deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 02:13:43 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into wdac-19H1

Browse Source
This commit is contained in:
Justin Hall
2019-05-14 18:08:35 -07:00
parent 7c68158598 101f4b7614
commit 9413bf545d
72 changed files with 1783 additions and 849 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
windows/security/identity-protection/credential-guard/credential-guard-manage.md
View File

@ -20,6 +20,7 @@ ms.date: 03/01/2019
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2019
## Enable Windows Defender Credential Guard
@ -134,8 +135,7 @@ DG_Readiness_Tool_v3.5.ps1 -Ready
```
> [!NOTE]
For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features.
> For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features.
- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible.
@ -157,13 +157,14 @@ To disable Windows Defender Credential Guard, you can use the following set of p
1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**).
2. Delete the following registry settings:
- HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags
3. If you also wish to disable virtualization-based security delete the following registry settings:
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures
> [!IMPORTANT]
> If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
3. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
4. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
``` syntax
mountvol X: /s
@ -171,18 +172,20 @@ To disable Windows Defender Credential Guard, you can use the following set of p
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
bcdedit /set hypervisorlaunchtype off
mountvol X: /d
```
2. Restart the PC.
3. Accept the prompt to disable Windows Defender Credential Guard.
4. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard.
5. Restart the PC.
6. Accept the prompt to disable Windows Defender Credential Guard.
7. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard.
> [!NOTE]
> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings:
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set vsmlaunchtype off
> [!NOTE]
> Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs.

28
windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
View File

@ -24,21 +24,21 @@ ms.date: 08/20/2018
## How many is adequate
How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 includes the KDC AS Requests performance counter. You can use these counters to determine how much of a domain controllers load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication--it remains unchanged.
How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 includes the KDC AS Requests performance counter. You can use these counters to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication--it remains unchanged.
Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 domain controller.
Determining an adequate number of Windows Server 2016 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2016) to a deployment of existing domain controllers (Windows Server 2008R2 or Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario.
Determining an adequate number of Windows Server 2016 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2016) to a deployment of existing domain controllers (Windows Server 2008R2 or Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario:
Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following.
Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following:
![dc-chart1](images/plan/dc-chart1.png)
The environment changes. The first change includes DC1 upgraded to Windows Server 2016 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following.
The environment changes. The first change includes DC1 upgraded to Windows Server 2016 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following:
![dc-chart2](images/plan/dc-chart2.png)
The Windows Server 2016 domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of the password authentication. Why? This behavior occurs because domain controllers 2- 10 only support password and certificate trust authentication; only a Windows Server 2016 domain controller supports authentication public key trust authentication. The Windows Server 2016 domain controller understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will be bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 domain controller is added, but without deploying Windows Hello for Business to anymore clients.
The Windows Server 2016 domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of the password authentication. Why? This behavior occurs because domain controllers 2- 10 only support password and certificate trust authentication; only a Windows Server 2016 domain controller supports authentication public key trust authentication. The Windows Server 2016 domain controller understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will be bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 domain controller is added, but without deploying Windows Hello for Business to anymore clients?
![dc-chart3](images/plan/dc-chart3.png)
@ -63,7 +63,7 @@ The preceding was an example to show why it's unrealistic to have a "one-size-fi
## Determining total AS Request load
Each organization needs to have an baseline of the AS request load that occurs in their environment. Windows Server provides the KDC AS Requests performance counter that helps you determine this.
Each organization needs to have a baseline of the AS request load that occurs in their environment. Windows Server provides the KDC AS Requests performance counter that helps you determine this.
Pick a site where you plan to upgrade the clients to Windows Hello for Business public key trust. Pick a time when authentication traffic is most significant--Monday morning is great time as everyone is returning to the office. Enable the performance counter on *all* the domain controllers in that site. Collect KDC AS Requests performance counters for two hours:
* A half-hour before you expect initial authentication (sign-ins and unlocks) to be significant
@ -75,29 +75,29 @@ For example, if employees are scheduled to come into the office at 9:00am. Your
> [!NOTE]
> To capture all the authentication traffic. Ensure that all computers are powered down to get the most accurate authentication information (computers and services authenticate at first power up--you need to consider this authentication in your evaluation).
Aggregate the performance data of all domain controllers. Look for the maximum KDC AS Requests for each domain controller. Find the median time when the maximum number of requests occurred for the site, this should represent when the site is experience the highest amount of authentication.
Aggregate the performance data of all domain controllers. Look for the maximum KDC AS Requests for each domain controller. Find the median time when the maximum number of requests occurred for the site, this should represent when the site is experiencing the highest amount of authentication.
Add the number of authentications for each domain controller for the median time. You now have the total authentication for the site during a peak time. Using this metric, you can determine the distribution of authentication across the domain controllers in the site by dividing the domain controller's authentication number for the median time by the total authentication. Multiple the quotient by 10 to convert the distribution to a percentage. To validate your math, all the distributions should equal 100 percent.
Add the number of authentications for each domain controller for the median time. You now have the total authentication for the site during a peak time. Using this metric, you can determine the distribution of authentication across the domain controllers in the site by dividing the domain controller's authentication number for the median time by the total authentication. Multiply the quotient by 10 to convert the distribution to a percentage. To validate your math, all the distributions should equal 100 percent.
Review the distribution of authentication. Hopefully, none of these are above 70 percent. It's always good to reserve some capacity for the unexpected. Also, the primary purposes of a domain controller is to provide authentication and handle Active Directory operations. Identify domain controllers with lower distributions of authentication as potential candidates for the initial domain controller upgrades in conjunction with a reasonable distribution of clients provisioned for Windows Hello for Business.
Review the distribution of authentication. Hopefully, none of these are above 70 percent. It's always good to reserve some capacity for the unexpected. Also, the primary purposes of a domain controller are to provide authentication and handle Active Directory operations. Identify domain controllers with lower distributions of authentication as potential candidates for the initial domain controller upgrades in conjunction with a reasonable distribution of clients provisioned for Windows Hello for Business.
## Monitoring Authentication
Using the same methods previously described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2016. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. This gives you a baseline for your environment to where you can form a statement such as
Using the same methods previously described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2016. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. This gives you a baseline for your environment from which you can form a statement such as
```"Every n Windows Hello for Business clients results in x percentage of key-trust authentication."```
Where _n_ equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment.
Where _n_ equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment.
Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 domain controllers. If there is only one Windows Server 2016 domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible.
Increasing the number of number of domain controllers distributes the volume of authentication, but doesn't change it. Therefore, as you add more domain controllers, the burden of authentication for which each domain controller is responsible decrease. Upgrading two domain controller changes the distribution to 50 percent. Upgrading three domain controllers changes the distribution to 33 percent, and so on.
Increasing the number of domain controllers distributes the volume of authentication, but doesn't change it. Therefore, as you add more domain controllers, the burden of authentication, for which each domain controller is responsible, decreases. Upgrading two domain controller changes the distribution to 50 percent. Upgrading three domain controllers changes the distribution to 33 percent, and so on.
## Strategy
The simplest strategy you can employ is to upgrade one domain controller and monitor the single domain controller as you continue to phase in new Windows Hello for Business key-trust clients until it reaches a 70 or 80 percent threshold.
Then, upgrade a second domain controller. Monitor the authentication on both domain controllers to determine how the authentication distributes between the two domain controllers. Introduce more Windows Hello for Business clients while monitoring the authentication on the two upgraded domain controllers. Once those reach your environments designated capacity, then upgrade another domain controller.
Then, upgrade a second domain controller. Monitor the authentication on both domain controllers to determine how the authentication distributes between the two domain controllers. Introduce more Windows Hello for Business clients while monitoring the authentication on the two upgraded domain controllers. Once those reach your environment's designated capacity, you can upgrade another domain controller.
Repeat until your deployment for that site is complete. Now, monitor authentication across all your domain controllers like you did the very first time. Determine the distribution of authentication for each domain controller. Identify the percentage of distribution for which it is responsible. If a single domain controller is responsible for 70 percent of more of the authentication, you may want to consider adding a domain controller to reduce the distribution of authentication volume.
However, before considering this, ensure the high load of authentication is not a result of applications and services where their configuration has a statically configured domain controller. Adding domain controllers will not resolve the additional authentication load problem in this scenario. Instead, manually distribute the authentication to different domain controllers among all the services or applications. Alternatively, try simply using the domain name rather than a specific domain controller. Each domain controller has an A record registered in DNS for the domain name, which DNS will round robin with each DNS query. It's not the best load balancer, however, it is a better alternative to static domain controller configurations, provided the configuration is compatible with your service or application.
However, before considering this, ensure the high load of authentication is not a result of applications and services where their configuration has a statically-configured domain controller. Adding domain controllers will not resolve the additional authentication load problem in this scenario. Instead, manually distribute the authentication to different domain controllers among all the services or applications. Alternatively, try simply using the domain name rather than a specific domain controller. Each domain controller has an A record registered in DNS for the domain name, which DNS will round robin with each DNS query. It's not the best load balancer, however, it is a better alternative to static domain controller configurations, provided the configuration is compatible with your service or application.

