mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 22:07:22 +00:00
Merge pull request #1085 from MicrosoftDocs/FromPrivateRepo
From private repo
commit
9451dd92ca
@ -5,7 +5,7 @@ keywords: Device Health, oms, operations management suite, prerequisites, requir
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.date: 03/20/2018
|
||||
ms.date: 06/12/2018
|
||||
ms.pagetype: deploy
|
||||
author: jaimeo
|
||||
ms.author: jaimeo
|
||||
@ -24,13 +24,16 @@ Steps are provided in sections that follow the recommended setup process:
|
||||
|
||||
|
||||
|
||||
## Add Device Health to Microsoft Operations Management Suite
|
||||
## Add Device Health to Microsoft Operations Management Suite or Azure Log Analytics
|
||||
|
||||
Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
|
||||
Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
|
||||
|
||||
**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already.
|
||||
**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. Find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already.
|
||||
|
||||
**If you are not yet using Windows Analytics or Azure Log Analytics**, use the following steps to subscribe:
|
||||
>[!NOTE]
|
||||
>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=DeviceHealthProd) to go directly to the Device Health solution and add it to your workspace.
|
||||
|
||||
**If you are not yet using Windows Analytics or Azure Log Analytics**, follow these steps to subscribe:
|
||||
|
||||
1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
|
||||
[](images/uc-02.png)
|
||||
|
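Review bot: step 1 still sends new users to the Operations Management Suite page to sign in, although the lead-in above it now reads "If you are not yet using Windows Analytics or Azure Log Analytics"; the Upgrade Readiness change in this same commit points its step 1 at Log Analytics and **Start free**, so the two should be aligned. In the intro sentence that adds "and Azure Log Analytics", the appositive "a collection of cloud-based servicing" now attaches to Log Analytics rather than to OMS; reword it, and fix "servicing" to "services" and "on-premise" to "on-premises" while the line is being touched. The added note is addressed only to readers "already using OMS", which leaves Log Analytics users without the direct route.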
@ -23,12 +23,16 @@ Steps are provided in sections that follow the recommended setup process:
|
||||
|
||||
|
||||
|
||||
## Add Update Compliance to Microsoft Operations Management Suite
|
||||
## Add Update Compliance to Microsoft Operations Management Suite or Azure Log Analytics
|
||||
|
||||
Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
|
||||
Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
|
||||
|
||||
If you are already using OMS, skip to step **6** to add Update Compliance to your workspace.
|
||||
|
||||
>[!NOTE]
|
||||
>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=WaaSUpdateInsights) to go directly to the Update Compliance solution and add it to your workspace.
|
||||
|
||||
|
||||
If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance:
|
||||
|
||||
1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
|
||||
|
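Review bot: the heading gains "or Azure Log Analytics" but the text under it does not follow: "If you are already using OMS, skip to step **6**" and "If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance" still speak only of OMS, and the intro sentence still defines only OMS even though it now links to the Log Analytics overview. Bring these in line with the Device Health wording from this commit. The hard-coded "skip to step **6**" will also go stale if the steps are renumbered; consider referring to the step by what it does.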
@ -8,7 +8,7 @@ ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: jaimeo
|
||||
ms.author: jaimeo
|
||||
ms.date: 03/20/2018
|
||||
ms.date: 06/12/2018
|
||||
ms.localizationpriority: high
|
||||
---
|
||||
|
||||
@ -35,7 +35,7 @@ When you are ready to begin using Upgrade Readiness, perform the following steps
|
||||
|
||||
To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting), which discusses the issues and provides links to still more detailed information.
|
||||
|
||||
## Add Upgrade Readiness to Operations Management Suite
|
||||
## Add Upgrade Readiness to Operations Management Suite or Azure Log Analytics
|
||||
|
||||
Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
|
||||
|
||||
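Review bot: only the heading picks up "or Azure Log Analytics"; the paragraph directly under it still introduces the solution as part of OMS alone, and it links the overview over plain http:// where the Device Health and Update Compliance pages in this commit use https://. Update that paragraph in the same change. The context sentence above the heading, "see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics]", is a leftover from an earlier edit and should be reduced to one verb.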
@ -44,11 +44,14 @@ Upgrade Readiness is offered as a solution in the Microsoft Operations Managemen
|
||||
|
||||
If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. While you have this dialog open, you should also consider adding the [Device Health](../update/device-health-monitor.md) and [Update Compliance](../update/update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions.
|
||||
|
||||
If you are not using OMS:
|
||||
>[!NOTE]
|
||||
>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=CompatibilityAssessment) to go directly to the Upgrade Readiness solution and add it to your workspace.
|
||||
|
||||
1. Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and select **New Customers >** to start the process.
|
||||
2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
|
||||
3. Create a new OMS workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
|
||||
If you are not using OMS or Azure Log Analytics:
|
||||
|
||||
1. Go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it.
|
||||
2. Sign in to Operations Management Suite (OMS) or Azure Log Analytics. You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
|
||||
3. Create a new workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
|
||||
4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator.
|
||||
|
||||
> If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens.
|
||||
|
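Review bot: step 2 opens with "Sign in to Operations Management Suite (OMS) or Azure Log Analytics" but then falls back to "when you sign in to OMS" and "manage permissions in OMS", and the quoted line after step 4 still offers "the default OMS Azure subscription"; a reader who came in through Log Analytics cannot tell whether those sentences apply. Use one name for the service throughout the list. The added note sits between the "If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery" paragraph and the steps for new users and repeats the "already using OMS" condition; fold it into that paragraph.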
@ -5,7 +5,7 @@ keywords: windows analytics, oms, operations management suite, prerequisites, re
|
||||
ms.prod: w10
|
||||
author: jaimeo
|
||||
ms.author:
|
||||
ms.date: 03/15/2018
|
||||
ms.date: 06/12/2018
|
||||
ms.localizationpriority: high
|
||||
---
|
||||
|
||||
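Review bot: the front matter around this date bump has an empty "ms.author:" field, while the other Windows Analytics pages in this commit carry "ms.author: jaimeo" next to "author: jaimeo". Fill it in while the metadata block is being edited.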
@ -21,7 +21,7 @@ To perform an in-place upgrade, user computers must be running the latest versio
|
||||
|
||||
The compatibility update that sends diagnostic data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility.
|
||||
|
||||
<!--With Windows 10, edition 1607, the compatibility update KB is installed automatically.-->
|
||||
<!--With Windows 10, edition 1607, the compatibility update is installed automatically.-->
|
||||
|
||||
If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center.
|
||||
|
||||
@ -36,15 +36,16 @@ The latest cumulative updates must be installed on Windows 10 computers to make
|
||||
|
||||
While Upgrade Readiness can be used to assist with updating devices from Windows 10 Long-Term Servicing Channel (LTSC) to Windows 10 Semi-Annual Channel, Upgrade Readiness does not support updates to Windows 10 LTSC. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not a supported target with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSC.
|
||||
|
||||
## Operations Management Suite
|
||||
## Operations Management Suite or Azure Log Analytics
|
||||
|
||||
Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
|
||||
Upgrade Readiness is offered as a solution in Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
|
||||
|
||||
If you’re already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Click the Upgrade Readiness tile in the gallery and then click Add on the solution’s details page. Upgrade Readiness is now visible in your workspace.
|
||||
If you’re already using OMS or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace. You can also
|
||||
|
||||
If you are not using OMS, go to the [Upgrade Readiness page](https://www.microsoft.com/en-us/windowsforbusiness/simplified-updates) on Microsoft.com and select **Sign up** to kick off the OMS onboarding process. During the onboarding process, you’ll create an OMS workspace and add the Upgrade Readiness solution to it.
|
||||
If you are not using OMS or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it.
|
||||
|
||||
Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions.
|
||||
>[!IMPORTANT]
|
||||
>You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions.
|
||||
|
||||
## System Center Configuration Manager integration
|
||||
|
||||
|
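Review bot: the rewritten "If you’re already using OMS or Azure Log Analytics" paragraph ends mid-sentence with "You can also"; either finish the sentence (the other pages in this commit add a note with a direct link to the solution at this point) or drop the fragment. The [!IMPORTANT] block keeps OMS-only wording ("sign in to OMS", "link to your OMS workspace") after the section was renamed to include Azure Log Analytics. On the last sentence of that block, "Once the link has been established, you can revoke the administrator permissions", consider stating it as the recommended step, since the text says the administrator role is needed only to create the link.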
@ -18,6 +18,7 @@
|
||||
### [Merge WDAC policies](merge-windows-defender-application-control-policies.md)
|
||||
### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md)
|
||||
### [Deploy WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md)
|
||||
### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
|
||||
### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
|
||||
### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
|
||||
### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
|
||||
|
@ -0,0 +1,97 @@
|
||||
---
|
||||
title: Deploy Windows Defender Application Control with Intelligent Security Graph (ISG) (Windows 10)
|
||||
description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
author: mdsakibMSFT
|
||||
ms.date: 03/01/2018
|
||||
---
|
||||
|
||||
# Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system.
|
||||
In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task.
|
||||
|
||||
Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) provides a new option, known as Intelligent Security Graph (ISG) authorization, that allows IT administrators to automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation. The ISG option helps IT organizations take a significant first step towards going from having no application control at all to a simple means of preventing the execution of unknown and known bad software.
|
||||
|
||||
## How does the integration between WDAC and the Intelligent Security Graph work?
|
||||
|
||||
The ISG relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the ISG authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed, the reputation data is used to help make the right policy authorization decision.
|
||||
|
||||
After that initial download and installation, the WDAC component will check for the presence of the positive reputation information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the known good reputation classification.
|
||||
|
||||
The reputation data on the client is rechecked periodically and enterprises can also specify that any cached reputation results are flushed on reboot.
|
||||
|
||||
>[!NOTE]
|
||||
>Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, for example custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both System Center Configuration Manager (SCCM) and Microsoft Intune can be used to create and push a WDAC policy to your client machines.
|
||||
|
||||
Other examples of WDAC policies are available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies and can help authorize Windows OS components, WHQL signed drivers and all Store apps. Admins can reference and customize them as needed for their Windows Defender Application Control deployment or [create a custom WDAC policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy).
|
||||
|
||||
## Configuring Intelligent Security Graph authorization for Windows Defender Application Control
|
||||
|
||||
Setting up the ISG authorization is easy regardless of what management solution you use. Configuring the ISG option involves these basic steps:
|
||||
|
||||
- [Ensure that the ISG option is enabled in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml)
|
||||
- [Enable the necessary services to allow WDAC to use the ISG correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client)
|
||||
|
||||
### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML
|
||||
|
||||
In order to enable trust for executables based on classifications in the ISG, the **Enabled: Intelligent Security Graph authorization** option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the **Enabled:Invalidate EAs on Reboot** option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. The following example shows both options being set.
|
||||
|
||||
```code
|
||||
<Rules>
|
||||
<Rule>
|
||||
<Option>Enabled:Unsigned System Integrity Policy</Option>
|
||||
</Rule>
|
||||
<Rule>
|
||||
<Option>Enabled:Advanced Boot Options Menu</Option>
|
||||
</Rule>
|
||||
<Rule>
|
||||
<Option>Required:Enforce Store Applications</Option>
|
||||
</Rule>
|
||||
<Rule>
|
||||
<Option>Enabled:UMCI</Option>
|
||||
</Rule>
|
||||
<Rule>
|
||||
<Option>Enabled:Managed Installer</Option>
|
||||
</Rule>
|
||||
<Rule>
|
||||
<Option>Enabled:Intelligent Security Graph Authorization</Option>
|
||||
</Rule>
|
||||
<Rule>
|
||||
<Option>Enabled:Invalidate EAs on Reboot</Option>
|
||||
</Rule>
|
||||
</Rules>
|
||||
```
|
||||
|
||||
### Enable the necessary services to allow WDAC to use the ISG correctly on the client
|
||||
|
||||
In order for the heuristics used by the ISG to function properly, a number of component in Windows need to be enabled. The easiest way to do this is to run the appidtel executable in c:\windows\system32.
|
||||
|
||||
```
|
||||
appidtel start
|
||||
```
|
||||
|
||||
For WDAC policies deployed over MDM using the AppLocker CSP this step is not required as the CSP will enable the necessary components. ISG enabled through the SCCM WDAC UX will not need this step but if custom policies are being deployed outside of the WDAC UX through SCCM then this step is required.
|
||||
|
||||
## Security considerations with using the Intelligent Security Graph
|
||||
|
||||
Since the ISG is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and there are other monitoring systems in place like Windows Defender Advanced Threat Protection to help provide optics into what users are doing.
|
||||
|
||||
Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of WDAC when the ISG option is allowed by circumventing or corrupting the heuristics used to assign reputation to application executables. The ISG option uses the same heuristic tracking as managed installer and so for application installers that include an option to automatically run the application at the end of the installation process the heuristic may over-authorize.
|
||||
|
||||
## Known limitations with using the Intelligent Security Graph
|
||||
|
||||
Since the ISG relies on identifying executables as being known good, there are cases where it may classify legitimate executables as unknown, leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in the WDAC policy or by deployment through a WDAC managed installer. Typically, this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG.
|
||||
|
||||
Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business. it is straightforward to authorize modern apps with signer rules in the WDAC policy.
|
||||
|
||||
The ISG heuristic does not authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.
|
||||
|
||||
In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. Review for functionality and performance for the related applications using the native images maybe necessary in some cases.
|
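Review bot: the option is named two ways in the new page, "**Enabled: Intelligent Security Graph authorization**" in the paragraph and "Enabled:Intelligent Security Graph Authorization" in the XML; use the exact string from the policy XML in the prose so it can be copied. The same paragraph says this "can be done with the Set-RuleOption cmdlet" but only the resulting XML is shown, so add the invocation or drop the claim, and tag the XML fence as xml rather than "code". The sentence "Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG" does not say what happens to cached authorizations in that case; spell out the consequence so admins can decide whether to set the invalidate-on-reboot option. Typos to fix before merge: "Admins needs", "a number of component", "Microsoft Store for Business. it is", "maybe necessary".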
@ -6,7 +6,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: high
|
||||
author: mdsakibMSFT
|
||||
ms.date: 03/01/2018
|
||||
ms.date: 06/13/2018
|
||||
---
|
||||
|
||||
# Deploy Managed Installer for Windows Defender Application Control
|
||||
|
@ -10,7 +10,7 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: high
|
||||
ms.date: 03/06/2018
|
||||
ms.date: 06/13/2018
|
||||
---
|
||||
|
||||
# Windows Defender ATP data storage and privacy
|
||||
@ -27,7 +27,7 @@ This section covers some of the most frequently asked questions regarding privac
|
||||
|
||||
## What data does Windows Defender ATP collect?
|
||||
|
||||
Microsoft will collect and store information from your configured machines in a database specific to the service for administration, tracking, and reporting purposes.
|
||||
Windows Defender ATP will collect and store information from your configured machines in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes.
|
||||
|
||||
Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version).
|
||||
|
||||
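Review bot: "customer dedicated and segregated tenant" needs a hyphen ("customer-dedicated") and should be reconciled with the isolation answer shown later in this commit, which describes "logical segregation based on customer identifier"; as written the two can be read as different isolation models. Say once which it is and use the same terms in both places.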
@ -51,7 +51,7 @@ In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wik
|
||||
|
||||
## Do I have the flexibility to select where to store my data?
|
||||
|
||||
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the United Kingdom, Europe, or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States.
|
||||
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States.
|
||||
|
||||
## Is my data isolated from other customer data?
|
||||
Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
|
||||
|
@ -66,7 +66,7 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.
|
||||
|
||||
You will need to set up your preferences for the Windows Defender ATP portal.
|
||||
|
||||
3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United Kingdom, Europe, or The United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
|
||||
3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
|
||||
|
||||
> [!WARNING]
|
||||
> This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process.
|
||||
|
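Review bot: step 3 ends with "Microsoft will not transfer the data from the specified geolocation", while the data-storage answer edited in this same commit says "Customer data in de-identified form may also be stored in the central storage and processing systems in the United States". Add the same qualification here, or link to that answer, so the two statements agree.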
@ -43,7 +43,7 @@ Windows Defender Advanced Threat Protection requires one of the following Micros
|
||||
For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
|
||||
|
||||
### Network and data storage and configuration requirements
|
||||
When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the United Kingdom, Europe, or United States datacenter.
|
||||
When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.
|
||||
|
||||
> [!NOTE]
|
||||
> - You cannot change your data storage location after the first-time setup.
|
||||
|
@ -63,9 +63,9 @@ If you encounter an error when trying to get a refresh token when using the thre
|
||||
- For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector`
|
||||
|
||||
5. Add the following URL:
|
||||
- For US: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`.
|
||||
- For Europe: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback`
|
||||
- For United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback`
|
||||
- For the European Union: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback`
|
||||
- For the United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback`
|
||||
- For the United States: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`.
|
||||
|
||||
6. Click **Save**.
|
||||
|
||||
|
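Review bot: in the reordered list only the United States bullet ends with a period after the closing backtick; the European Union and United Kingdom bullets have none. Drop it so the three reply URLs are formatted alike and nothing extra is picked up when the value is copied into the application settings.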
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 06/12/2018
|
||||
ms.date: 06/13/2018
|
||||
---
|
||||
|
||||
|
||||
@ -174,7 +174,6 @@ This rule attempts to block Office files that contain macro code that is capable
|
||||
This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:
|
||||
|
||||
- Executable files (such as .exe, .dll, or .scr)
|
||||
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
|
||||
|
||||
### Rule: Use advanced protection against ransomware
|
||||
|
||||
@ -187,6 +186,9 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i
|
||||
>[!IMPORTANT]
|
||||
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
|
||||
|
||||
>[!NOTE]
|
||||
>Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.
|
||||
|
||||
### Rule: Block process creations originating from PSExec and WMI commands
|
||||
|
||||
This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
|
||||
|
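Review bot: in the added [!NOTE], "Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat" reads awkwardly; suggest "An event log entry for a denied access is not, by itself, an indication of a malicious threat". The note sits directly under "Exclusions do not apply to this rule", so it should also say what an admin is expected to do about an app that keeps triggering these entries, and be specific about which log and event the details are written to so the entries can be found and triaged.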