which are dedicated non-UI processes. For example, many modern browsers will leverage process isolation and incorporate non-UI processes. Any application which displays a GUI using a single process will be impacted by this mitigation. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Do not allow child processes + +### Description + +This mitigation prevents an application from creating new child applications. A common technique used by adversaries is to initiate a trusted process on the device with malicious input (a "living off the land" attack), which often requires launching another application on the device. If there are no legitimate reasons why an application would launch a child process, this mitigation mitigates that potential attack vector. 
The mitigation is applied by setting a property on the process token, which blocks creating a token for the child process with the error message STATUS_CHILD_PROCESS_BLOCKED. + +### Compatibility considerations + +If your application launches child applications for any reason, such as supporting hyperlinks which launch a browser or an external browser, or which launch other utilities on the computer, this functionality will be broken with this mitigation applied. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Export address filtering + +### Description + +Export address filtering (EAF) mitigates the risk of malicious code looking at the export address table of all loaded modules to find modules that contain useful APIs for their attack. This is a common tactic used by shellcode. In order to mitigate the risk of such an attack, this mitigation protects 3 commonly attacked modules: + +- ntdll.dll +- kernelbase.dll +- kernel32.dll + +The mitigation protects the memory page in the [export directory](https://docs.microsoft.com/windows/win32/debug/pe-format#export-directory-table) which points to the [export address table](https://docs.microsoft.com/windows/win32/debug/pe-format#export-address-table). This memory page will have the [PAGE_GUARD](https://docs.microsoft.com/windows/win32/memory/creating-guard-pages) protection applied to it. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated. 
+ +### Compatibility considerations + +This mitigation is primarily an issue for applications such as debuggers, sandboxed applications, applications using DRM, or applications that implement anti-debugging technology. + +### Configuration options + +**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for additional commonly attacked modules: + +- mshtml.dll +- flash*.ocx +- jscript*.ocx +- vbscript.dll +- vgx.dll +- mozjs.dll +- xul.dll +- acrord32.dll +- acrofx32.dll +- acroform.api + +Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the page containing the "MZ" header, the first two bytes of the [DOS header in a PE file](https://docs.microsoft.com/windows/win32/debug/pe-format#ms-dos-stub-image-only), which is another aspect of known memory content which shellcode can look for to identify modules potentially of interest in memory. + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Force randomization for images (Mandatory ASLR) + +### Description + +Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker leveraging techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose. + +Mandatory ASLR forces a rebase of all DLLs within the process. 
A developer can enable ASLR using the [/DYNAMICBASE](https://docs.microsoft.com/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019) linker option, and this mitigation has the same effect. + +When the memory manager is mapping in the image into the process, Mandatory ASLR will forcibly rebase DLLs and EXEs that have not opted in to ASLR. Note, however, that this rebasing has no entropy, and can therefore be placed at a predictable location in memory. For rebased and randomized location of binaries, this mitigation should be paired with [Randomize memory allocations (Bottom-up ASLR)](#randomize-memory-allocations-bottom-up-aslr). + +### Compatibility considerations + +This compatibility impact of ASLR is typically constrained to older applications which were built using compilers which made assumptions about the base address of a binary file or have stripped out base relocation information. This can lead to unpredictable errors as the execution flow attempts to jump to the expected, rather than the actual, location in memory. + +### Configuration options + +**Do not allow stripped images** - This option blocks the loading of images that have had relocation information stripped. The Windows PE file format contains absolute addresses, and the compiler also generates a [base relocation table](https://docs.microsoft.com/windows/win32/debug/pe-format#the-reloc-section-image-only) which the loader can use to find all relative memory references and their offset, so they can be updated if the binary does not load at its preferred base address. Some older applications strip out this information in production builds, and therefore these binaries cannot be rebased. This mitigation blocks such binaries from being loaded (instead of allowing them to load at their preferred base address). + +> [!Note] +> **Force randomization for images (Mandatory ASLR)** has no audit mode. 
+ +## Import address filtering (IAF) + +### Description + +The Import address filtering (IAF) mitigation helps mitigate the risk of an adversary changing the control flow of an application by modifying the import address table (IAT) to redirect to arbitrary code of the attacker's choice when that function is called. An attacker could use this approach to hijack control, or to intercept, inspect, and potentially block calls to sensitive APIs. + +The memory pages for all protected APIs will have the [PAGE_GUARD](https://docs.microsoft.com/windows/win32/memory/creating-guard-pages) protection applied to them. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated. + +This mitigation protects the following Windows APIs: + +- GetProcAddress +- GetProcAddressForCaller +- LoadLibraryA +- LoadLibraryExA +- LoadLibraryW +- LoadLibraryExW +- LdrGetProcedureAddress +- LdrGetProcedureAddressEx +- LdrGetProcedureAddressForCaller +- LdrLoadDll +- VirtualProtect +- VirtualProtectEx +- VirtualAlloc +- VirtualAllocEx +- NtAllocateVirtualMemory +- NtProtectVirtualMemory +- CreateProcessA +- CreateProcessW +- WinExec +- CreateProcessAsUserA +- CreateProcessAsUserW +- GetModuleHandleA +- GetModuleHandleW +- RtlDecodePointer +- DecodePointer + +### Compatibility considerations + +Legitimate applications which perform API interception may be detected by this mitigation and cause some applications to crash. Examples include security software and application compatibility shims. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. 
Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Randomize memory allocations (Bottom-up ASLR) + +### Description + +Randomize memory allocations (Bottom-up ASLR) adds entropy to relocations, so their location is randomized and therefore less predictable. This mitigation requires Mandatory ASLR to take effect. + +Note that the size of the 32-bit address space places practical constraints on the entropy that can be added, and therefore 64-bit applications make it significantly more difficult for an attacker to guess a location in memory. + +### Compatibility considerations + +Most applications which are compatible with Mandatory ASLR (rebasing) will also be compatible with the additional entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4GB), and thus will be incompatible with the high entropy option (which can be disabled). + +### Configuration options + +**Don't use high entropy** - this option disables the use of high-entropy ASLR, which adds 24 bits of entropy (1TB of variance) into the bottom-up allocation for 64-bit applications. + +> [!Note] +> **Randomize memory allocations (Bottom-up ASLR)** has no audit mode. + +## Simulate execution (SimExec) + +### Description + +Simulate execution (SimExec) is a mitigation for 32-bit applications only which helps validate that calls to sensitive APIs will return to legitimate caller functions. It does this by intercepting calls into sensitive APIs, and then simulating the execution of those APIs by walking through the encoded assembly language instructions looking for the RET instruction, which should return to the caller. 
It then inspects that function and walks backwards in memory to find the preceding CALL instruction to compare if the two match and that the RET hasn't been intercepted. + +The APIs intercepted by this mitigation are: + +- LoadLibraryA +- LoadLibraryW +- LoadLibraryExA +- LoadLibraryExW +- LdrLoadDll +- VirtualAlloc +- VirtualAllocEx +- NtAllocateVirtualMemory +- VirtualProtect +- VirtualProtectEx +- NtProtectVirtualMemory +- HeapCreate +- RtlCreateHeap +- CreateProcessA +- CreateProcessW +- CreateProcessInternalA +- CreateProcessInternalW +- NtCreateUserProcess +- NtCreateProcess +- NtCreateProcessEx +- CreateRemoteThread +- CreateRemoteThreadEx +- NtCreateThreadEx +- WriteProcessMemory +- NtWriteVirtualMemory +- WinExec +- CreateFileMappingA +- CreateFileMappingW +- CreateFileMappingNumaW +- NtCreateSection +- MapViewOfFile +- MapViewOfFileEx +- MapViewOfFileFromApp +- LdrGetProcedureAddressForCaller + +If a ROP gadget is detected, the process is terminated. + +### Compatibility considerations + +Applications which perform API interception, particularly security software, can cause compatibility problems with this mitigation. + +This mitigation is incompatible with the Arbitrary Code Guard mitigation. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Validate API invocation (CallerCheck) + +### Description + +Validate API invocation (CallerCheck) is a mitigation for return oriented programming (ROP) techniques which validates that sensitive APIs were called from a valid caller. 
This mitigation inspects the passed return address, and then heuristically disassembles backwards to find a call above the return address to determine if the call target matches the parameter passed into the function.
+
+The APIs intercepted by this mitigation are:
+
+- LoadLibraryA
+- LoadLibraryW
+- LoadLibraryExA
+- LoadLibraryExW
+- LdrLoadDll
+- VirtualAlloc
+- VirtualAllocEx
+- NtAllocateVirtualMemory
+- VirtualProtect
+- VirtualProtectEx
+- NtProtectVirtualMemory
+- HeapCreate
+- RtlCreateHeap
+- CreateProcessA
+- CreateProcessW
+- CreateProcessInternalA
+- CreateProcessInternalW
+- NtCreateUserProcess
+- NtCreateProcess
+- NtCreateProcessEx
+- CreateRemoteThread
+- CreateRemoteThreadEx
+- NtCreateThreadEx
+- WriteProcessMemory
+- NtWriteVirtualMemory
+- WinExec
+- CreateFileMappingA
+- CreateFileMappingW
+- CreateFileMappingNumaW
+- NtCreateSection
+- MapViewOfFile
+- MapViewOfFileEx
+- MapViewOfFileFromApp
+- LdrGetProcedureAddressForCaller
+
+If a ROP gadget is detected, the process is terminated.
+
+### Compatibility considerations
+
+Applications which perform API interception, particularly security software, can cause compatibility problems with this mitigation.
+
+This mitigation is incompatible with the Arbitrary Code Guard mitigation.
+
+### Configuration options
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
+
+## Validate exception chains (SEHOP)
+
+### Description
+
+Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique.
[Structured Exception Handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can leverage a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice.
+
+This mitigation relies on the design of SEH, where each SEH entry contains both a pointer to the exception handler, as well as a pointer to the next handler in the exception chain. This mitigation is called by the exception dispatcher, which validates the SEH chain when an exception is invoked. It verifies that:
+
+- All exception chain records are within the stack boundaries
+- All exception records are aligned
+- No exception handler pointers are pointing to the stack
+- There are no backward pointers
+- The exception chain ends at a known final exception handler
+
+If these validations fail, then exception handling is aborted, and the exception will not be handled.
+
+### Compatibility considerations
+
+Compatibility issues with SEHOP are relatively rare. It's uncommon for an application to take a dependency on corrupting the exception chain. However, some applications are impacted by the subtle changes in timing, which may manifest as a race condition that reveals a latent multi-threading bug in the application.
+
+### Configuration options
+
+> [!Note]
+> **Validate exception chains (SEHOP)** has no audit mode.
+
+## Validate handle usage
+
+### Description
+
+*Validate handle usage* is a mitigation which helps protect against an attacker leveraging an existing handle to access a protected object.
A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE).
+
+This mitigation is automatically applied to Windows Store applications.
+
+### Compatibility considerations
+
+Applications which were not accurately tracking handle references, and which were not wrapping these operations in exception handlers, will potentially be impacted by this mitigation.
+
+### Configuration options
+
+> [!Note]
+> **Validate handle usage** has no audit mode.
+
+## Validate heap integrity
+
+### Description
+
+The *validate heap integrity* mitigation increases the protection level of heap mitigations in Windows, by causing the application to terminate if a heap corruption is detected. The mitigations include:
+
+- Preventing a HEAP handle from being freed
+- Performing additional validation on extended block headers for heap allocations
+- Verifying that heap allocations are not already flagged as in-use
+- Adding guard pages to large allocations, heap segments, and subsegments above a minimum size
+
+### Compatibility considerations
+
+This mitigation is already applied by default for 64-bit applications and for 32-bit applications targeting Windows Vista or later. Legacy applications from Windows XP or earlier are most at-risk, though compatibility issues are rare.
+
+### Configuration options
+
+> [!Note]
+> **Validate heap integrity** has no audit mode.
+
+## Validate image dependency integrity
+
+### Description
+
+The *validate image dependency* mitigation helps protect against attacks which attempt to substitute code for dlls which are statically linked by Windows binaries. The technique of DLL planting abuses the loader's search mechanism to inject malicious code, which can be used to get malicious code running in an elevated context. When the loader is loading a Windows signed binary, and then loads up any dlls that the binary depends on, these binaries will be verified to ensure that they are also digitally signed as a Windows binary. If they fail the signature check, the dll will not be loaded, and will throw an exception, returning a status of STATUS_INVALID_IMAGE_HASH.
+
+### Compatibility considerations
+
+Compatibility issues are uncommon. Applications which depend on replacing Windows binaries with local private versions will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications.
+
+### Configuration options
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
+
+## Validate stack integrity (StackPivot)
+
+### Description
+
+The *validate stack integrity (StackPivot) mitigation helps protect against the Stack Pivot attack, a ROP attack where an attacker creates a fake stack in heap memory, and then tricks the application into returning into the fake stack which controls the flow of execution.
+
+This mitigation intercepts a number of Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated.
+
+The APIs intercepted by this mitigation are:
+
+- LoadLibraryA
+- LoadLibraryW
+- LoadLibraryExA
+- LoadLibraryExW
+- LdrLoadDll
+- VirtualAlloc
+- VirtualAllocEx
+- NtAllocateVirtualMemory
+- VirtualProtect
+- VirtualProtectEx
+- NtProtectVirtualMemory
+- HeapCreate
+- RtlCreateHeap
+- CreateProcessA
+- CreateProcessW
+- CreateProcessInternalA
+- CreateProcessInternalW
+- NtCreateUserProcess
+- NtCreateProcess
+- NtCreateProcessEx
+- CreateRemoteThread
+- CreateRemoteThreadEx
+- NtCreateThreadEx
+- WriteProcessMemory
+- NtWriteVirtualMemory
+- WinExec
+- CreateFileMappingA
+- CreateFileMappingW
+- CreateFileMappingNumaW
+- NtCreateSection
+- MapViewOfFile
+- MapViewOfFileEx
+- MapViewOfFileFromApp
+- LdrGetProcedureAddressForCaller
+
+### Compatibility considerations
+
+Compatibility issues are uncommon. Applications which are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications.
+
+### Configuration options
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
index 49d1fcd691..b330f4798b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
@@ -36,10 +36,10 @@ When a mitigation is encountered on the device, a notification will be displayed
 You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled.
-Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Exploit protection](emet-exploit-protection.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10.
+Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. In fact, you can convert and import existing your EMET configuration profiles into exploit protection. To learn more, see [Import, export, and deploy exploit protection configurations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml).
 > [!IMPORTANT]
-> If you are currently using EMET you should be aware that [EMET reached end of support on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10.
+> If you are currently using EMET you should be aware that [EMET reached end of support on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). Consider replacing EMET with exploit protection in Windows 10.
 > [!WARNING]
 > Some security mitigation technologies may have compatibility issues with some applications.
You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender.md) before deploying the configuration across a production environment or the rest of your network. 
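Review bot: The new `+Many of the features…` line has its words out of order: `existing your EMET configuration profiles` should read `your existing EMET configuration profiles`. The same line also drops the only pointer to how exploit protection supersedes EMET, while this file still carries a `## Mitigation comparison` table further down; a short cross-reference such as `See the mitigation comparison table in this article for how exploit protection supersedes each EMET mitigation.` would keep that guidance reachable once the old comparison article is redirected here.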
@@ -61,34 +61,34 @@ DeviceEvents
 You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:
-Provider/source | Event ID | Description
--|-|-
-Security-Mitigations | 1 | ACG audit
-Security-Mitigations | 2 | ACG enforce
-Security-Mitigations | 3 | Do not allow child processes audit
-Security-Mitigations | 4 | Do not allow child processes block
-Security-Mitigations | 5 | Block low integrity images audit
-Security-Mitigations | 6 | Block low integrity images block
-Security-Mitigations | 7 | Block remote images audit
-Security-Mitigations | 8 | Block remote images block
-Security-Mitigations | 9 | Disable win32k system calls audit
-Security-Mitigations | 10 | Disable win32k system calls block
-Security-Mitigations | 11 | Code integrity guard audit
-Security-Mitigations | 12 | Code integrity guard block
-Security-Mitigations | 13 | EAF audit
-Security-Mitigations | 14 | EAF enforce
-Security-Mitigations | 15 | EAF+ audit
-Security-Mitigations | 16 | EAF+ enforce
-Security-Mitigations | 17 | IAF audit
-Security-Mitigations | 18 | IAF enforce
-Security-Mitigations | 19 | ROP StackPivot audit
-Security-Mitigations | 20 | ROP StackPivot enforce
-Security-Mitigations | 21 | ROP CallerCheck audit
-Security-Mitigations | 22 | ROP CallerCheck enforce
-Security-Mitigations | 23 | ROP SimExec audit
-Security-Mitigations | 24 | ROP SimExec enforce
-WER-Diagnostics | 5 | CFG Block
-Win32K | 260 | Untrusted Font
+|Provider/source | Event ID | Description|
+|---|---|---|
+|Security-Mitigations | 1 | ACG audit |
+|Security-Mitigations | 2 | ACG enforce |
+|Security-Mitigations | 3 | Do not allow child processes audit |
+|Security-Mitigations | 4 | Do not allow child processes block |
+|Security-Mitigations | 5 | Block low integrity images audit |
+|Security-Mitigations | 6 | Block low integrity images block |
+|Security-Mitigations | 7 | Block remote images audit |
+|Security-Mitigations | 8 | Block remote images block |
+|Security-Mitigations | 9 | Disable win32k system calls audit |
+|Security-Mitigations | 10 | Disable win32k system calls block |
+|Security-Mitigations | 11 | Code integrity guard audit |
+|Security-Mitigations | 12 | Code integrity guard block |
+|Security-Mitigations | 13 | EAF audit |
+|Security-Mitigations | 14 | EAF enforce |
+|Security-Mitigations | 15 | EAF+ audit |
+|Security-Mitigations | 16 | EAF+ enforce |
+|Security-Mitigations | 17 | IAF audit |
+|Security-Mitigations | 18 | IAF enforce |
+|Security-Mitigations | 19 | ROP StackPivot audit |
+|Security-Mitigations | 20 | ROP StackPivot enforce |
+|Security-Mitigations | 21 | ROP CallerCheck audit |
+|Security-Mitigations | 22 | ROP CallerCheck enforce |
+|Security-Mitigations | 23 | ROP SimExec audit |
+|Security-Mitigations | 24 | ROP SimExec enforce |
+|WER-Diagnostics | 5 | CFG Block |
+|Win32K | 260 | Untrusted Font |
 ## Mitigation comparison
@@ -96,38 +96,36 @@ The mitigations available in EMET are included natively in Windows 10 (starting
 The table in this section indicates the availability and support of native mitigations between EMET and exploit protection.
-Mitigation | Available under Exploit protection | Available in EMET
--|-|-
-Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
    As "Memory Protection Check"
-Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
    As "Load Library Check"
-Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]
    Included natively in Windows 10
    See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
    See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+|Mitigation | Available under exploit protection | Available in EMET |
+|---|---|---|
+|Arbitrary code guard (ACG) | yes | yes
    As "Memory Protection Check" |
+|Block remote images | yes | yes
    As "Load Library Check" |
+|Block untrusted fonts | yes | yes |
+|Data Execution Prevention (DEP) | yes | yes |
+|Export address filtering (EAF) | yes | yes |
+|Force randomization for images (Mandatory ASLR) | yes | yes |
+|NullPage Security Mitigation | yes
    Included natively in Windows 10
    See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | yes |
+|Randomize memory allocations (Bottom-Up ASLR) | yes | yes |
+|Simulate execution (SimExec) | yes | yes |
+|Validate API invocation (CallerCheck) | yes | yes |
+|Validate exception chains (SEHOP) | yes | yes |
+|Validate stack integrity (StackPivot) | yes | yes |
+|Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | yes |
+|Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
    See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | yes |
+|Block low integrity images | yes | no |
+|Code integrity guard | yes | no |
+|Disable extension points | yes | no |
+|Disable Win32k system calls | yes | no |
+|Do not allow child processes | yes | no |
+|Import address filtering (IAF) | yes | no |
+|Validate handle usage | yes | no |
+|Validate heap integrity | yes | no |
+|Validate image dependency integrity | yes | no |
 > [!NOTE]
-> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process.
->
-> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
+> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
-## Related articles
+## See also
 - [Protect devices from exploits](exploit-protection.md)
 - [Evaluate exploit protection](evaluate-exploit-protection.md)
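Review bot: The rewritten `+> The Advanced ROP mitigations…` note carries two wording errors over from the old line: `which other EMET advanced settings are enabled by default` should read `while other EMET advanced settings are enabled by default`, and the link text `Mitigation threats by using Windows 10 security features` disagrees with the same link's text in the NullPage and Heap spray rows of the table above (`Mitigate threats by using Windows 10 security features`). Separately, the ACG, Block remote images, NullPage and Heap spray rows of the new pipe-delimited table appear to continue their cell text on a following line; if those are literal newlines in the source rather than `<br>` elements, a pipe table will not render them as one row, so this is worth checking in a preview build.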
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/513cf5d59eaaef5d2b5bc122715b5844.png b/windows/security/threat-protection/microsoft-defender-atp/images/513cf5d59eaaef5d2b5bc122715b5844.png
index 74de422642..46c2427055 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/513cf5d59eaaef5d2b5bc122715b5844.png and b/windows/security/threat-protection/microsoft-defender-atp/images/513cf5d59eaaef5d2b5bc122715b5844.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/86cbe56f88bb6e93e9c63303397fc24f.png b/windows/security/threat-protection/microsoft-defender-atp/images/86cbe56f88bb6e93e9c63303397fc24f.png
index 9c2f6b242e..62e3dfceac 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/86cbe56f88bb6e93e9c63303397fc24f.png and b/windows/security/threat-protection/microsoft-defender-atp/images/86cbe56f88bb6e93e9c63303397fc24f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png b/windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png
index 5fd6b06a58..89da77d866 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png and b/windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/fa4ac18a6333335db3775630b8e6b353.png b/windows/security/threat-protection/microsoft-defender-atp/images/fa4ac18a6333335db3775630b8e6b353.png
index d1f02b93a7..101020a8fb 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/fa4ac18a6333335db3775630b8e6b353.png and b/windows/security/threat-protection/microsoft-defender-atp/images/fa4ac18a6333335db3775630b8e6b353.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mda-addandroidstoreapp.png b/windows/security/threat-protection/microsoft-defender-atp/images/mda-addandroidstoreapp.png
new file mode 100644
index 0000000000..898b158eb2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mda-addandroidstoreapp.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mda-addappinfo.png b/windows/security/threat-protection/microsoft-defender-atp/images/mda-addappinfo.png
new file mode 100644
index 0000000000..8ce56b5bd0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mda-addappinfo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mda-devicesafe.png b/windows/security/threat-protection/microsoft-defender-atp/images/mda-devicesafe.png
new file mode 100644
index 0000000000..3b8e7507b6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mda-devicesafe.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mda-properties.png b/windows/security/threat-protection/microsoft-defender-atp/images/mda-properties.png
new file mode 100644
index 0000000000..9c0ce1f98b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mda-properties.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
index 322278414a..3e4e0b9f14 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
@@ -64,7 +64,7 @@ When you've configured exploit protection to your desired state (including both
 Example command:
- **Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml**
+ `Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml`
 > [!IMPORTANT]
 > When you deploy the configuration using Group Policy, all devices that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location.
@@ -88,7 +88,7 @@ After importing, the settings will be instantly applied and can be reviewed in t
 Example command:
- **Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml**
+ `Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml`
 > [!IMPORTANT]
 >
@@ -115,16 +115,16 @@ You can use Group Policy to deploy the configuration you've created to multiple
 5. In the **Options:** section, enter the location and file name of the Exploit protection configuration file that you want to use, such as in the following examples:
- * C:\MitigationSettings\Config.XML
- * \\\Server\Share\Config.xml
- * https://localhost:8080/Config.xml
- * C:\ExploitConfigfile.xml
+ * `C:\MitigationSettings\Config.XML`
+ * `\\Server\Share\Config.xml`
+ * `https://localhost:8080/Config.xml`
+ * `C:\ExploitConfigfile.xml`
 6. Select **OK** and [Deploy the updated GPO as you normally do](https://docs.microsoft.com/windows/win32/srvnodes/group-policy).
-## Related topics
+## See also
-* [Protect devices from exploits](exploit-protection.md)
-* [Evaluate exploit protection](evaluate-exploit-protection.md)
-* [Enable exploit protection](enable-exploit-protection.md)
-* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+- [Protect devices from exploits](exploit-protection.md)
+- [Evaluate exploit protection](evaluate-exploit-protection.md)
+- [Enable exploit protection](enable-exploit-protection.md)
+- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
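Review bot: In the third hunk (`@@ -115,16 +115,16 @@`) the Group Policy examples now present a UNC share and an `https://` URL as the source of the mitigation configuration, yet the only guidance in this file (the IMPORTANT note in the first hunk) is that every device must be able to read the file. Because this XML decides which mitigations are applied to which processes, the location also needs to be writable only by the administrators who maintain the policy; a sentence after that note such as `Restrict write access to the configuration file and its location to administrators, since anyone who can modify it can change the mitigations enforced on every device that uses it.` would close the gap. The code-span changes in the first two hunks are fine as written.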
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md
new file mode 100644
index 0000000000..1a7490d88e
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md
@@ -0,0 +1,226 @@
+---
+title: Microsoft Defender ATP for iOS Application license terms
+ms.reviewer:
+description: Describes the Microsoft Defender ATP for iOS license terms
+keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope,
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: sunasing
+author: sunasing
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+hideEdit: true
+---
+
+# Microsoft Defender ATP for iOS application license terms
+
+## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER ATP
+
+These license terms ("Terms") are an agreement between Microsoft Corporation (or
+based on where you live, one of its affiliates) and you. Please read them. They
+apply to the application named above. These Terms also apply to any Microsoft
+
+- updates,
+
+- supplements,
+
+- Internet-based services, and
+
+- support services
+
+for this application, unless other terms accompany those items. If so, those
+terms apply.
+
+**BY USING THE APPLICATION, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM,
+DO NOT USE THE APPLICATION.**
+
+**If you comply with these Terms, you have the perpetual rights below.**
+
+1. **INSTALLATION AND USE RIGHTS.**
+
+ 1. **Installation and Use.** You may install and use any number of copies
+ of this application on iOS enabled device or devices which you own
+ or control. You may use this application with your company's valid
+ subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or
+ an online service that includes MDATP functionalities.
+
+ 2. **Updates.** Updates or upgrades to MDATP may be required for full
+ functionality. Some functionality may not be available in all countries.
+
+ 3. 
**Third Party Programs.** The application may include third party
+ programs that Microsoft, not the third party, licenses to you under this
+ agreement. Notices, if any, for the third-party program are included for
+ your information only.
+
+2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to
+ Internet access, data transfer and other services per the terms of the data
+ service plan and any other agreement you have with your network operator due
+ to use of the application. You are solely responsible for any network
+ operator charges.
+
+3. **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with
+ the application. It may change or cancel them at any time.
+
+ 1. Consent for Internet-Based or Wireless Services. The application may
+ connect to Internet-based wireless services. Your use of the application
+ operates as your consent to the transmission of standard device
+ information (including but not limited to technical information about
+ your device, system and application software, and peripherals) for
+ Internet-based or wireless services. If other terms are provided in
+ connection with your use of the services, those terms also apply.
+
+ - Data. Some online services require, or may be enhanced by, the
+ installation of local software like this one. At your, or your
+ admin's direction, this software may send data from a device to or
+ from an online service.
+
+ - Usage Data. Microsoft automatically collects usage and performance
+ data over the internet. This data will be used to provide and
+ improve Microsoft products and services and enhance your experience.
+ You may limit or control collection of some usage and performance
+ data through your device settings. Doing so may disrupt your use of
+ certain features of the application. For additional information on
+ Microsoft's data collection and use, see the [Online Services
+ Terms](https://go.microsoft.com/fwlink/?linkid=2106777).
+
+ 2. 
Misuse of Internet-based Services. You may not use any Internet-based
+ service in any way that could harm it or impair anyone else's use of it
+ or the wireless network. You may not use the service to try to gain
+ unauthorized access to any service, data, account or network by any
+ means.
+
+4. **FEEDBACK.** If you give feedback about the application to Microsoft, you
+ give to Microsoft, without charge, the right to use, share and commercialize
+ your feedback in any way and for any purpose. You also give to third
+ parties, without charge, any patent rights needed for their products,
+ technologies and services to use or interface with any specific parts of a
+ Microsoft software or service that includes the feedback. You will not give
+ feedback that is subject to a license that requires Microsoft to license its
+ software or documentation to third parties because we include your feedback
+ in them. These rights survive this agreement.
+
+5. **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement
+ only gives you some rights to use the application. Microsoft reserves all
+ other rights. Unless applicable law gives you more rights despite this
+ limitation, you may use the application only as expressly permitted in this
+ agreement. In doing so, you must comply with any technical limitations in
+ the application that only allow you to use it in certain ways. You may not
+
+ - work around any technical limitations in the application;
+
+ - reverse engineer, decompile or disassemble the application, except and
+ only to the extent that applicable law expressly permits, despite this
+ limitation;
+
+ - make more copies of the application than specified in this agreement or
+ allowed by applicable law, despite this limitation;
+
+ - publish the application for others to copy;
+
+ - rent, lease or lend the application; or
+
+ - transfer the application or this agreement to any third party.
+
+6. 
**EXPORT RESTRICTIONS.** The application is subject to United States export
+ laws and regulations. You must comply with all domestic and international
+ export laws and regulations that apply to the application. These laws
+ include restrictions on destinations, end users and end use. For additional
+ information,
+ see [www.microsoft.com/exporting](https://www.microsoft.com/exporting).
+
+7. **SUPPORT SERVICES.** Because this application is "as is," we may not
+ provide support services for it. If you have any issues or questions about
+ your use of this application, including questions about your company's
+ privacy policy, please contact your company's admin. Do not contact the
+ application store, your network operator, device manufacturer, or Microsoft.
+ The application store provider has no obligation to furnish support or
+ maintenance with respect to the application.
+
+8. **APPLICATION STORE.**
+
+ 1. If you obtain the application through an application store (e.g., App
+ Store), please review the applicable application store terms to ensure
+ your download and use of the application complies with such terms.
+ Please note that these Terms are between you and Microsoft and not with
+ the application store.
+
+ 2. The respective application store provider and its subsidiaries are third
+ party beneficiaries of these Terms, and upon your acceptance of these
+ Terms, the application store provider(s) will have the right to directly
+ enforce and rely upon any provision of these Terms that grants them a
+ benefit or rights.
+
+9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender ATP, MDATP, and
+ Microsoft 365 are registered or common-law trademarks of Microsoft
+ Corporation in the United States and/or other countries.
+
+10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates,
+ Internet-based services, and support services that you use are the entire
+ agreement for the application and support services.
+
+11. 
**APPLICABLE LAW.**
+
+ 1. **United States.** If you acquired the application in the United States,
+ Washington state law governs the interpretation of this agreement and
+ applies to claims for breach of it, regardless of conflict of laws
+ principles. The laws of the state where you live govern all other
+ claims, including claims under state consumer protection laws, unfair
+ competition laws, and in tort.
+
+ 2. **Outside the United States.** If you acquired the application in any
+ other country, the laws of that country apply.
+
+12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may
+ have other rights under the laws of your country. You may also have rights
+ with respect to the party from whom you acquired the application. This
+ agreement does not change your rights under the laws of your country if the
+ laws of your country do not permit it to do so.
+
+13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL
+ FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND
+ WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND
+ EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO
+ EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE
+ APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
+ APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE
+ ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL
+ CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
+ THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ NON-INFRINGEMENT.**
+
+ **FOR AUSTRALIA - YOU HAVE STATUTORY GUARANTEES UNDER THE AUSTRALIAN CONSUMER LAW AND NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS.**
+
+14. **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. 
TO THE EXTENT NOT
+ PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO
+ ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER
+ DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR
+ INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.**
+
+This limitation applies to:
+
+- anything related to the application, services, content (including code) on
+ third party Internet sites, or third party programs; and
+
+- claims for breach of contract, warranty, guarantee or condition; consumer
+ protection; deception; unfair competition; strict liability, negligence,
+ misrepresentation, omission, trespass or other tort; violation of statute or
+ regulation; or unjust enrichment; all to the extent permitted by applicable
+ law.
+
+It also applies even if:
+
+a. Repair, replacement or refund for the application does not fully compensate
+ you for any losses; or
+
+b. Covered Parties knew or should have known about the possibility of the
+ damages.
+
+The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
index bc9ddc57fc..4e853d9875
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
@@ -215,6 +215,28 @@ Specifies the merge policy for threat type settings. This can be a combination o
 | **Possible values** | merge (default)
    admin_only |
 | **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+#### Antivirus scan history retention (in days)
+
+Specify the number of days that results are retained in the scan history on the device. Old scan results are removed from the history. Old quarantined files that are also removed from the disk.
+
+|||
+|:---|:---|
+| **Key** | scanResultsRetentionDays |
+| **Data type** | String |
+| **Possible values** | 90 (default). Allowed values are from 1 day to 180 days. |
+| **Comments** | Available in Microsoft Defender ATP version 101.04.76 or higher. |
+
+#### Maximum number of items in the antivirus scan history
+
+Specify the maximum number of entries to keep in the scan history. Entries include all on-demand scans performed in the past and all antivirus detections.
+
+|||
+|:---|:---|
+| **Key** | scanHistoryMaximumItems |
+| **Data type** | String |
+| **Possible values** | 10000 (default). Allowed values are from 5000 items to 15000 items. |
+| **Comments** | Available in Microsoft Defender ATP version 101.04.76 or higher. |
+
 ### Cloud-delivered protection preferences
 The *cloudService* entry in the configuration profile is used to configure the cloud-driven protection feature of the product.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
index a35d6e6d1a..61ec612679
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
@@ -19,6 +19,10 @@ ms.topic: conceptual
 # What's new in Microsoft Defender Advanced Threat Protection for Linux
+## 101.04.76
+
+- Bug fixes
+
 ## 101.03.48
 - Bug fixes
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
index ba716299fe..0d734e593a
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
@@ -155,7 +155,7 @@ registry HKEY_CURRENT_USER\Console
 ```
 # Show information about a specific registry value
-registry HKEY_CURRENT_USER\Console\\ScreenBufferSize
+registry HKEY_CURRENT_USER\Console\ScreenBufferSize
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
index e2f79e5846..830692c78c
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
@@ -233,6 +233,30 @@ Specify the merge policy for threat type settings. This can be a combination of
 | **Possible values** | merge (default)
    admin_only |
 | **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+#### Antivirus scan history retention (in days)
+
+Specify the number of days that results are retained in the scan history on the device. Old scan results are removed from the history. Old quarantined files that are also removed from the disk.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | scanResultsRetentionDays |
+| **Data type** | String |
+| **Possible values** | 90 (default). Allowed values are from 1 day to 180 days. |
+| **Comments** | Available in Microsoft Defender ATP version 101.07.23 or higher. |
+
+#### Maximum number of items in the antivirus scan history
+
+Specify the maximum number of entries to keep in the scan history. Entries include all on-demand scans performed in the past and all antivirus detections.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | scanHistoryMaximumItems |
+| **Data type** | String |
+| **Possible values** | 10000 (default). Allowed values are from 5000 items to 15000 items. |
+| **Comments** | Available in Microsoft Defender ATP version 101.07.23 or higher. |
+
 ### Cloud-delivered protection preferences
 Configure the cloud-driven protection features of Microsoft Defender ATP for Mac.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index 7367f5ccb6..c82f6bfdb6
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -30,36 +30,31 @@ If you can reproduce a problem, increase the logging level, run the system for s
 1. Increase logging level:
 ```bash
- mdatp --log-level verbose
+ mdatp log level set --level verbose
 ```
 ```Output
- Creating connection to daemon
- Connection established
- Operation succeeded
+ Log level configured successfully
 ```
 2. Reproduce the problem
-3. Run `sudo mdatp --diagnostic --create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
+3. Run `sudo mdatp diagnostic create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
 ```bash
- sudo mdatp --diagnostic --create
+ sudo mdatp diagnostic create
 ```
 ```Output
- Creating connection to daemon
- Connection established
+ Diagnostic file created: "/Library/Application Support/Microsoft/Defender/wdavdiag/932e68a8-8f2e-4ad0-a7f2-65eb97c0de01.zip"
 ```
 4. Restore logging level:
 ```bash
- mdatp --log-level info
+ mdatp log level set --level info
 ```
 ```Output
- Creating connection to daemon
- Connection established
- Operation succeeded
+ Log level configured successfully
 ```
 ## Logging installation issues
@@ -85,30 +80,32 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Note that wh
 Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:
-|Group |Scenario |Command |
-|-------------|-------------------------------------------|-----------------------------------------------------------------------|
-|Configuration|Turn on/off real-time protection |`mdatp --config realTimeProtectionEnabled [true/false]` |
-|Configuration|Turn on/off cloud protection |`mdatp --config cloudEnabled [true/false]` |
-|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` |
-|Configuration|Turn on/off automatic sample submission |`mdatp --config cloudAutomaticSampleSubmission [true/false]` |
-|Configuration|Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` |
-|Configuration|Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` |
-|Configuration|List all allowed threat names |`mdatp threat allowed list` |
-|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`|
-|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` |
-|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`|
-|Configuration|Turn on/off passiveMode |`mdatp --config passiveMode [on/off]` |
-|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` |
-|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
-|Health |Check the product's health |`mdatp --health` |
-|Protection |Scan a path |`mdatp --scan --path [path]` |
-|Protection |Do a quick scan |`mdatp --scan --quick` |
-|Protection |Do a full scan |`mdatp --scan --full` |
-|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` |
-|Protection |Request a security intelligence update |`mdatp --definition-update` |
-|EDR |Turn on/off EDR preview for Mac |`mdatp --edr --early-preview [true/false]` OR `mdatp --edr --earlyPreview [true/false]` for versions earlier than 100.78.0 |
-|EDR |Add group tag to device. EDR tags are used for managing device groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` |
-|EDR |Remove group tag from device |`mdatp --edr --remove-tag [name]` |
+|Group |Scenario |Command |
+|-------------|-------------------------------------------|----------------------------------------------------------------------------------|
+|Configuration|Turn on/off real-time protection |`mdatp config real-time-protection [enabled/disabled]` |
+|Configuration|Turn on/off cloud protection |`mdatp config cloud --value [enabled/disabled]` |
+|Configuration|Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled/disabled]` |
+|Configuration|Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission --value [enabled/disabled]` |
+|Configuration|Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` |
+|Configuration|Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` |
+|Configuration|List all allowed threat names |`mdatp threat allowed list` |
+|Configuration|Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action block` |
+|Configuration|Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action off` |
+|Configuration|Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action audit` |
+|Configuration|Turn on/off passiveMode |`mdatp config passive-mode --value enabled [enabled/disabled]` |
+|Diagnostics 
|Change the log level |`mdatp log level set --level [error/warning/info/verbose]` |
+|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create` |
+|Health |Check the product's health |`mdatp health` |
+|Health |Check for a spefic product attribute |`mdatp health --field [attribute: healthy/licensed/engine_version...]` |
+|Protection |Scan a path |`mdatp scan custom --path [path]` |
+|Protection |Do a quick scan |`mdatp scan quick` |
+|Protection |Do a full scan |`mdatp scan full` |
+|Protection |Cancel an ongoing on-demand scan |`mdatp scan cancel` |
+|Protection |Request a security intelligence update |`mdatp definitions update` |
+|EDR |Turn on/off EDR preview for Mac |`mdatp edr early-preview [enabled/disabled]` |
+|EDR |Add group tag to device. EDR tags are used for managing device groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp edr tag set --name GROUP --value [name]` |
+|EDR |Remove group tag from device |`mdatp edr tag remove --tag-name [name]` |
+|EDR |Add Group Id |`mdatp edr group-ids --group-id [group]` |
 ### How to enable autocompletion
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
index 645b1ecce5..b06971e544
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
@@ -19,13 +19,17 @@ ms.topic: conceptual
 # Schedule scans with Microsoft Defender ATP for Mac
-While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. Create a scanning schedule using launchd on a macOS computer.
+While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week.
-## Schedule a scan with launchd
+## Schedule a scan with *launchd*
-1. Create a new .xml file. Use the following example to create your scanning schedule file.
+You can create a scanning schedule using the *launchd* daemon on a macOS device.
- ```xml
+1. The following code shows the schema you need to use to schedule a scan. Open a text editor and use this example as a guide for your own scheduled scan file.
+
+ For more information on the *.plist* file format used here, see [About Information Property List Files](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/AboutInformationPropertyListFiles.html) at the official Apple developer website.
+
+ ```XML
@@ -60,22 +64,30 @@ While you can start a threat scan at any time with Microsoft Defender ATP, your
 ```
-2. Save the file as a program configuration file (.plist) with the name com.microsoft.wdav.schedquickscan.plist.
+2. Save the file as *com.microsoft.wdav.schedquickscan.plist*.
- >[!NOTE]
- >To change a quick scan to a full scan, use /usr/local/bin/mdatp --scan –full in the array string and update your .plist filename.
+ > [!TIP]
+ > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp --scan --quick`, to use the `--full` option instead of `--quick` (i.e. `/usr/local/bin/mdatp --scan --full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*.
-3. Search for, and then open **Terminal**.
-4. To load your file into **launchd**, enter the following commands:
+3. Open **Terminal**.
+4. Enter the following commands to load your file:
 ```bash
 launchctl load /Library/LaunchDaemons/
- ```
- ```bash
 launchctl start
 ```
-5. Your scheduled scan runs at the date, time, and frequency you defined in your .plist file. In the example, the scan runs at 2:00 AM every seven days on a Friday, with the StartInterval using 604,800 seconds for one week.
+5. Your scheduled scan will run at the date, time, and frequency you defined in your p-list. In the example, the scan runs at 2:00 AM every Friday.
- > [!NOTE]
- > Agents executed with launchd will not run at the scheduled time if the computer is asleep, but will run once the computer is awake. If the computer is off, the scan will not run until the computer is on at the next scheduled time.
+ Note that the `StartInterval` value is in seconds, indicating that scans should run every 604,800 seconds (one week), while the `Weekday` value of `StartCalendarInterval` uses an integer to indicate the fifth day of the week, or Friday. 
+
+ > [!IMPORTANT]
+ > Agents executed with *launchd* will not run at the scheduled time while the device is asleep. They will instead run once the device resumes from sleep mode.
+ >
+ > If the device is turned off, the scan will run at the next scheduled scan time.
+
+## Schedule a scan with Intune
+
+You can also schedule scans with Microsoft Intune. The [runMDATPQuickScan.sh](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP#runmdatpquickscansh) shell script available at [Scripts for Microsoft Defender Advanced Threat Protection](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP) will persist when the device resumes from sleep mode.
+
+See [Use shell scripts on macOS devices in Intune](https://docs.microsoft.com/mem/intune/apps/macos-shell-scripts) for more detailed instructions on how to use this script in your enterprise.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index ce8693466d..869b785877
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -38,6 +38,17 @@ ms.topic: conceptual
 > 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md).
 > 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update.
+## 101.07.23
+
+- Added new fields to the output of `mdatp --health` for checking the status of passive mode and the EDR group ID
+
+ > [!NOTE]
+ > `mdatp --health` will be replaced with `mdatp health` in a future product update.
+
+- Fixed a bug where automatic sample submission was not marked as managed in the user interface
+- Added new settings for controlling the retention of items in the antivirus scan history. You can now [specify the number of days to retain items in the scan history](mac-preferences.md#antivirus-scan-history-retention-in-days) and [specify the maximum number of items in the scan history](mac-preferences.md#maximum-number-of-items-in-the-antivirus-scan-history)
+- Bug fixes
+
 ## 101.06.63
 - Addressed a performance regression introduced in version `101.05.17`. The regression was introduced with the fix to eliminate the kernel panics some customers have observed when accessing SMB shares. We have reverted this code change and are investigating alternative ways to eliminate the kernel panics.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
index 022658e40b..1200b24369
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
@@ -15,6 +15,8 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
+ms.date: 09/04/2020
+ms.reviewer: chventou
 ---
 # Manage Microsoft Defender Advanced Threat Protection with Configuration Manager
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
index 1e7317f3e8..299b6b807e
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
@@ -15,6 +15,8 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
+ms.date: 09/04/2020
+ms.reviewer: chventou
 ---
 # Manage Microsoft Defender Advanced Threat Protection with Group Policy Objects
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
index 6801853a3f..43b5a8c70c
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
@@ -15,6 +15,8 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
+ms.date: 09/04/2020
+ms.reviewer: chventou
 ---
 # Manage Microsoft Defender Advanced Threat Protection with Intune
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
index 245b969459..8629492da7
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
@@ -15,6 +15,8 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
+ms.date: 09/04/2020
+ms.reviewer: chventou
 ---
 # Manage Microsoft Defender Advanced Threat Protection with PowerShell, WMI, and MPCmdRun.exe
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
index f716c99579..f06086dbc1
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
@@ -14,7 +14,9 @@ ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
-ms.topic: article
+ms.topic: conceptual
+ms.date: 09/04/2020
+ms.reviewer: chventou
 ---
 # Manage Microsoft Defender Advanced Threat Protection, post migration
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md
new file mode 100644
index 0000000000..9676eaf9e7
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md
@@ -0,0 +1,59 @@
+---
+title: Migrate from McAfee to Microsoft Defender ATP
+description: Make the switch from McAfee to Microsoft Defender ATP. Read this article for an overview.
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-mcafeemigrate
+- m365solution-overview
+ms.topic: conceptual
+ms.custom: migrationguides
+ms.date: 09/03/2020
+ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
+---
+
+# Migrate from McAfee to Microsoft Defender Advanced Threat Protection
+
+If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP), you're in the right place. Use this article as a guide to plan your migration.
+
+## The migration process
+
+When you switch from McAfee to Microsoft Defender ATP, you follow a process that can be divided into three phases, as described in the following table:
+
+|Phase |Description |
+|--|--|
+|[![Phase 1: Prepare](images/prepare.png)](mcafee-to-microsoft-defender-prepare.md)
    [Prepare for your migration](mcafee-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](mcafee-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender ATP, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender ATP. |
+|[![Phase 2: Set up](images/setup.png)](mcafee-to-microsoft-defender-setup.md)
    [Set up Microsoft Defender ATP](mcafee-to-microsoft-defender-setup.md) |During [the **Setup** phase](mcafee-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender ATP, and McAfee. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
+|[![Phase 3: Onboard](images/onboard.png)](mcafee-to-microsoft-defender-onboard.md)
    [Onboard to Microsoft Defender ATP](mcafee-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](mcafee-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender ATP and verify that those devices are communicating with Microsoft Defender ATP. Last, you uninstall McAfee and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender ATP is in active mode. |
+
+## What's included in Microsoft Defender ATP?
+
+In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender ATP. However, Microsoft Defender ATP includes much more than antivirus and endpoint protection. Microsoft Defender ATP is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender ATP.
+
+| Feature/Capability | Description |
+|---|---|
+| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
+| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. 
|
+| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
+| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
+| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. |
+| [Behavioral blocking and containment](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. |
+| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
+| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
+
+**Want to learn more? See [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection).**
+
+## Next step
+
+- Proceed to [Prepare for your migration](mcafee-to-microsoft-defender-prepare.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md
new file mode 100644
index 0000000000..fcd726467f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md
@@ -0,0 +1,92 @@
+---
+title: McAfee to Microsoft Defender ATP - Onboard
+description: This is phase 3, Onboard, for migrating from McAfee to Microsoft Defender ATP.
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-McAfeemigrate
+ms.custom: migrationguides
+ms.topic: article
+ms.date: 09/03/2020
+ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
+---
+
+# Migrate from McAfee - Phase 3: Onboard to Microsoft Defender ATP
+
+|[![Phase 1: Prepare](images/prepare.png)](mcafee-to-microsoft-defender-prepare.md)
    [Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |[![Phase 2: Set up](images/setup.png)](mcafee-to-microsoft-defender-setup.md)
    [Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |![Phase 3: Onboard](images/onboard.png)
    Phase 3: Onboard | +|--|--|--| +|| |*You are here!* | + + +**Welcome to Phase 3 of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps: + +1. [Onboard devices to Microsoft Defender ATP](#onboard-devices-to-microsoft-defender-atp). +2. [Run a detection test](#run-a-detection-test). +3. [Uninstall McAfee](#uninstall-mcafee). +4. [Make sure Microsoft Defender ATP is in active mode](#make-sure-microsoft-defender-atp-is-in-active-mode). + +## Onboard devices to Microsoft Defender ATP + +1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. + +2. Choose **Settings** > **Device management** > **Onboarding**. + +3. In the **Select operating system to start onboarding process** list, select an operating system. + +4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods). + +### Onboarding methods + +Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding. + +|Operating system |Method | +|---------|---------| +|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
    - [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
    - [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
    - [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)

    **NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | +|- Windows 8.1 Enterprise
    - Windows 8.1 Pro
    - Windows 7 SP1 Enterprise
    - Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)

    **NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). | +|- Windows Server 2019 and later
    - Windows Server 2019 core edition
    - Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
    - [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
    - [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
    - [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
    - [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)

    **NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | +|- Windows Server 2016
    - Windows Server 2012 R2
    - Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
    - [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) | +|macOS
    - 10.15 (Catalina)
    - 10.14 (Mojave)
    - 10.13 (High Sierra)

    iOS

    Linux:
    - RHEL 7.2+
    - CentOS Linux 7.2+
    - Ubuntu 16 LTS, or higher LTS
    - SLES 12+
    - Debian 9+
    - Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) | + +## Run a detection test + +To verify that your onboarded devices are properly connected to Microsoft Defender ATP, you can run a detection test. + + +|Operating system |Guidance | +|---------|---------| +|- Windows 10
    - Windows Server 2019
    - Windows Server, version 1803
    - Windows Server 2016
    - Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).

    Visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. | +|macOS
    - 10.15 (Catalina)
    - 10.14 (Mojave)
    - 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).

    For more information, see [Microsoft Defender Advanced Threat Protection for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). | +|Linux:
    - RHEL 7.2+
    - CentOS Linux 7.2+
    - Ubuntu 16 LTS, or higher LTS
    - SLES 12+
    - Debian 9+
    - Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
    `mdatp health --field real_time_protection_enabled`.

    2. Open a Terminal window, and run the following command:
    `curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.

    3. Run the following command to list any detected threats:
    `mdatp threat list`.

    For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). | + +## Uninstall McAfee + +Now that you have onboarded your organization's devices to Microsoft Defender ATP, your next step is to uninstall McAfee. + +To get help with this step, go to your McAfee support ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com)). + +## Make sure Microsoft Defender ATP is in active mode + +Now that you have uninstalled McAfee, your next step is to make sure that Microsoft Defender Antivirus and endpoint detection and response are enabled and in active mode. + +To do this, visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following: +- Cloud-delivered protection +- Potentially Unwanted Applications (PUA) +- Network Protection (NP) + +## Next steps + +**Congratulations**! You have completed your [migration from McAfee to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md#the-migration-process)! + +- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). +- [Manage Microsoft Defender Advanced Threat Protection, post migration](manage-atp-post-migration.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md new file mode 100644 index 0000000000..257ff56b22 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md 
@@ -0,0 +1,119 @@ +--- +title: McAfee to Microsoft Defender ATP - Prepare +description: This is phase 1, Prepare, for migrating from McAfee to Microsoft Defender ATP. +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365solution-mcafeemigrate +ms.topic: article +ms.custom: migrationguides +ms.date: 09/03/2020 +ms.reviewer: jesquive, chventou, jonix, chriggs, owtho +--- + +# Migrate from McAfee - Phase 1: Prepare for your migration + +|![Phase 1: Prepare](images/prepare.png)
    Phase 1: Prepare |[![Phase 2: Set up](images/setup.png)](mcafee-to-microsoft-defender-setup.md)
    [Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |[![Phase 3: Onboard](images/onboard.png)](mcafee-to-microsoft-defender-onboard.md)
    [Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) | +|--|--|--| +|*You are here!*| | | + + +**Welcome to the Prepare phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. + +This migration phase includes the following steps: +1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices) +2. [Get Microsoft Defender ATP](#get-microsoft-defender-atp). +3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center). +4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings). + +## Get and deploy updates across your organization's devices + +As a best practice, keep your organization's devices and endpoints up to date. Make sure your McAfee Endpoint Security (McAfee) solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Microsoft Defender ATP and Microsoft Defender Antivirus. + +### Make sure your McAfee solution is up to date + +Keep McAfee up to date, and make sure that your organization's devices have the latest security updates. Need help? 
Here are some McAfee resources: + +- [McAfee Enterprise Product Documentation: How Endpoint Security Works](https://docs.mcafee.com/bundle/endpoint-security-10.7.x-common-product-guide-windows/page/GUID-1207FF39-D1D2-481F-BBD9-E4079112A8DD.html) + +- [McAfee Knowledge Center Technical Article: Windows Security Center intermittently incorrectly reports that Endpoint Security is disabled when running on Windows 10](https://kc.mcafee.com/corporate/index?page=content&id=KB91830) + +- [McAfee Knowledge Center Technical Article: Windows Security Center reports Endpoint Security is disabled when Endpoint Security is running](https://kc.mcafee.com/corporate/index?page=content&id=KB91428) + +- Your McAfee support ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com)) + +### Make sure your organization's devices are up to date + +Need help updating your organization's devices? See the following resources: + +|OS | Resource | +|:--|:--| +|Windows |[Microsoft Update](https://www.update.microsoft.com) | +|macOS | [How to update the software on your Mac](https://support.apple.com/HT201541)| +|iOS |[Update your iPhone, iPad, or iPod touch](https://support.apple.com/HT204204)| +|Android |[Check & update your Android version](https://support.google.com/android/answer/7680439) | +|Linux | [Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system) | + +## Get Microsoft Defender ATP + +Now that you've updated your organization's devices, the next step is to get Microsoft Defender ATP, assign licenses, and make sure the service is provisioned. + +1. Buy or try Microsoft Defender ATP today. [Visit Microsoft Defender ATP to start a free trial or request a quote](https://aka.ms/mdatp). + +2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state). + +3. 
As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender ATP. See [Microsoft Defender ATP setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration). + +4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender ATP setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration). + +At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). + +> [!NOTE] +> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender ATP portal. + +## Grant access to the Microsoft Defender Security Center + +The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender ATP. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use). + +Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions. + +1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control). + +2. Set up and configure RBAC. 
We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control). + + If your organization requires a method other than Intune, choose one of the following options: + - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration) + - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm) + - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview) + +3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)). + +## Configure device proxy and internet connectivity settings + +To enable communication between your devices and Microsoft Defender ATP, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities: + +|Capabilities | Operating System | Resources | +|--|--|--| +|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
    - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
    - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | +|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
    - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
    - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
    - [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
    - [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | +|EDR |macOS:
    - 10.15 (Catalina)
    - 10.14 (Mojave)
    - 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
    - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
    - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
    - [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
    | +|Antivirus |macOS:
    - 10.15 (Catalina)
    - 10.14 (Mojave)
    - 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|Antivirus |Linux:
    - RHEL 7.2+
    - CentOS Linux 7.2+
    - Ubuntu 16 LTS, or higher LTS
    - SLES 12+
    - Debian 9+
    - Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) + +## Next step + +**Congratulations**! You have completed the **Prepare** phase of [migrating from McAfee to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md#the-migration-process)! + +- [Proceed to set up Microsoft Defender ATP](mcafee-to-microsoft-defender-setup.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md new file mode 100644 index 0000000000..9d3017e042 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md @@ -0,0 +1,242 @@ +--- +title: McAfee to Microsoft Defender ATP - Setup +description: This is phase 2, Setup, for migrating from McAfee to Microsoft Defender ATP. +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365solution-mcafeemigrate +ms.topic: article +ms.custom: migrationguides +ms.date: 09/03/2020 +ms.reviewer: jesquive, chventou, jonix, chriggs, owtho +--- + +# Migrate from McAfee - Phase 2: Set up Microsoft Defender ATP + +|[![Phase 1: Prepare](images/prepare.png)](mcafee-to-microsoft-defender-prepare.md)
    [Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |![Phase 2: Set up](images/setup.png)
    Phase 2: Set up |[![Phase 3: Onboard](images/onboard.png)](mcafee-to-microsoft-defender-onboard.md)
    [Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) | +|--|--|--| +||*You are here!* | | + + +**Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps: +1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode). +2. [Add Microsoft Defender ATP to the exclusion list for McAfee](#add-microsoft-defender-atp-to-the-exclusion-list-for-mcafee). +3. [Add McAfee to the exclusion list for Microsoft Defender Antivirus](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-antivirus). +4. [Add McAfee to the exclusion list for Microsoft Defender ATP](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-atp). +5. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units). +6. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection). + +## Enable Microsoft Defender Antivirus and confirm it's in passive mode + +On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as McAfee. (To learn more about this, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).) 
+ +This step of the migration process includes the following tasks: +- [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server) +- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server); +- [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) +- [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices); and +- [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode). + +### Set DisableAntiSpyware to false on Windows Server + +The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false: + +1. On your Windows Server device, open Registry Editor. + +2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`. + +3. In that folder, look for a DWORD entry called **DisableAntiSpyware**. + + - If you do not see that entry, you're all set. + + - If you do see **DisableAntiSpyware**, proceed to step 4. + +4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**. + +5. Set the value to `0`. (This sets the registry key's value to *false*.) + +> [!TIP] +> To learn more about this registry key, see [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware). 
+
+### Reinstall Microsoft Defender Antivirus on Windows Server
+
+> [!NOTE]
+> The following procedure applies only to endpoints or devices that are running the following versions of Windows:
+> - Windows Server 2019
+> - Windows Server, version 1803 (core-only mode)
+> - Windows Server 2016
+
+1. As a local administrator on the endpoint or device, open Windows PowerShell.
+
+2. Run the following PowerShell cmdlets:
+
+ `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
+
+ `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
+
+3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
+
+ `Get-Service -Name windefend`
+
+> [!TIP]
+> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
+
+### Set Microsoft Defender Antivirus to passive mode on Windows Server
+
+Because your organization is still using McAfee, you must set Microsoft Defender Antivirus to passive mode. That way, McAfee and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender ATP.
+
+1. Open Registry Editor, and then navigate to
+ `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
+
+2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
+
+ - Set the DWORD's value to **1**.
+
+ - Under **Base**, select **Hexadecimal**.
+
+> [!NOTE]
+> You can use other methods to set the registry key, such as the following:
+>- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
+>- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
+>- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs)
+
+### Enable Microsoft Defender Antivirus on your Windows client devices
+
+Because your organization has been using McAfee as your primary antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus.
+
+To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table:
+
+|Method |What to do |
+|---------|---------|
+|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)

    **NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.

    2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure.
    If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).

    3. Select **Properties**, and then select **Configuration settings: Edit**.

    4. Expand **Microsoft Defender Antivirus**.

    5. Enable **Cloud-delivered protection**.

    6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.

    7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.

    8. Select **Review + save**, and then choose **Save**.

    For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
+|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).

    **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
    or
    [Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.

    2. Look for a policy called **Turn off Microsoft Defender Antivirus**.

    3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.

    **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+
+### Confirm that Microsoft Defender Antivirus is in passive mode
+
+Microsoft Defender Antivirus can run alongside McAfee if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
+
+|Method |What to do |
+|---------|---------|
+|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.

    2. Type `sc query windefend`, and then press Enter.

    3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
+|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

    2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

    3. In the list of results, look for **AntivirusEnabled: True**. |
+
+> [!NOTE]
+> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
+
+## Add Microsoft Defender ATP to the exclusion list for McAfee
+
+This step of the setup process involves adding Microsoft Defender ATP to the exclusion list for McAfee and any other security products your organization is using.
+
+> [!TIP]
+> To get help configuring exclusions, refer to McAfee documentation, such as the following article: [McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows: Configuring exclusions](https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orchestrator-windows/page/GUID-71C5FB4B-A143-43E6-8BF0-8B2C16ABE6DA.html).
+
+The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
+
+|OS |Exclusions |
+|--|--|
+|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
    - Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
    - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
    - [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`

    `C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`

    `C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`

    `C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
    |
+|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
    - [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
    - [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
    - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
    - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`

    **NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.

    `C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`

    `C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`

    `C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`

    `C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`

    `C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`

    `C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
+
+## Add McAfee to the exclusion list for Microsoft Defender Antivirus
+
+During this step of the setup process, you add McAfee and your other security solutions to the Microsoft Defender Antivirus exclusion list.
+
+When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
+- Path exclusions exclude specific files and whatever those files access.
+- Process exclusions exclude whatever a process touches, but does not exclude the process itself.
+- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
+- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)
+
+You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
+
+|Method | What to do|
+|--|--|
+|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)

    **NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.

    2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.

    3. Under **Manage**, select **Properties**.

    4. Select **Configuration settings: Edit**.

    5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.

    6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).

    7. Choose **Review + save**, and then choose **Save**. |
+|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.

    2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
+|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.

    2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.

    3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
    **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.

    4. Double-click the **Path Exclusions** setting and add the exclusions.
    - Set the option to **Enabled**.
    - Under the **Options** section, click **Show...**.
    - Specify each folder on its own line under the **Value name** column.
    - If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.

    5. Click **OK**.

    6. Double-click the **Extension Exclusions** setting and add the exclusions.
    - Set the option to **Enabled**.
    - Under the **Options** section, click **Show...**.
    - Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.

    7. Click **OK**. |
+|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.

    2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
    **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.

    3. Specify your path and process exclusions. |
+|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.

    2. Import the registry key. Here are two examples:
    - Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
    - Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
+
+## Add McAfee to the exclusion list for Microsoft Defender ATP
+
+To add exclusions to Microsoft Defender ATP, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
+
+1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
+
+2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
+
+3. On the **File hashes** tab, choose **Add indicator**.
+
+3. On the **Indicator** tab, specify the following settings:
+ - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
+ - Under **Expires on (UTC)**, choose **Never**.
+
+4. On the **Action** tab, specify the following settings:
+ - **Response Action**: **Allow**
+ - Title and description
+
+5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
+
+6. On the **Summary** tab, review the settings, and then click **Save**.
+
+### Find a file hash using CMPivot
+
+CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview).
+
+To use CMPivot to get your file hash, follow these steps:
+
+1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
+
+2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
+
+3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`).
+
+4. Select the **Query** tab.
+
+5. 
In the **Device Collection** list, and choose **All Systems (default)**.
+
+6. In the query box, type the following query:
+
+```kusto
+File(c:\\windows\\notepad.exe)
+| project Hash
+```
+> [!NOTE]
+> In the query above, replace *notepad.exe* with the your third-party security product process name.
+
+## Set up your device groups, device collections, and organizational units
+
+| Collection type | What to do |
+|--|--|
+|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.

    Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.

    Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).

    2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.

    3. Choose **+ Add device group**.

    4. Specify a name and description for the device group.

    5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).

    6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).

    7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.

    8. Choose **Done**. |
+|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.

    Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
+|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.

    Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
+
+## Configure antimalware policies and real-time protection
+
+Using Configuration Manager and your device collection(s), configure your antimalware policies.
+
+- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).
+
+- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
+
+> [!TIP]
+> You can deploy the policies before your organization's devices on onboarded.
+
+## Next step
+
+**Congratulations**! You have completed the Setup phase of [migrating from McAfee to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
+
+- [Proceed to Phase 3: Onboard to Microsoft Defender ATP](mcafee-to-microsoft-defender-onboard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
index e25b6e042f..71915fe457 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
@@ -27,8 +27,6 @@ ms.topic: conceptual
 >
 > As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
 >
-> If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Android onboarding page immediately. If you have not yet opted into previews, we encourage you to [turn on preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview) in the Microsoft Defender Security Center today.
-
 This topic describes how to install, configure, update, and use Microsoft Defender ATP for Android.
 > [!CAUTION]
@@ -86,8 +84,7 @@ For more information, see [Deploy Microsoft Defender ATP for Android with Micros
 > [!NOTE]
-> During public preview, instructions to deploy Microsoft Defender ATP for Android on Intune enrolled Android devices are different across Device Administrator and Android Enterprise entrollment modes.
-> **When Microsoft Defender ATP for Android reaches General Availability (GA), the app will be available on Google Play.**
+> **Microsoft Defender ATP for Android is available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx) now.**
 You can connect to Google Play from Intune to deploy Microsoft Defender ATP app, across Device Administrator and Android Enterprise entrollment modes.
 ## How to Configure Microsoft Defender ATP for Android
diff --git a/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md
new file mode 100644
index 0000000000..86914d9a44
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md
@@ -0,0 +1,43 @@
+---
+title: Make the switch to Microsoft Defender ATP
+description: Learn how to make the switch from a non-Microsoft threat protection solution to Microsoft Defender ATP
+search.appverid: MET150
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+audience: ITPro
+ms.topic: conceptual
+ms.date: 09/08/2020
+ms.prod: w10
+ms.localizationpriority: medium
+ms.collection:
+- M365-security-compliance
+ms.custom: migrationguides
+ms.reviewer: chriggs, depicker, yongrhee
+f1.keywords: NOCSH
+---
+
+# Make the switch to Microsoft Defender ATP and Microsoft Defender Antivirus
+
+## Migration guides
+
+If you're considering switching from a non-Microsoft threat protection solution to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) with Microsoft Defender Antivirus, check out our migration guidance.
+
+- [McAfee Endpoint Security (McAfee) to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md)
+
+- [Symantec Endpoint Protection (Symantec) to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md)
+
+- [Manage Microsoft Defender Advanced Threat Protection, after you've migrated](manage-atp-post-migration.md)
+
+
+## Got feedback?
+
+Let us know what you think! Submit your feedback at the bottom of the page. We'll take your feedback into account as we continue to improve and add to our migration guidance.
+
+## See also
+
+- [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection)
+
+- [Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp)
+
+- [Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection?)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
index ca0ae8b595..22a6d8de5e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
@@ -54,8 +54,8 @@ For more information about onboarding methods, see the following articles:
 ## Azure virtual machines
 - Configure and enable [Azure Log Analytics workspace](https://docs.microsoft.com/azure/azure-monitor/platform/gateway)
- - Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
- - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
+ - Setup Azure Log Analytics Gateway (formerly known as OMS Gateway) to act as proxy or hub:
+ - [Azure Log Analytics Gateway](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
 - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp) point to Microsoft Defender ATP Workspace key & ID
 - Offline Azure VMs in the same network of OMS Gateway
 - Configure Azure Log Analytics IP as a proxy
diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
deleted file mode 100644
index dd83d08373..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
+++ /dev/null
@@ -1,213 +0,0 @@ ---- -title: Create and build Power BI reports using Microsoft Defender ATP data connectors -description: Get security insights by creating and building Power BI dashboards using data from Microsoft Defender ATP and other data sources. -keywords: settings, power bi, power bi service, power bi desktop, reports, dashboards, connectors, security insights, mashup -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: mjcaparas -ms.author: macapara -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - - -# Create and build Power BI reports using Microsoft Defender ATP data connectors (Deprecated) - -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - ->[!WARNING] ->This connector is being deprecated, learn how to [Create Power-BI reports using Microsoft Defender ATP APIs](api-power-bi.md). - - -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-powerbireports-abovefoldlink) - -Understand the security status of your organization, including the status of devices, alerts, and investigations using the Microsoft Defender ATP reporting feature that integrates with Power BI. - -Microsoft Defender ATP supports the use of Power BI data connectors to enable you to connect and access Microsoft Defender ATP data using Microsoft Graph. - -Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine data to build reports and dashboards that meet the needs of your organization. 
- -You can easily get started by: -- Creating a dashboard on the Power BI service -- Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting requirements of your organization - -You can access these options from Microsoft Defender Security Center. Both the Power BI service and Power BI Desktop are supported. - -## Create a Microsoft Defender ATP dashboard on Power BI service -Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. - -1. In the navigation pane, select **Settings** > **General** > **Power BI reports**. - -2. Click **Create dashboard**. - - ![Image of create dashboard](images/atp-create-dashboard.png) - - You'll see a notification that things are being loaded. - - ![Image of loading](images/atp-loading.png) - - >[!NOTE] - >Loading your data in the Power BI service can take a few minutes. - -3. Specify the following details: - - **extensionDataSourceKind**: WDATPConnector - - **extensionDataSourcePath**: WDATPConnector - - **Authentication method**: OAuth2 - - ![Image of Power BI authentication method](images/atp-powerbi-extension.png) - -4. Click **Sign in**. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh. - - ![Consent image](images/atp-powerbi-accept.png) - -5. Click **Accept**. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported: - - ![Image of importing data](images/atp-powerbi-importing.png) - - >[!NOTE] - >Depending on the number of onboarded devices, loading your data in the Power BI service can take several minutes. 
A larger number of devices might take longer to load. - - When importing data is completed and the dataset is ready, you’ll the following notification: - - ![Image of dataset is ready](images/atp-data-ready.png) - -6. Click **View dataset** to explore your data. - - -For more information, see [Create a Power BI dashboard from a report](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-create-a-dashboard/). - -## Create a Power BI dashboard from the Power BI portal - -1. Login to [Power BI](https://powerbi.microsoft.com/). - -2. Click **Get Data**. - -3. Select **Microsoft AppSource** > **My Organization** > **Get**. - - ![Image of Microsoft AppSource to get data](images/atp-get-data.png) - -4. In the AppSource window, select **Apps** and search for Microsoft Defender Advanced Threat Protection. - - ![Image of AppSource to get Microsoft Defender ATP](images/atp-appsource.png) - -5. Click **Get it now**. - -6. Specify the following details: - - **extensionDataSourceKind**: WDATPConnector - - **extensionDataSourcePath**: WDATPConnector - - **Authentication method**: OAuth2 - - ![Image of Power BI authentication method](images/atp-powerbi-extension.png) - -7. Click **Sign in**. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh. - - ![Consent image](images/atp-powerbi-accept.png) - -8. Click **Accept**. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported: - - ![Image of importing data](images/atp-powerbi-importing.png) - - >[!NOTE] - >Depending on the number of onboarded devices, loading your data in the Power BI service can take several minutes. 
A larger number of devices might take longer to load. - - When importing data is completed and the dataset is ready, you’ll the following notification: - - ![Image of dataset is ready](images/atp-data-ready.png) - -9. Click **View dataset** to explore your data. - - -## Build a custom Microsoft Defender ATP dashboard in Power BI Desktop -You can create a custom dashboard in Power BI Desktop to create visualizations that cater to the specific views that your organization requires. - -### Before you begin -1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/). - -2. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Power BI reports**. - - ![Image of settings Power BI reports](images/atp-settings-powerbi.png) - -3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it. - - ![Settings with download connector button](images/atp-download-connector.png) - -4. Create a new directory `[Documents]\Power BI Desktop\Custom Connectors`. - -5. Copy WDATPDataConnector.mez from the zip to the directory you just created. - -6. Open Power BI Desktop. - -7. Click **File** > **Options and settings** > **Custom data connectors**. - -8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**. - - > [!NOTE] - > If you plan on using Custom Connectors or connectors that you or a third party has developed, you must select *(Not Recommended) Allow any extension to load without warning* under **Power BI Desktop** > **File** > **Options and settings** > **Options** > **Security** > **Data Extensions**". - - >[!NOTE] - >If you are using Power BI Desktop July 2017 version (or later), you won't need to select **New table and matrix visuals**. You'll only need to select **Custom data connectors**. - - ![Power BI options page](images/atp-powerbi-options.png) - -9. Restart Power BI Desktop. 
- -## Customize the Microsoft Defender ATP Power BI dashboard -After completing the steps in the Before you begin section, you can proceed with building your custom dashboard. - -1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop. - -2. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data. - - ![Consent image](images/atp-powerbi-consent.png) - -3. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports. - - - -## Mashup Microsoft Defender ATP data with other data sources -You can use Power BI Desktop to analyze data from Microsoft Defender ATP and mash that data up with other data sources to gain better security perspective in your organization. - -1. In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Microsoft Defender Advanced Threat Protection**. - -2. Click **Connect**. - -3. On the Preview Connector windows, click **Continue**. - -4. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data. - - ![Consent image](images/atp-powerbi-consent.png) - -5. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports. - -6. In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph. - -7. 
Load other data sources by clicking **Get data item** in the Home ribbon, and select another data source. - -8. Add visuals and select fields from the available data sources. - -## Using the Power BI reports -There are a couple of tabs on the report that's generated: - -- Device and alerts -- Investigation results and action center -- Secure Score - -In general, if you know of a specific threat name, CVE, or KB, you can identify devices with unpatched vulnerabilities that might be leveraged by threats. This report also helps you determine whether device-level mitigations are configured correctly on the devices and prioritize those that might need attention. - - -## Related topic -- [Create custom Power BI reports](api-power-bi.md) - - - - - diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md index 5aef332edd..eab6ea72ec 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md @@ -37,5 +37,4 @@ Turn on the preview experience setting to be among the first to try upcoming fea - [Turn on advanced features in Microsoft Defender ATP](advanced-features.md) - [Configure email notifications in Microsoft Defender ATP](configure-email-notifications.md) - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti.md) -- [Create and build Power BI reports](powerbi-reports.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index 2586120da8..1963e74ca8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md 
@@ -70,8 +70,6 @@ Information protection is an integral part of Microsoft 365 Enterprise suite, pr - [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019)
    Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices. -- [Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
    -Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. > [!TIP] > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/service-status.md b/windows/security/threat-protection/microsoft-defender-atp/service-status.md index 0caa79489b..a8a4322b55 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/service-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/service-status.md @@ -26,7 +26,7 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-servicestatus-abovefoldlink) -The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. +The **Service health** provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md index 9e26a9fef5..119fa1005e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md @@ -1,6 +1,6 @@ --- title: Migrate from Symantec to Microsoft Defender ATP -description: Make the switch from Symantec to Microsoft Defender ATP +description: Get an overview of how to make the switch from Symantec to Microsoft Defender ATP keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,7 +17,10 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate - m365solution-overview -ms.topic: article +ms.topic: conceptual +ms.date: 09/04/2020 +ms.custom: migrationguides +ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec to Microsoft Defender Advanced Threat Protection 
@@ -40,7 +43,7 @@ In this migration guide, we focus on [next-generation protection](https://docs.m | Feature/Capability | Description | |---|---| -| [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & Vulnerability Management capabilities helps identify, assess, and remediate weaknesses across your endpoints (such as devices). | +| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). | | [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. | | [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. | | [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md index 6c7c329a2e..ef82adfcff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md @@ -1,6 +1,6 @@ --- title: Phase 3 - Onboard to Microsoft Defender ATP -description: Make the switch from Symantec to Microsoft Defender ATP +description: This is Phase 3, Onboarding, of making the switch from Symantec to Microsoft Defender ATP keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,6 +17,9 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate ms.topic: article +ms.date: 09/04/2020 +ms.custom: migrationguides +ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec - Phase 3: Onboard to Microsoft Defender ATP diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md index 2a678e94e4..e110562968 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md @@ -1,6 +1,6 @@ --- title: Phase 1 - Prepare for your migration to Microsoft Defender ATP -description: Phase 1 of "Make the switch from Symantec to Microsoft Defender ATP". Prepare for your migration. +description: This is Phase 1, Prepare, of migrating from Symantec to Microsoft Defender ATP. keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,6 +17,9 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate ms.topic: article +ms.date: 09/04/2020 +ms.custom: migrationguides +ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec - Phase 1: Prepare for your migration 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md index a3c0638d1e..2c6253d565 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md @@ -1,6 +1,6 @@ --- -title: Phase 2 - Set up Microsoft Defender ATP -description: Phase 2 - Set up Microsoft Defender ATP +title: Symantec to Microsoft Defender ATP - Phase 2, Setting Up +description: This is Phase 2, Setup, of migrating from Symantec to Microsoft Defender ATP keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,6 +17,9 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate ms.topic: article +ms.date: 09/04/2020 +ms.custom: migrationguides +ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec - Phase 2: Set up Microsoft Defender ATP @@ -102,7 +105,7 @@ Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Def |Method |What to do | |---------|---------| |Command Prompt |1. On a Windows device, open Command Prompt as an administrator.

    2. Type `sc query windefend`, and then press Enter.

    3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | -|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

    2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus?view=win10-ps) cmdlet.

    3. In the list of results, look for **AntivirusEnabled: True**. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

    2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

    3. In the list of results, look for **AntivirusEnabled: True**. | > [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md index 24dcaab4dd..05cd741da3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md @@ -196,7 +196,6 @@ If you haven’t already, it's a good idea to download and use the [Windows Secu ## Related topics * [Protect devices from exploits](exploit-protection.md) -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Enable exploit protection](enable-exploit-protection.md) * [Configure and audit exploit protection mitigations](customize-exploit-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 11aa392b29..af31192f3b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md 
@@ -55,7 +55,7 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- **Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data. -[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP. +[**Security recommendations**](tvm-security-recommendation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP. [**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. 
[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs (security updates). [**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details. diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index 4514bd1e98..14ddebf85f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md 
@@ -60,21 +60,22 @@ The following steps guide you on how to create roles in Microsoft Defender Secur - **Threat and vulnerability management - Exception handling** - Create new exceptions and manage active exceptions - **Threat and vulnerability management - Remediation handling** - Submit new remediation requests, create tickets, and manage existing remediation activities -- **Alerts investigation** - Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags. +- **Alerts investigation** - Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files -- **Manage portal system settings** - Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups. +- **Manage portal system settings** - Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups > [!NOTE] > This setting is only available in the Microsoft Defender ATP administrator (default) role. -- **Manage security settings in Security Center** - Configure alert suppression settings, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications, manage evaluation lab. 
+- **Manage security settings in Security Center** - Configure alert suppression settings, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications, manage evaluation lab - **Live response capabilities** - **Basic** commands: - Start a live response session - Perform read only live response commands on remote device (excluding file copy and execution - **Advanced** commands: - - Download a file from the remote device + - Download a file from the remote device via live response + - Download PE and non-PE files from the file page - Upload a file to the remote device - View a script from the files library - Execute a script on the remote device from the files library diff --git a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md index 1b01a9d308..242f47b39f 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md 
@@ -81,16 +81,13 @@ None. Changes to this policy become effective without a device restart when they ### Safe mode considerations -When you start a device in safe mode, the disabled administrator account is enabled only if the computer is non-domain joined and there are no other active local administrator accounts. If the computer is joined to a domain, the disabled administrator account is not enabled. -If the administrator account is disabled, you can still access the computer by using safe mode with the current administrative credentials. For example, if a failure occurs using a secure channel with a domain-joined computer, and there is no other local administrator account, you must restart the device in safe mode to fix the failure. +When you start a device in safe mode, the disabled administrator account is enabled only if the computer is non-domain joined and there are no other active local administrator accounts. In this case, you can access the computer by using safe mode with the current administrative credentials. If the computer is joined to a domain, the disabled administrator account is not enabled. ### How to access a disabled Administrator account You can use the following methods to access a disabled Administrator account: -- When there is only one local administrator account that is disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the administrator account on that computer. -- When there are local administrator accounts in addition to the built-in account, start the computer in safe mode (locally or over a network), and sign in by using the credentials for the administrator account on that device. An alternate method is to sign in to Windows by using another local -Administrator account that was created. 
-- When multiple domain-joined servers have a disabled local Administrator account that can be accessed in safe mode, you can remotely run psexec by using the following command: **net user administrator /active: no**. +- For non-domain joined computers: when all the local administrator accounts are disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the default local administrator account on that computer. +- For domain-joined computers: remotely run the command **net user administrator /active: yes** by using psexec to enable the default local administrator account. ## Security considerations diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md index 98bcd11836..00e0451b37 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md @@ -61,7 +61,12 @@ This setting has these possible values: This change makes this setting consistent with the functionality of the new **Privacy** setting. To display no user information, enable the Group Policy setting **Interactive logon: Don't display last signed-in**. -- Blank. +- **Domain and user names only** + + For a domain logon only, the domain\username is displayed. + The **Privacy** setting is automatically on and grayed out. + +- **Blank** Default setting. This translates to “Not defined,” but it will display the user’s full name in the same manner as the option **User display name only**. 
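Review bot: The new domain-joined bullet presupposes a second account that already holds administrative rights on the target, because psexec has to authenticate before `net user administrator /active: yes` can run; as written it reads as a way in without any working administrator credential, so the sentence should state that prerequisite. It would also help to tell the reader to disable the account again once the task is finished (`net user administrator /active: no`, the command the removed text used) and, if the hunk-header context that changes take effect without a restart applies here too, to say so, since a re-enabled built-in Administrator stays usable immediately on every machine the command reaches. The non-domain bullet is fine but could name the safe-mode condition it depends on, which the paragraph above already spells out.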
@@ -89,7 +94,7 @@ For all versions of Windows 10, only the user display name is shown by default. If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings. Users will not be able to show details. -If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** to show additional details such as domain\username. +If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** or **Domain and user names only** to show additional details such as domain\username. In this case, clients that run Windows 10 version 1607 need [KB 4013429](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) applied. Users will not be able to hide additional details. diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index fc4c0fde64..a8f8114e8a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -1,6 +1,7 @@ # [Application Control for Windows](windows-defender-application-control.md) ## [WDAC and AppLocker Overview](wdac-and-applocker-overview.md) ### [WDAC and AppLocker Feature Availability](feature-availability.md) +### [Virtualization-based code integrity](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) ## [WDAC design guide](windows-defender-application-control-design-guide.md) 
@@ -41,7 +42,8 @@ ## [Windows Defender Application Control operational guide](windows-defender-application-control-operational-guide.md) -### [Understanding Application Control events](event-id-explanations.md) +### [Understanding Application Control event IDs](event-id-explanations.md) +### [Understanding Application Control event tags](event-tag-explanations.md) ### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) ## [AppLocker](applocker\applocker-overview.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 6601f20830..444430a762 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -1,6 +1,6 @@ --- -title: Understanding Application Control events (Windows 10) -description: Learn what different Windows Defender Application Control events signify. +title: Understanding Application Control event IDs (Windows 10) +description: Learn what different Windows Defender Application Control event IDs signify. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 
@@ -21,8 +21,9 @@ ms.date: 3/17/2020 A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: -1. Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational -2. Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script + - Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational + + - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script ## Microsoft Windows CodeIntegrity Operational log event IDs diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md new file mode 100644 index 0000000000..455177e5c9 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md 
@@ -0,0 +1,83 @@ +--- +title: Understanding Application Control event tags (Windows 10) +description: Learn what different Windows Defender Application Control event tags signify. +keywords: security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 8/27/2020 +--- + +# Understanding Application Control event tags + +Windows Defender Application Control (WDAC) events include a number of fields which provide helpful troubleshooting information to figure out exactly what an event means. Below, we have documented the values and meanings for a few useful event tags. + +## SignatureType + +Represents the type of signature which verified the image. + +| SignatureType Value | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Unsigned or verification has not been attempted | +| 1 | Embedded signature | +| 2 | Cached signature; presence of CI EA shows that file had been previously verified | +| 4 | Un-cached catalog verified via Catalog Database or searching catalog directly | +| 5 | Successfully verified using an EA that informs CI which catalog to try first | +|6 | AppX / MSIX package catalog verified | +| 7 | File was verified | + +## ValidatedSigningLevel + +Represents the signature level at which the code was verified. 
+ +| ValidatedSigningLevel Value | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Signing level has not yet been checked | +| 1 | File is unsigned | +| 2 | Trusted by WDAC policy | +| 3 | Developer signed code | +| 4 | Authenticode signed | +| 5 | Microsoft Store signed app PPL (Protected Process Light) | +| 6 | Microsoft Store-signed | +| 7 | Signed by an Antimalware vendor whose product is using AMPPL | +| 8 | Microsoft signed | +| 11 | Only used for signing of the .NET NGEN compiler | +| 12 | Windows signed | +| 14 | Windows Trusted Computing Base signed | + +## VerificationError + +Represents why verification failed, or if it succeeded. 
+ +| VerificationError Value | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Successfully verified signature | +| 2 | File contains shared writable sections | +| 4 | Revoked signature | +| 5 | Expired signature | +| 7 | Invalid root certificate | +| 8 | Signature was unable to be validated; generic error | +| 9 | Signing time not trusted | +| 12 | Not valid for a PPL (Protected Process Light) | +| 13 | Not valid for a PP (Protected Process) | +| 15 | Failed WHQL check | +| 16 | Default policy signing level not met | +| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs | +| 18 | Custom signing level not met; returned if signature fails to match CISigners in UMCI | +| 19 | Binary is revoked by file hash | +| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy | +| 21 | Failed to pass WDAC policy | +| 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet | +| 23 | Invalid image hash | +| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS | +| 26 | Explicitly denied by WADC policy | +| 28 | Resource page hash mismatch | diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 443397ada3..06d6ee7d8f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md 
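Review bot: The new file reuses `ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb`, the same value event-id-explanations.md already carries in the hunk above, so the two pages are no longer uniquely identified; give event-tag-explanations.md its own id (`ms.assetid: <new-guid>`). In the VerificationError table, value 26 reads `Explicitly denied by WADC policy` and should be `Explicitly denied by WDAC policy` to match the acronym used everywhere else on the page. The three tables also skip values (for example SignatureType 3, VerificationError 1, 3 and 6) without saying why; a one-line remark above each table stating that omitted values are not documented here would stop readers from assuming the lists are exhaustive when they map log data to these fields.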
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md 
@@ -24,38 +24,55 @@ ms.date: 04/09/2019 - Windows 10 - Windows Server 2016 and above -Members of the security community\* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control. +Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control. Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent application allow policies, including Windows Defender Application Control: - addinprocess.exe - addinprocess32.exe - addinutil.exe +- aspnet_compiler.exe - bash.exe -- bginfo.exe[1] +- bginfo.exe1 - cdb.exe - csi.exe - dbghost.exe - dbgsvc.exe - dnx.exe +- dotnet.exe - fsi.exe - fsiAnyCpu.exe +- infdefaultinstall.exe - kd.exe -- ntkd.exe +- kill.exe - lxssmanager.dll -- msbuild.exe[2] +- lxrun.exe +- Microsoft.Build.dll +- Microsoft.Build.Framework.dll +- Microsoft.Workflow.Compiler.exe +- msbuild.exe2 +- msbuild.dll - mshta.exe +- ntkd.exe - ntsd.exe +- powershellcustomhost.exe - rcsi.exe +- runscripthelper.exe +- texttransform.exe +- visualuiaverifynative.exe - system.management.automation.dll +- wfc.exe - windbg.exe - wmic.exe +- wsl.exe +- wslconfig.exe +- wslhost.exe -[1]A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](https://docs.microsoft.com/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. 
+1 A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](https://docs.microsoft.com/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. -[2]If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe. +2 If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe. -*Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people: +* Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
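Review bot: The footnote markers on the new side lose their reference form: `bginfo.exe1`, `msbuild.exe2`, `+1 A vulnerability…`, `+2 If you are…` and `+* Microsoft recognizes…` replace the old `[1]`, `[2]` and `*`; if the diff as rendered here dropped inline HTML such as `<sup>` tags this can be disregarded, but as plain Markdown `bginfo.exe1` reads as a literal file name a reader may try to match in a policy, and a line beginning `* ` is rendered as a bullet list item rather than as the acknowledgement footnote. If the intent is plain Markdown, an explicit marker keeps the cross-reference readable, e.g. `- bginfo.exe <sup>1</sup>` with `<sup>1</sup> A vulnerability in bginfo.exe has been fixed…` below the list. Separately, the added entries break the alphabetical order this same hunk restores for `ntkd.exe`: `lxrun.exe` follows `lxssmanager.dll`, `msbuild.dll` follows `msbuild.exe2`, and `texttransform.exe` and `visualuiaverifynative.exe` are placed before `system.management.automation.dll`; keeping the list sorted makes it easier to diff against a deployed block policy.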
    @@ -121,44 +138,45 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + + + + + - + + + + + + + + + - - + + + + + + - - - - - - - - - - + - + + + + - - - + + + + + - - - - - - - - - - - - @@ -859,48 +877,51 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + + + + + - - - - - - - - + + + + + + + + + + + - + + + + - - - + + + + + - - - - - - - - + - - - - + diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md index 9ee20747b7..8a7ad0700f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md 
@@ -24,20 +24,22 @@ ms.date: 03/16/2020 - Windows 10 - Windows Server 2016 and above -After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanted Threat Protection (MDATP) Advanced Hunting feature. +After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanced Threat Protection (MDATP) Advanced Hunting feature. ## WDAC Events Overview -WDAC generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable allow events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured. +WDAC generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured. WDAC events are generated under two locations: -1. Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational -2. 
Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script + - Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational + + - Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script ## In this section | Topic | Description | | - | - | -| [Understanding Application Control events](event-id-explanations.md) | This topic explains the meaning of different WDAC events. | +| [Understanding Application Control event IDs](event-id-explanations.md) | This topic explains the meaning of different WDAC event IDs. | +| [Understanding Application Control event tags](event-tag-explanations.md) | This topic explains the meaning of different WDAC event tags. | | [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP. |