8
windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
View File

@ -23,7 +23,7 @@ ms.date: 08/19/2018
- Certificate trust
On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter.
On-premises deployments must use an on-premises MFA Server that provides an AD FS Multifactor authentication adapter. It can be an Azure Multi-Factor Authentication Server or a third-party MFA solution.
>[!TIP]
>Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further.
@ -80,7 +80,7 @@ The following services are required:
Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated.
#### Configure the IIS Servers Certificate
#### Configure the IIS Server Certificate
The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate.
@ -171,9 +171,9 @@ To do this, please follow the instructions mentioned in the previous [Install th
Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated.
#### Configure the IIS Servers Certificate
#### Set the IIS Server Certificate
To do this, please follow the instructions mentioned in the previous [Configure the IIS Servers Certificate](#configure-the-iis-servers-certificate) section.
To do this, please follow the instructions mentioned in the previous [Configure the IIS Servers Certificate](#configure-the-iis-server-certificate) section.
#### Create WebServices SDK user account

8
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
View File

@ -28,7 +28,7 @@ Windows Hello for Business involves configuring distributed technologies that ma
* [Active Directory](#active-directory)
* [Public Key Infrastructure](#public-key-infrastructure)
* [Azure Active Directory](#azure-active-directory)
* [Multi-factor Authentication Services](#multi-factor-authentication-services)
* [Multifactor Authentication Services](#multifactor-authentication-services)
New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) section to prepare your Windows Hello for Business deployment by configuring Azure device registration.
@ -80,7 +80,7 @@ If you do have an existing public key infrastructure, please review [Certificati
### Section Review ###
> [!div class="checklist"]
> * Miniumum Windows Server 2012 Certificate Authority.
> * Minimum Windows Server 2012 Certificate Authority.
> * Enterprise Certificate Authority.
> * Functioning public key infrastructure.
@ -128,7 +128,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation
> * Review the overview and uses of Azure Multifactor Authentication.
> * Review your Azure Active Directory subscription for Azure Multifactor Authentication.
> * Create an Azure Multifactor Authentication Provider, if necessary.
> * Configure Azure Multufactor Authentiation features and settings.
> * Configure Azure Multifactor Authentication features and settings.
> * Understand the different User States and their effect on Azure Multifactor Authentication.
> * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server 2016 Active Directory Federation Services, if necessary.
@ -141,7 +141,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. New Installation Baseline (*You are here*)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)

8
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
View File

@ -28,13 +28,13 @@ Your environment is federated and you are ready to configure device registration
> [!IMPORTANT]
> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.
Use this three phased approach for configuring device registration.
Use this three-phased approach for configuring device registration.
1. [Configure devices to register in Azure](#configure-azure-for-device-registration)
2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-syncrhonization)
3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices)
> [!NOTE]
> Before proceeding, you should familiarize yourself with device regisration concepts such as:
> Before proceeding, you should familiarize yourself with device registration concepts such as:
> * Azure AD registered devices
> * Azure AD joined devices
> * Hybrid Azure AD joined devices
@ -100,7 +100,7 @@ Federation server proxies are computers that run AD FS software that have been c
Use the [Setting of a Federation Proxy](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment.
### Deploy Azure AD Connect
Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771).
Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771).
When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**.
@ -514,7 +514,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. Configure Azure Device Registration (*You are here*)
5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)

6
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
View File

@ -37,10 +37,10 @@ This baseline provides detailed procedures to move your environment from an on-p
## Federated Baseline ##
The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment.
Regardless of the baseline you choose, youre next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates.
Regardless of the baseline you choose, your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates.
> [!div class="nextstepaction"]
> [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
> [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
<br><br>
@ -48,7 +48,7 @@ Regardless of the baseline you choose, youre next step is to familiarize your
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
1. Overview (*You are here*)
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. [Device Registration](hello-hybrid-cert-trust-devreg.md)
5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)

8
windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
View File

@ -80,7 +80,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> [!IMPORTANT]
> For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store.
> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url.
> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based URL.
### Section Review ###
@ -124,7 +124,7 @@ If your organization uses Azure MFA on a per-consumption model (no licenses), th
Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
#### Azure MFA User States ####
After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users.
After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users.
### Azure MFA via ADFS ###
Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section.
@ -135,7 +135,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation
> * Review the overview and uses of Azure Multifactor Authentication.
> * Review your Azure Active Directory subscription for Azure Multifactor Authentication.
> * Create an Azure Multifactor Authentication Provider, if necessary.
> * Configure Azure Multifactor Authentiation features and settings.
> * Configure Azure Multifactor Authentication features and settings.
> * Understand the different User States and their effect on Azure Multifactor Authentication.
> * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary.
@ -148,7 +148,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-key-trust.md)
2. [Prerequistes](hello-hybrid-key-trust-prereqs.md)
2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
3. New Installation Baseline (*You are here*)
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)

4
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
View File

@ -38,7 +38,7 @@ Begin configuring device registration to support Hybrid Windows Hello for Busine
To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/)
Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) page. In the **Configuration steps** section, identify you configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.
Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.
<br><br>
@ -47,7 +47,7 @@ Next, follow the guidance on the [How to configure hybrid Azure Active Directory
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. Configure Azure Device Registration (*You are here*)

4
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
View File

@ -26,7 +26,7 @@ ms.date: 08/19/2018
You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises.
## Deploy Azure AD Connect
Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771).
Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771).
> [!NOTE]
@ -38,7 +38,7 @@ Next, you need to synchronizes the on-premises Active Directory with Azure Activ
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-key-trust.md)
2. [Prerequistes](hello-hybrid-key-trust-prereqs.md)
2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
4. Configure Directory Synchronization (*You are here*)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)

4
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
View File

@ -85,7 +85,7 @@ Organizations using older directory synchronization technology, such as DirSync
<br>
## Federation with Azure ##
You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later.
You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2.
### Section Review ###
> [!div class="checklist"]
@ -97,7 +97,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat
## Multifactor Authentication ##
Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication.
Hybrid Windows Hello for Business deployments can use Azures Multi-factor Authentication service or they can use multi-factor authentication provides by Windows Server 2012 R2 or later Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multi-factor authentication into AD FS.
Hybrid Windows Hello for Business deployments can use Azures Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD.
### Section Review
> [!div class="checklist"]

6
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
View File

@ -34,10 +34,10 @@ The new deployment baseline helps organizations who are moving to Azure and Offi
This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in.
Youre next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates.
Your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates.
> [!div class="nextstepaction"]
> [Prerequistes](hello-hybrid-key-trust-prereqs.md)
> [Prerequisites](hello-hybrid-key-trust-prereqs.md)
<br><br>
@ -45,7 +45,7 @@ Youre next step is to familiarize yourself with the prerequisites needed for
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. Overview (*You are here*)
2. [Prerequistes](hello-hybrid-key-trust-prereqs.md)
2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)

13
windows/security/identity-protection/hello-for-business/hello-planning-guide.md
View File

@ -77,7 +77,7 @@ A deployment's trust type defines how each Windows Hello for Business client aut
The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers. Users can authenticate using their certificate to any Windows Server 2008 R2 or later domain controller.
The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
#### Device registration
@ -101,7 +101,6 @@ Cloud only and hybrid deployments provide many choices for multi-factor authenti
> * Azure Active Directory Premium
> * Enterprise Mobility Suite
> * Enterprise Cloud Suite
>* A per-user and per-authentication consumption-based model that is billed monthly against Azure monetary commitment (Read [Multi-Factor Authentication Pricing](https://azure.microsoft.com/pricing/details/multi-factor-authentication/) for more information)
#### Directory synchronization
@ -136,7 +135,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in
### Cloud
Some deployment combinations require an Azure account and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional.
Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional.
## Planning a Deployment
@ -150,13 +149,13 @@ Choose the deployment model based on the resources your users access. Use the f
If your organization does not have on-premises resources, write **Cloud Only** in box **1a** on your planning worksheet.
If your organization is federated with Azure or uses any online service, such as Office365 or OneDrive, or your users access cloud and on-premises resources, write **Hybrid** in box **1a** on your planning worksheet.
If your organization is federated with Azure or uses any online service, such as Office365 or OneDrive, or your users' access cloud and on-premises resources, write **Hybrid** in box **1a** on your planning worksheet.
If your organization does not have cloud resources, write **On-Premises** in box **1a** on your planning worksheet.
>[!NOTE]
>If youre unsure if your organization is federated, run the following Active Directory Windows PowerShell command from an elevated Windows PowerShell prompt and evaluate the results.
>```Get-AdObject “CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com" -Properties keywords```
>* If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. If the object truly does not exist, then you environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type.
>* If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. If the object truly does not exist, then your environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type.
>* If the command returns a value, compare that value with the values below. The value indicates the deployment model you should implement
> * If the value begins with **azureADName:** write **Hybrid** in box **1a**on your planning worksheet.
> * If the value begins with **enterpriseDrsName:** write **On-Premises** in box **1a** on your planning worksheet.
@ -197,7 +196,7 @@ If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in
If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet.
If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the users credential remain on the on-premises network.
If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the users credentials remain on the on-premises network.
### Multifactor Authentication
@ -274,7 +273,7 @@ Public key infrastructure prerequisites already exist in your planning worksheet
If box **1a** on your planning worksheet reads **cloud only**, ignore the public key infrastructure section of your planning worksheet. Cloud only deployments do not use a public key infrastructure.
If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet.
If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet. Key trust doesn't require any change in public key infrastructure, skip this part and go to **Cloud** section.
The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.

2
windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
View File

@ -529,7 +529,7 @@ Disable-BitLocker -MountPoint E:,F:,G:
```
## See also
- [Prepare your organization for BitLocker: Planning and p\\olicies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker recovery guide](bitlocker-recovery-guide-plan.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
- [BitLocker overview](bitlocker-overview.md)

76
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -11,7 +11,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/29/2019
ms.date: 05/13/2019
---
# Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
@ -21,7 +21,7 @@ ms.date: 04/29/2019
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune only manages the apps on a user's personal device.
Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device.
## Differences between MDM and MAM for WIP
@ -98,7 +98,7 @@ Select **Store apps**, type the app product name and publisher, and click **OK**
![Add Store app](images\add-a-protected-store-app.png)
To add multiple Store apps, click the elipsis **…**.
To add multiple Store apps, click the ellipsis **…**.
If you don't know the Store app publisher or product name, you can find them by following these steps.
@ -187,7 +187,7 @@ To add **Desktop apps**, complete the following fields, based on what results yo
</tr>
</table>
To add another Desktop app, click the elipsis **…**. After youve entered the info into the fields, click **OK**.
To add another Desktop app, click the ellipsis **…**. After youve entered the info into the fields, click **OK**.
![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png)
@ -403,7 +403,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
![Add protected domains](images/add-protected-domains.png)
## Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include policy that defines your enterprise network locations.
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations.
There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprises range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
@ -562,56 +562,50 @@ After you create and deploy your WIP policy to your employees, Windows begins to
![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png)
## Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, youll be asked to decide if you want to add any optional WIP settings.
After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings.
**To set your optional settings**
1. Choose to set any or all optional settings:
![Microsoft Intune, Choose if you want to include any of the optional settings](images/wip-azure-advanced-settings-optional.png)
- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
![Advanced optional settings ](images/wip-azure-advanced-settings-optional.png)
**Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
- **On.** Turns on the feature and provides the additional protection.
- **On.** Turns on the feature and provides the additional protection.
- **Off, or not configured.** Doesn't enable this feature.
- **Off, or not configured.** Doesn't enable this feature.
- **Revoke encryption keys on unenroll.** Determines whether to revoke a users local encryption keys from a device when its unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
**Revoke encryption keys on unenroll.** Determines whether to revoke a users local encryption keys from a device when its unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
- **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
- **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if youre migrating between Mobile Device Management (MDM) solutions.
- **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if youre migrating between Mobile Device Management (MDM) solutions.
- **Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
**Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
- **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu.
- **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu.
- **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option.
- **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option.
- **Use Azure RMS for WIP.** Determines whether to use Azure Rights Management encryption with Windows Information Protection.
**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they are copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS templates license. Only users with permission to that template will be able to read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp).
- **On.** Starts using Azure Rights Management encryption with WIP. By turning this option on, you can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. For more info about setting up Azure Rights management and using a template ID with WIP, see the [Choose to set up Azure Rights Management with WIP](#choose-to-set-up-azure-rights-management-with-wip) section of this topic.
- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesnt actually apply Azure Information Protection to the files. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy.
- **Off, or not configured.** Stops using Azure Rights Management encryption with WIP.
- **Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files.
- **On.** Starts Windows Search Indexer to index encrypted files.
- **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files.
## Choose to set up Azure Rights Management with WIP
WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.
Optionally, if you dont want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. This template will be applied to the protected data that is copied to a removable drive.
>[!IMPORTANT]
>Curly braces -- {} -- are required around the RMS Template ID.
If you dont specify an [RMS template](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates), its a regular EFS file using a default RMS template that all users can access.
- **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive.
>[!NOTE]
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic.
>Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders.
**Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files.
- **On.** Starts Windows Search Indexer to index encrypted files.
- **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files.
## Encrypted file extensions
You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied.
![WIP encrypted file extensions](images/wip-encrypted-file-extensions.png)
## Related topics

6
windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
View File

@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/30/2019
ms.date: 05/13/2019
---
# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
@ -474,13 +474,13 @@ After you've decided where your protected apps can access enterprise data on you
- **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
- **Revoke local encryption keys during the unerollment process.** Determines whether to revoke a users local encryption keys from a device when its unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a users local encryption keys from a device when its unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if youre migrating between Mobile Device Management (MDM) solutions.
- **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Choose to set up Azure Rights Management with WIP](create-wip-policy-using-intune-azure.md#choose-to-set-up-azure-rights-management-with-wip). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell).
- **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you dont specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to.
2. After you pick all of the settings you want to include, click **Summary**.

BIN
windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 14 KiB

After

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

4
windows/security/threat-protection/intelligence/safety-scanner-download.md
View File

@ -22,6 +22,8 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from
- [Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732)
> **NOTE** The security intelligence update version of the Microsoft Safety Scaner matches the version described [in this web page](https://www.microsoft.com/en-us/wdsi/definitions).
Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan.
> **NOTE:** This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/en-us/windows/windows-defender) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection).
@ -49,4 +51,4 @@ For more information about the Safety Scanner, see the support article on [how t
- [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download)
- [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware)
- [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission)
- [Microsoft antimalware and threat protection solutions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection)
- [Microsoft antimalware and threat protection solutions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection)

120
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md Normal file
View File

@ -0,0 +1,120 @@
---
title: Installing Microsoft Defender ATP for Mac manually
description: Describes how to install Microsoft Defender ATP for Mac manually, from the command line.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Manual deployment
**Applies to:**
[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md)
>[!IMPORTANT]
>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here.
## Prerequisites and system requirements
Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
## Download installation and onboarding packages
Download the installation and onboarding packages from Windows Defender Security Center:
1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**.
3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png)
5. From a command prompt, verify that you have the two files.
Extract the contents of the .zip files:
```bash
mavel-macmini:Downloads test$ ls -l
total 721152
-rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: WindowsDefenderATPOnboarding.py
```
## Application installation
To complete this process, you must have admin privileges on the machine.
1. Navigate to the downloaded wdav.pkg in Finder and open it.
![App install screenshot](images/MDATP_28_AppInstall.png)
2. Select **Continue**, agree with the License terms, and enter the password when prompted.
![App install screenshot](images/MDATP_29_AppInstallLogin.png)
> [!IMPORTANT]
> You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed.
![App install screenshot](images/MDATP_30_SystemExtension.png)
3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**:
![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png)
The installation will proceed.
> [!NOTE]
> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time.
## Client configuration
1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac.
The client machine is not associated with orgId. Note that the orgid is blank.
```bash
mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid :
```
2. Install the configuration file on a client machine:
```bash
mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py
Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
```
3. Verify that the machine is now associated with orgId:
```bash
mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8
```
After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png)
## Logging installation issues
See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
## Uninstallation
See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices.

170
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md Normal file
View File

@ -0,0 +1,170 @@
---
title: Installing Microsoft Defender ATP for Mac with Microsoft Intune
description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Microsoft Intune-based deployment
**Applies to:**
[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md)
>[!IMPORTANT]
>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here.
## Prerequisites and system requirements
Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
## Download installation and onboarding packages
Download the installation and onboarding packages from Windows Defender Security Center:
1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
5. Download IntuneAppUtil from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos).
![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png)
6. From a command prompt, verify that you have the three files.
Extract the contents of the .zip files:
```bash
mavel-macmini:Downloads test$ ls -l
total 721688
-rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil
-rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
inflating: intune/kext.xml
inflating: intune/WindowsDefenderATPOnboarding.xml
inflating: jamf/WindowsDefenderATPOnboarding.plist
mavel-macmini:Downloads test$
```
7. Make IntuneAppUtil an executable:
```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil```
8. Create the wdav.pkg.intunemac package from wdav.pkg:
```bash
mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
Microsoft Intune Application Utility for Mac OS X
Version: 1.0.0.0
Copyright 2018 Microsoft Corporation
Creating intunemac file for /Users/test/Downloads/wdav.pkg
Composing the intunemac file output
Output written to ./wdav.pkg.intunemac.
IntuneAppUtil successfully processed "wdav.pkg",
to deploy refer to the product documentation.
```
## Client Machine Setup
You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp).
1. You'll be asked to confirm device management.
![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png)
Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**:
![Management profile screenshot](images/MDATP_4_ManagementProfile.png)
2. Select the **Continue** button and complete the enrollment.
You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned.
3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine:
![Add Devices screenshot](images/MDATP_5_allDevices.png)
## Create System Configuration profiles
1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**.
2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**.
3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above.
4. Select **OK**.
![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png)
5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
6. Repeat these steps with the second profile.
7. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file.
8. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**.
After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade:
![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png)
## Publish application
1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**.
2. Select **App type=Other/Line-of-business app**.
3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
4. Select **Configure** and add the required information.
5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value.
![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png)
6. Select **OK** and **Add**.
![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png)
7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**.
![Client apps screenshot](images/MDATP_10_ClientApps.png)
8. Change **Assignment type=Required**.
9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
![Intune assignments info screenshot](images/MDATP_11_Assignments.png)
10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade:
![Intune device status screenshot](images/MDATP_12_DeviceInstall.png)
## Verify client machine state
1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**.
![System Preferences screenshot](images/MDATP_13_SystemPreferences.png)
![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png)
2. Verify the three profiles listed there:
![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png)
3. The **Management Profile** should be the Intune system profile.
4. wdav-config and wdav-kext are system configuration profiles that we added in Intune.
5. You should also see the Microsoft Defender icon in the top-right corner:
![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png)
## Logging installation issues
See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
## Uninstallation
See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices.

205
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md Normal file
View File

@ -0,0 +1,205 @@
---
title: Installing Microsoft Defender ATP for Mac with JAMF
description: Describes how to install Microsoft Defender ATP for Mac, using JAMF.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# JAMF-based deployment
**Applies to:**
[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md)
>[!IMPORTANT]
>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here.
## Prerequisites and system requirements
Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow.
## Download installation and onboarding packages
Download the installation and onboarding packages from Windows Defender Security Center:
1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png)
5. From a command prompt, verify that you have the two files.
Extract the contents of the .zip files:
```bash
mavel-macmini:Downloads test$ ls -l
total 721160
-rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
inflating: intune/kext.xml
inflating: intune/WindowsDefenderATPOnboarding.xml
inflating: jamf/WindowsDefenderATPOnboarding.plist
mavel-macmini:Downloads test$
```
## Create JAMF Policies
You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines.
### Configuration Profile
The configuration profile contains one custom settings payload that includes:
- Microsoft Defender ATP for Mac onboarding information
- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run
1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File.
>[!NOTE]
> You must use exactly "com.microsoft.wdav.atp" as the Preference Domain.
![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png)
### Approved Kernel Extension
To approve the kernel extension:
1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**.
2. Use **UBF8T346G9** for Team Id.
![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png)
#### Configuration Profile's Scope
Configure the appropriate scope to specify the machines that will receive this configuration profile.
Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers.
![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png)
Save the **Configuration Profile**.
Use the **Logs** tab to monitor deployment status for each enrolled machine.
### Package
1. Create a package in **Settings > Computer Management > Packages**.
![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png)
2. Upload wdav.pkg to the Distribution Point.
3. In the **filename** field, enter the name of the package. For example, wdav.pkg.
### Policy
Your policy should contain a single package for Microsoft Defender.
![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png)
Configure the appropriate scope to specify the computers that will receive this policy.
After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine.
## Client machine setup
You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment.
> [!NOTE]
> After a computer is enrolled, it will show up in the Computers inventory (All Computers).
1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile.
![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png)
![MDM screenshot](images/MDATP_22_MDMProfileApproved.png)
After some time, the machine's User Approved MDM status will change to Yes.
![MDM status screenshot](images/MDATP_23_MDMStatus.png)
You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned.
## Deployment
Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected.
### Status on server
You can monitor the deployment status in the Logs tab:
- **Pending** means that the deployment is scheduled but has not yet happened
- **Completed** means that the deployment succeeded and is no longer scheduled
![Status on server screenshot](images/MDATP_24_StatusOnServer.png)
### Status on client machine
After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile.
![Status on client screenshot](images/MDATP_25_StatusOnClient.png)
After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png)
You can monitor policy installation on a machine by following the JAMF's log file:
```bash
mavel-mojave:~ testuser$ tail -f /var/log/jamf.log
Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found.
Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"...
Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV
Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender...
Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender.
Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches...
Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found.
```
You can also check the onboarding status:
```bash
mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
```
- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set.
- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed.
## Check onboarding status
You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded:
```bash
sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+'
```
This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered.
## Logging installation issues
See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
## Uninstallation
See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices.

157
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md Normal file
View File

@ -0,0 +1,157 @@
---
title: Microsoft Defender ATP for Mac Resources
description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Resources
**Applies to:**
[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md)
>[!IMPORTANT]
>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here.
## Collecting diagnostic information
If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.
1. Increase logging level:
```bash
mavel-mojave:~ testuser$ mdatp log-level --verbose
Creating connection to daemon
Connection established
Operation succeeded
```
2. Reproduce the problem
3. Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file.
```bash
mavel-mojave:~ testuser$ mdatp --diagnostic
Creating connection to daemon
Connection established
"/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip"
```
4. Restore logging level:
```bash
mavel-mojave:~ testuser$ mdatp log-level --info
Creating connection to daemon
Connection established
Operation succeeded
```
## Logging installation issues
If an error occurs during installation, the installer will only report a general failure.
The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.
## Uninstalling
There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune.
### Within the GUI
- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**.
### From the command line
- ```sudo rm -rf '/Applications/Microsoft Defender ATP'```
### With a script
Create a script in **Settings > Computer Management > Scripts**.
![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png)
For example, this script removes Microsoft Defender ATP from the /Applications directory:
```bash
echo "Is WDAV installed?"
ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
echo "Uninstalling WDAV..."
rm -rf '/Applications/Microsoft Defender ATP.app'
echo "Is WDAV still installed?"
ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
echo "Done!"
```
### With a JAMF policy
If you are running JAMF, your policy should contain a single script:
![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png)
Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy.
## Configuring from the command line
Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:
|Group |Scenario |Command |
|-------------|-------------------------------------------|-----------------------------------------------------------------------|
|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` |
|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` |
|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` |
|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` |
|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`|
|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` |
|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`|
|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` |
|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` |
|Health |Check the product's health |`mdatp --health` |
|Protection |Scan a path |`mdatp scan --path [path]` |
|Protection |Do a quick scan |`mdatp scan --quick` |
|Protection |Do a full scan |`mdatp scan --full` |
|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` |
|Protection |Request a definition update |`mdatp --signature-update` |
## Microsoft Defender ATP portal information
In the Microsoft Defender ATP portal, you'll see two categories of information:
- AV alerts, including:
- Severity
- Scan type
- Device information (hostname, machine identifier, tenant identifier, app version, and OS type)
- File information (name, path, size, and hash)
- Threat information (name, type, and state)
- Device information, including:
- Machine identifier
- Tenant identifier
- App version
- Hostname
- OS type
- OS version
- Computer model
- Processor architecture
- Whether the device is a virtual machine
## Known issues
- Not fully optimized for performance or disk space yet.
- Full Windows Defender ATP integration is not available yet.
- Mac devices that switch networks may appear multiple times in the APT portal.
- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device.

488
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
View File

@ -20,17 +20,41 @@ ms.topic: conceptual
# Microsoft Defender ATP for Mac
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change.
Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program.
This topic describes how to install and use Microsoft Defender ATP for Mac.
## Whats new in the public preview
We've been working hard through the private preview period, and we've heard your concerns. We've reduced the delay for when new Mac devices appear in the ATP console after they've been deployed. We've improved threat handling, and enhanced the user experience. We've also made numerous bug fixes. Other updates to Microsoft Defender ATP for Mac include:
- Full accessibility
- Improved performance
- Localization for 37 languages
- Improved anti-tampering protections
- Feedback and samples can now be submitted via the GUI.
- Product health can be queried with JAMF or the command line.
- Admins can set their cloud preference for any location, not just for those in the US.
## Installing and configuring
There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
In general you'll need to take the following steps:
- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal
- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods:
- [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md)
- [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md)
- [Manual deployment](microsoft-defender-atp-mac-install-manually.md)
### Prerequisites
## Prerequisites
You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine.
You should also have access to Windows Defender Security Center.
### System Requirements
- macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra)
- Disk space during preview: 1GB
@ -49,462 +73,14 @@ The following table lists the services and their associated URLs that your netwo
To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal:
```
```bash
mavel-mojave:~ testuser$ curl 'https://x.cp.wd.microsoft.com/api/report'
OK
```
We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines.
We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines.
SIP is a built-in macOS security feature that prevents low-level tampering with the OS.
## Installation and configuration overview
There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
In general you'll need to take the following steps:
- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal
- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods:
* [Microsoft Intune based deployment](#microsoft-intune-based-deployment)
* [JAMF based deployment](#jamf-based-deployment)
* [Manual deployment](#manual-deployment)
## Resources
## Microsoft Intune based deployment
### Download installation and onboarding packages
Download the installation and onboarding packages from Windows Defender Security Center:
1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
5. Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos.
![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png)
6. From a command prompt, verify that you have the three files.
Extract the contents of the .zip files:
```
mavel-macmini:Downloads test$ ls -l
total 721688
-rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil
-rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
inflating: intune/kext.xml
inflating: intune/WindowsDefenderATPOnboarding.xml
inflating: jamf/WindowsDefenderATPOnboarding.plist
mavel-macmini:Downloads test$
```
7. Make IntuneAppUtil an executable:
```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil```
8. Create the wdav.pkg.intunemac package from wdav.pkg:
```
mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
Microsoft Intune Application Utility for Mac OS X
Version: 1.0.0.0
Copyright 2018 Microsoft Corporation
Creating intunemac file for /Users/test/Downloads/wdav.pkg
Composing the intunemac file output
Output written to ./wdav.pkg.intunemac.
IntuneAppUtil successfully processed "wdav.pkg",
to deploy refer to the product documentation.
```
### Client Machine Setup
You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp).
1. You'll be asked to confirm device management.
![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png)
Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**:
![Management profile screenshot](images/MDATP_4_ManagementProfile.png)
2. Select the **Continue** button and complete the enrollment.
You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned.
3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine:
![Add Devices screenshot](images/MDATP_5_allDevices.png)
### Create System Configuration profiles
1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**.
2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**.
3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above.
4. Select **OK**.
![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png)
5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
7. Repeat these steps with the second profile.
8. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file.
9. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**.
After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade:
![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png)
### Publish application
1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**.
2. Select **App type=Other/Line-of-business app**.
3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
4. Select **Configure** and add the required information.
5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value.
![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png)
6. Select **OK** and **Add**.
![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png)
7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**.
![Client apps screenshot](images/MDATP_10_ClientApps.png)
8. Change **Assignment type=Required**.
9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
![Intune assignments info screenshot](images/MDATP_11_Assignments.png)
10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade:
![Intune device status screenshot](images/MDATP_12_DeviceInstall.png)
### Verify client machine state
1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**.
![System Preferences screenshot](images/MDATP_13_SystemPreferences.png)
![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png)
2. Verify the three profiles listed there:
![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png)
3. The **Management Profile** should be the Intune system profile.
4. wdav-config and wdav-kext are system configuration profiles that we added in Intune.
5. You should also see the Microsoft Defender icon in the top-right corner:
![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png)
## JAMF based deployment
### Prerequsites
You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow.
### Download installation and onboarding packages
Download the installation and onboarding packages from Windows Defender Security Center:
1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png)
5. From a command prompt, verify that you have the two files.
Extract the contents of the .zip files:
```
mavel-macmini:Downloads test$ ls -l
total 721160
-rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
inflating: intune/kext.xml
inflating: intune/WindowsDefenderATPOnboarding.xml
inflating: jamf/WindowsDefenderATPOnboarding.plist
mavel-macmini:Downloads test$
```
### Create JAMF Policies
You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines.
#### Configuration Profile
The configuration profile contains one custom settings payload that includes:
- Microsoft Defender ATP for Mac onboarding information
- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run
1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File.
>[!NOTE]
> You must use exactly "com.microsoft.wdav.atp" as the Preference Domain.
![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png)
#### Approved Kernel Extension
To approve the kernel extension:
1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**.
2. Use **UBF8T346G9** for Team Id.
![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png)
#### Configuration Profile's Scope
Configure the appropriate scope to specify the machines that will receive this configuration profile.
Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers.
![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png)
Save the **Configuration Profile**.
Use the **Logs** tab to monitor deployment status for each enrolled machine.
#### Package
1. Create a package in **Settings > Computer Management > Packages**.
![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png)
2. Upload wdav.pkg to the Distribution Point.
3. In the **filename** field, enter the name of the package. For example, wdav.pkg.
#### Policy
Your policy should contain a single package for Microsoft Defender.
![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png)
Configure the appropriate scope to specify the computers that will receive this policy.
After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine.
### Client machine setup
You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment.
> [!NOTE]
> After a computer is enrolled, it will show up in the Computers inventory (All Computers).
1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile.
![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png)
![MDM screenshot](images/MDATP_22_MDMProfileApproved.png)
After some time, the machine's User Approved MDM status will change to Yes.
![MDM status screenshot](images/MDATP_23_MDMStatus.png)
You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned.
### Deployment
Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected.
#### Status on server
You can monitor the deployment status in the Logs tab:
- **Pending** means that the deployment is scheduled but has not yet happened
- **Completed** means that the deployment succeeded and is no longer scheduled
![Status on server screenshot](images/MDATP_24_StatusOnServer.png)
#### Status on client machine
After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile.
![Status on client screenshot](images/MDATP_25_StatusOnClient.png)
After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png)
You can monitor policy installation on a machine by following the JAMF's log file:
```
mavel-mojave:~ testuser$ tail -f /var/log/jamf.log
Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found.
Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"...
Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV
Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender...
Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender.
Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches...
Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found.
```
You can also check the onboarding status:
```
mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
```
- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set.
- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed.
### Uninstalling Microsoft Defender ATP for Mac
#### Uninstalling with a script
Create a script in **Settings > Computer Management > Scripts**.
![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png)
For example, this script removes Microsoft Defender ATP from the /Applications directory:
```
echo "Is WDAV installed?"
ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
echo "Uninstalling WDAV..."
rm -rf '/Applications/Microsoft Defender ATP.app'
echo "Is WDAV still installed?"
ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
echo "Done!"
```
#### Uninstalling with a policy
Your policy should contain a single script:
![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png)
Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy.
### Check onboarding status
You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded:
```
sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+'
```
This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered.
## Manual deployment
### Download installation and onboarding packages
Download the installation and onboarding packages from Windows Defender Security Center:
1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**.
3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png)
5. From a command prompt, verify that you have the two files.
Extract the contents of the .zip files:
```
mavel-macmini:Downloads test$ ls -l
total 721152
-rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: WindowsDefenderATPOnboarding.py
```
### Application installation
To complete this process, you must have admin privileges on the machine.
1. Navigate to the downloaded wdav.pkg in Finder and open it.
![App install screenshot](images/MDATP_28_AppInstall.png)
2. Select **Continue**, agree with the License terms, and enter the password when prompted.
![App install screenshot](images/MDATP_29_AppInstallLogin.png)
> [!IMPORTANT]
> You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed.
![App install screenshot](images/MDATP_30_SystemExtension.png)
3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**:
![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png)
The installation will proceed.
> [!NOTE]
> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time.
### Client configuration
1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac.
The client machine is not associated with orgId. Note that the orgid is blank.
```
mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid :
```
2. Install the configuration file on a client machine:
```
mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py
Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
```
3. Verify that the machine is now associated with orgId:
```
mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8
```
After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png)
## Uninstallation
### Removing Microsoft Defender ATP from Mac devices
To remove Microsoft Defender ATP from your macOS devices:
- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**.
Or, from a command line:
- ```sudo rm -rf '/Applications/Microsoft Defender ATP'```
## Known issues
- Microsoft Defender ATP is not yet optimized for performance or disk space.
- Centrally managed uninstall using Intune is still in development. To uninstall (as a workaround) a manual uninstall action has to be completed on each client device).
- Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only.
- Full Windows Defender ATP integration is not yet available
- Not localized yet
- There might be accessibility issues
## Collecting diagnostic information
If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.
1) Increase logging level:
```
mavel-mojave:~ testuser$ mdatp log-level --verbose
Creating connection to daemon
Connection established
Operation succeeded
```
2) Reproduce the problem
3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file.
```
mavel-mojave:~ testuser$ mdatp --diagnostic
Creating connection to daemon
Connection established
"/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip"
```
4) Restore logging level:
```
mavel-mojave:~ testuser$ mdatp log-level --info
Creating connection to daemon
Connection established
Operation succeeded
```
### Installation issues
If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.
For additional information about logging, uninstalling, or known issues, see our [Resources](microsoft-defender-atp-mac-resources.md) page.

52
windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md Normal file
View File

@ -0,0 +1,52 @@
---
title: Prevent security settings changes with Tamper Protection
description: Use tamper protection to prevent malicious apps from changing important security settings.
keywords: malware, defender, antivirus, tamper protection
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
---
# Prevent security settings changes with tamper protection
**Applies to:**
- Windows 10
Tamper protection helps prevent malicious apps from changing important security settings. These settings include:
- Real-time protection
- Cloud-delivered protection
- IOfficeAntivirus (IOAV)
- Behavior monitoring
- Removing security intelligence updates
With tamper protection set to **On**, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings:
- Mobile device management (MDM) apps like Intune
- Enterprise configuration management apps like System Center Configuration Manager (SCCM)
- Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures
- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware and DisableAntiMalware (used in Windows unattended setup)
- Group Policy
- Other Windows Management Instrumentation (WMI) apps
The tamper protection setting doesn't affect how third party antivirus apps register with the Windows Security app.
On computers running Windows 10 Enterprise E5, users can't change the tamper protection setting.
Tamper protection is On by default. If you set tamper protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & threat protection**.
## Configure tamper protection
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Select **Virus & threat protection**, then select **Virus & threat protection settings**.
3. Set **Tamper Protection** to **On** or **Off**.
>[!NOTE]
>If your computer is running Windows 10 Enterprise E5, you can't change the tamper protection settings from within Windows Security App.

2
windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
View File

@ -64,5 +64,5 @@ You can define the conditions for when entities are identified as malicious or s
## Related topics
- [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
- [Manage allowed/blocked lists](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
- [Manage indicators](manage-indicators.md)
- [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)

4
windows/security/threat-protection/windows-defender-atp/manage-indicators.md
View File

@ -38,7 +38,7 @@ On the top navigation you can:
- Apply filters
## Create an indicator
1. In the navigation pane, select **Settings** > **Allowed/blocked list**.
1. In the navigation pane, select **Settings** > **Indicators**.
2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following entities:
- File hash
@ -62,7 +62,7 @@ On the top navigation you can:
## Manage indicators
1. In the navigation pane, select **Settings** > **Allowed/blocked list**.
1. In the navigation pane, select **Settings** > **Indicators**.
2. Select the tab of the entity type you'd like to manage.

20
windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/08/2019
ms.date: 05/13/2019
---
# Customize attack surface reduction rules
@ -31,20 +31,18 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
## Exclude files and folders
You can exclude files and folders from being evaluated by all attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running.
This could potentially allow unsafe files to run and infect your devices.
You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running.
>[!WARNING]
>Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
>
>If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
>This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions.
An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules.
An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
Exclusions apply to all attack surface reduction rules.
Rule description | GUID
-|:-:|-
@ -76,9 +74,9 @@ See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) to
4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
### Use PowerShell to exclude files and folderss
### Use PowerShell to exclude files and folders
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell

13
windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/07/2019
ms.date: 05/13/2019
---
# Customize controlled folder access
@ -89,13 +89,14 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m
You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature.
>[!IMPORTANT]
>By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets.
>By default, Windows adds apps that it considers friendly to the allowed listapps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets.
>You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
You can use the Windows Security app or Group Policy to add and remove apps that should be allowed to access protected folders.
When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access.
An allowed application or service only has write access to a controlled folder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
### Use the Windows Defender Security app to allow specific apps
1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@ -106,7 +107,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
4. Click **Add an allowed app** and follow the prompts to add apps.
![Screenshot of the add an allowed app button](images/cfa-allow-app.png)
![Screenshot of how to add an allowed app button](images/cfa-allow-app.png)
### Use Group Policy to allow specific apps
@ -120,7 +121,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
### Use PowerShell to allow specific apps
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell

8
windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/29/2019
ms.date: 05/13/2019
---
# Enable attack surface reduction rules
@ -26,7 +26,7 @@ Each ASR rule contains three settings:
To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
You can enable attack surface reduction rules by using any of the these methods:
You can enable attack surface reduction rules by using any of these methods:
- [Microsoft Intune](#intune)
- [Mobile Device Management (MDM)](#mdm)
@ -51,7 +51,7 @@ You can exclude files and folders from being evaluated by most attack surface re
>- Block process creations originating from PSExec and WMI commands
>- Block JavaScript or VBScript from launching downloaded executable content
You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to.
You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
@ -131,7 +131,7 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
>[!WARNING]
>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**.
2. Enter the following cmdlet:

15
windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/29/2019
ms.date: 05/13/2019
---
# Enable controlled folder access
@ -22,7 +22,7 @@ ms.date: 04/29/2019
[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is included with Windows 10 and Windows Server 2019.
You can enable controlled folder access by using any of the these methods:
You can enable controlled folder access by using any of these methods:
- [Windows Security app](#windows-security-app)
- [Microsoft Intune](#intune)
@ -59,9 +59,12 @@ For more information about disabling local list merging, see [Prevent or allow u
![Create endpoint protection profile](images/create-endpoint-protection-profile.png)
1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.
![Enable controlled folder access in Intune](images/enable-cfa-intune.png)
>[!NOTE]
>Wilcard is supported for applications, but not for folders. Subfolders are not protected.
>Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
1. Click **OK** to save each open blade and click **Create**.
1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
@ -76,7 +79,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
1. Enter a name and a description, click **Controlled folder access**, and click **Next**.
1. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**.
>[!NOTE]
>Wilcard is supported for applications, but not for folders. Subfolders are not protected.
>Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
1. Review the settings and click **Next** to create the policy.
1. After the policy is created, click **Close**.
@ -93,14 +96,14 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
- **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
![Screenshot of group policy option with Enabled and then Enable selected in the drop down](images/cfa-gp-enable.png)
![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](images/cfa-gp-enable.png)
>[!IMPORTANT]
>To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
## PowerShell
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**.
2. Enter the following cmdlet:

4
windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/22/2019
ms.date: 05/09/2019
---
# Enable exploit protection
@ -26,7 +26,7 @@ Many features from the Enhanced Mitigation Experience Toolkit (EMET) are include
You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
You can enable each mitigation separately by using any of the these methods:
You can enable each mitigation separately by using any of these methods:
- [Windows Security app](#windows-security-app)
- [Microsoft Intune](#intune)

9
windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/22/2019
ms.date: 05/13/2019
---
# Enable network protection
@ -22,7 +22,8 @@ ms.date: 04/22/2019
[Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it.
You can enable network protection by using any of the these methods:
You can enable network protection by using any of these methods:
- [Microsoft Intune](#intune)
- [Mobile Device Management (MDM)](#mdm)
@ -87,7 +88,7 @@ You can confirm network protection is enabled on a local computer by using Regis
## PowerShell
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```
@ -100,7 +101,7 @@ You can enable the feature in audit mode using the following cmdlet:
Set-MpPreference -EnableNetworkProtection AuditMode
```
Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off.
## Related topics

6
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/02/2019
ms.date: 05/10/2019
---
# Evaluate network protection
@ -22,7 +22,7 @@ ms.date: 04/02/2019
[Network protection](network-protection-exploit-guard.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visted a malicious site or domain.
This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain.
>[!TIP]
@ -34,7 +34,7 @@ You can enable network protection in audit mode to see which IP addresses and do
You might want to do this to make sure it doesn't affect line-of-business apps or to get an idea of how often blocks occur.
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell