- Improving the Windows 10 update experience with control, quality and transparency - April 4, 2019 +
- Call to action: review your Windows Update for Business deferral values - April 3, 2019
- Windows 10, version 1809 designated for broad deployment - March 28, 2019
- Data, insights and listening to improve the customer experience - March 6, 2019
- Getting to know the Windows update history pages - February 21, 2019 diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md index 66befc0f13..0066e48950 100644 --- a/windows/deployment/update/windows-update-resources.md +++ b/windows/deployment/update/windows-update-resources.md @@ -106,7 +106,7 @@ The following resources provide additional information about using Windows Updat - regsvr32.exe wuwebv.dll 7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER: ``` - netsh reset winsock + netsh winsock reset ``` 8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER: ``` diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md index 9fb4c1f48f..94224b2a0c 100644 --- a/windows/deployment/usmt/usmt-migrate-user-accounts.md +++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md @@ -25,7 +25,7 @@ By default, all users are migrated. The only way to specify which users to inclu - [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone) ## To migrate all user accounts and user settings - +Links to detailed explanations of commands are available in the Related Topics section. 1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window: @@ -49,7 +49,7 @@ By default, all users are migrated. The only way to specify which users to inclu ## To migrate two domain accounts (User1 and User2) - +Links to detailed explanations of commands are available in the Related Topics section. 1. Log on to the source computer as an administrator, and specify: @@ -62,7 +62,7 @@ By default, all users are migrated. The only way to specify which users to inclu `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` ## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain - +Links to detailed explanations of commands are available in the Related Topics section. 1. Log on to the source computer as an administrator, and type the following at the command-line prompt: diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json index acfa4df08b..bac00186ea 100644 --- a/windows/device-security/docfx.json +++ b/windows/device-security/docfx.json @@ -39,7 +39,8 @@ "ms.date": "04/05/2017", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.win-device-security" + "depot_name": "MSDN.win-device-security", + "folder_relative_path_in_docset": "./" } } }, @@ -47,4 +48,4 @@ "template": [], "dest": "win-device-security" } -} \ No newline at end of file +} diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index a44aea3b51..292438cfe3 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -44,7 +44,8 @@ "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.windows-hub" + "depot_name": "MSDN.windows-hub", + "folder_relative_path_in_docset": "./" } } }, @@ -53,4 +54,4 @@ "dest": "windows-hub", "markdownEngineName": "dfm" } -} \ No newline at end of file +} diff --git a/windows/keep-secure/docfx.json b/windows/keep-secure/docfx.json index c69d3e3f49..e7c4c32d2a 100644 --- a/windows/keep-secure/docfx.json +++ b/windows/keep-secure/docfx.json @@ -32,7 +32,8 @@ "globalMetadata": { "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.keep-secure" + "depot_name": "MSDN.keep-secure", + "folder_relative_path_in_docset": "./" } } }, @@ -40,4 +41,4 @@ "template": [], "dest": "keep-secure" } -} \ No newline at end of file +} diff --git a/windows/manage/docfx.json b/windows/manage/docfx.json index eee8740627..36d3bfc69c 100644 --- a/windows/manage/docfx.json +++ b/windows/manage/docfx.json @@ -32,7 +32,8 @@ "globalMetadata": { "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.windows-manage" + "depot_name": "MSDN.windows-manage", + "folder_relative_path_in_docset": "./" } } }, @@ -40,4 +41,4 @@ "template": [], "dest": "windows-manage" } -} \ No newline at end of file +} diff --git a/windows/plan/docfx.json b/windows/plan/docfx.json index 4a303a21bc..1a52d12cc9 100644 --- a/windows/plan/docfx.json +++ b/windows/plan/docfx.json @@ -32,7 +32,8 @@ "globalMetadata": { "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.windows-plan" + "depot_name": "MSDN.windows-plan", + "folder_relative_path_in_docset": "./" } } }, @@ -40,4 +41,4 @@ "template": [], "dest": "windows-plan" } -} \ No newline at end of file +} diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index da571eeaf2..3d87b25a9b 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -155,14 +155,18 @@ The following table defines the endpoints for Connected User Experiences and Tel Windows release | Endpoint --- | --- -Windows 10, versions 1703 and 1709 | Diagnostics data: v10.vortex-win.data.microsoft.com/collect/v1Functional: v20.vortex-win.data.microsoft.com/collect/v1Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com/collect/v1settings-win.data.microsoft.com -Windows 10, version 1607 | v10.vortex-win.data.microsoft.comsettings-win.data.microsoft.com +Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed| Diagnostics data: v10c.vortex-win.data.microsoft.comFunctional: v20.vortex-win.data.microsoft.comWindows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.comsettings-win.data.microsoft.com +Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | Diagnostics data: v10.events.data.microsoft.comFunctional: v20.vortex-win.data.microsoft.comWindows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.comsettings-win.data.microsoft.com +Windows 10, version 1709 or earlier | Diagnostics data: v10.vortex-win.data.microsoft.comFunctional: v20.vortex-win.data.microsoft.comWindows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.comsettings-win.data.microsoft.com +Windows 7 and Windows 8.1 | vortex-win.data.microsoft.com The following table defines the endpoints for other diagnostic data services: | Service | Endpoint | | - | - | | [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | +| | umwatsonc.events.data.microsoft.com | +| | kmwatsonc.events.data.microsoft.com | | | ceuswatcab01.blob.core.windows.net | | | ceuswatcab02.blob.core.windows.net | | | eaus2watcab01.blob.core.windows.net | @@ -170,7 +174,7 @@ The following table defines the endpoints for other diagnostic data services: | | weus2watcab01.blob.core.windows.net | | | weus2watcab02.blob.core.windows.net | | [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com | -| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 | +| OneDrive app for Windows 10 | vortex.data.microsoft.com | ### Data use and access @@ -356,9 +360,9 @@ You can turn on or turn off System Center diagnostic data gathering. The default The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server 2016 is **Enhanced**. -### Configure the operating system diagnostic data level +## Configure the operating system diagnostic data level -You can configure your operating system diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device. +You can configure your operating system diagnostic data settings using the management tools you’re already using, such as **Group Policy, MDM, or Windows Provisioning.** You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device. Use the appropriate value in the table below when you configure the management policy. @@ -388,7 +392,7 @@ Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com ### Use Registry Editor to set the diagnostic data level -Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting. +Use Registry Editor to manually set the registry level on the devices in your organization, or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, the policy will replace the manually set registry level. 1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**. diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index 2f7c2c256d..ec17064fc8 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -21,17 +21,17 @@ ms.date: 01/17/2018 **Applies to** - Windows 10, version 1809 -- Windows 10, version 1803 +- Windows 10, version 1803 ## Introduction -The Diagnostic Data Viewer is a Windows app that lets you review the diagnostic data your device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft. +The Diagnostic Data Viewer is a Windows app that lets you review the Windows diagnostic data your device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft. ## Install and Use the Diagnostic Data Viewer -You must turn on data viewing and download the app before you can use the Diagnostic Data Viewer to review your device's diagnostic data. +You must download the app before you can use the Diagnostic Data Viewer to review your device's diagnostic data. ### Turn on data viewing -Before you can use this tool, you must turn on data viewing in the **Settings** panel. Turning on data viewing lets Windows store your device's diagnostic data until you turn it off. Turning off data viewing stops Windows from collecting your diagnostic data and clears the existing diagnostic data from your device. +Before you can use this tool for viewing Windows diagnostic data, you must turn on data viewing in the **Settings** panel. Turning on data viewing lets Windows store your device's diagnostic data until you turn it off. Turning off data viewing stops Windows from collecting your diagnostic data and clears the existing diagnostic data from your device. Note that this setting does not affect your Office data viewing or history. **To turn on data viewing** 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. @@ -44,7 +44,7 @@ Before you can use this tool, you must turn on data viewing in the **Settings** Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/en-us/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. ### Start the Diagnostic Data Viewer -You must start this app from the **Settings** panel. +You can start this app from the **Settings** panel. **To start the Diagnostic Data Viewer** 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. @@ -58,29 +58,25 @@ You must start this app from the **Settings** panel. 3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data. >[!Important] - >Turning on data viewing can use up to 1GB of disk space on your system drive. We strongly recommend that your turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. + >Turning on data viewing can use up to 1GB (by default) of disk space on your system drive. We strongly recommend that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. ### Use the Diagnostic Data Viewer The Diagnostic Data Viewer provides you with the following features to view and filter your device's diagnostic data. -- **View your diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. +- **View your Windows diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft. Microsoft uses this info to continually improve the Windows operating system. - + >[!Important] >Seeing an event does not necessarily mean it has been uploaded yet. It’s possible that some events are still queued and will be uploaded at a later time. - -  + +  - **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text. Selecting an event opens the detailed JSON view, with the matching text highlighted. -- **Filter your diagnostic event categories.** The apps Menu button opens the detailed menu. In here, you'll find a list of diagnostic event categories, which define how the events are used by Microsoft. - - Selecting a check box lets you filter between the diagnostic event categories. - -  +- **Filter your diagnostic event categories.** The app's **Menu** button opens the detailed menu. In here, you'll find a list of diagnostic event categories, which define how the events are used by Microsoft. Selecting a check box lets you filter between the diagnostic event categories. - **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others. @@ -93,8 +89,20 @@ The Diagnostic Data Viewer provides you with the following features to view and >[!Important] >All content in the Feedback Hub is publicly viewable. Therefore, make sure you don't put any personal info into your feedback comments. +- **View a summary of the data you've shared with us over time.** Available for users on build 19H1+, 'About my data' in Diagnostic Data Viewer lets you see an overview of the Windows data you've shared with Microsoft. + + Through this feature, you can checkout how much data you send on average each day, the breakdown of your data by category, the top components and services that have sent data, and more. + + >[!Important] + >This content is a reflection of the history of Windows data the app has stored. If you'd like to have extended analyses, please modify the storage capacity of Diagnostic Data Viewer. + +  + +## View Office Diagnostic Data +By default, Diagnostic Data Viewer shows you Windows data. You can also view Office diagnostic data by enabling the feature in the app settings page. To learn more about how to view Office diagnostic data, please visit this [page](https://go.microsoft.com/fwlink/?linkid=2023830). + ## Turn off data viewing -When you're done reviewing your diagnostic data, you should turn of data viewing. +When you're done reviewing your diagnostic data, you should turn of data viewing. This will also remove your Windows data history. Note that this setting does not affect your Office data viewing or history. **To turn off data viewing** 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. @@ -103,8 +111,24 @@ When you're done reviewing your diagnostic data, you should turn of data viewing  +## Modifying the size of your data history +By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. + + >[!Important] + >Note that if you have [Office diagnostic data viewing enabled](#view-office-diagnostic-data), the Office data history is fixed at 1 GB and cannot be modified. + +**Modify the size of your data history** + + To make changes to the size of your Windows diagnostic data history, visit the **app settings**, located at the bottom of the navigation menu. Data will be incrementally dropped with the oldest data points first once your chosen size or time limit is reached. + + >[!Important] + >Decreasing the maximum amount of diagnostic data viewable through the tool will remove all data history and requires a reboot of your device. Additionally, increasing the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your machine. + +  + ## View additional diagnostic data in the View problem reports tool Available on Windows 1809 and higher, you can review additional Windows Error Reporting diagnostic data in the **View problem reports** page within the Diagnostic Data Viewer. + This page provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system. @@ -112,7 +136,7 @@ You can also use the Windows Error Reporting tool available in the Control Panel **To view your Windows Error Reporting diagnostic data using the Diagnostic Data Viewer** -Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer. +Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.  @@ -123,3 +147,4 @@ Go to **Start** and search for _Problem Reports_. The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.  + diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json index 98296c6b76..9221109b4d 100644 --- a/windows/privacy/docfx.json +++ b/windows/privacy/docfx.json @@ -36,13 +36,19 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "feedback_system": "GitHub", + "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app" + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.privacy", + "folder_relative_path_in_docset": "./" + } + } }, "fileMetadata": {}, "template": [], "dest": "privacy", "markdownEngineName": "markdig" } -} \ No newline at end of file +} diff --git a/windows/privacy/images/ddv-analytics.png b/windows/privacy/images/ddv-analytics.png new file mode 100644 index 0000000000..499a541b00 Binary files /dev/null and b/windows/privacy/images/ddv-analytics.png differ diff --git a/windows/privacy/images/ddv-event-view.jpg b/windows/privacy/images/ddv-event-view.jpg new file mode 100644 index 0000000000..0a6c2ef113 Binary files /dev/null and b/windows/privacy/images/ddv-event-view.jpg differ diff --git a/windows/privacy/images/ddv-event-view.png b/windows/privacy/images/ddv-event-view.png deleted file mode 100644 index 264add2d9c..0000000000 Binary files a/windows/privacy/images/ddv-event-view.png and /dev/null differ diff --git a/windows/privacy/images/ddv-problem-reports.png b/windows/privacy/images/ddv-problem-reports.png index 49ae0fffc0..bd3dc7ba7d 100644 Binary files a/windows/privacy/images/ddv-problem-reports.png and b/windows/privacy/images/ddv-problem-reports.png differ diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md index a3e6817d6a..3c4c5afdbb 100644 --- a/windows/privacy/manage-windows-1709-endpoints.md +++ b/windows/privacy/manage-windows-1709-endpoints.md @@ -405,52 +405,21 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper |----------------|----------|------------| | svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | -The following endpoints are used to download operating system patches and updates. +The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. | Source process | Protocol | Destination | |----------------|----------|------------| | svchost | HTTP | *.windowsupdate.com | -| | HTTP | fg.download.windowsupdate.com.c.footprint.net | - -The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | cds.d2s7q6s2.hwcdn.net | - -The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | *wac.phicdn.net | -| | | *wac.edgecastcdn.net | - -The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired). -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | - -The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | emdl.ws.microsoft.com | +| svchost | HTTP | *.dl.delivery.mp.microsoft.com | The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. | Source process | Protocol | Destination | |----------------|----------|------------| -| svchost | HTTPS | fe2.update.microsoft.com | -| svchost | | fe3.delivery.mp.microsoft.com | -| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | -| svchost | HTTPS | sls.update.microsoft.com | +| svchost | HTTPS | *.update.microsoft.com | +| svchost | HTTPS | *.delivery.mp.microsoft.com | The following endpoint is used for content regulation. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. @@ -459,14 +428,6 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper |----------------|----------|------------| | svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | -The following endpoints are used to download content. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | a122.dscd.akamai.net | -| | | a1621.g.akamai.net | - ## Microsoft forward link redirection service (FWLink) The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. @@ -490,4 +451,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see: ## Related links - [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) -- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) \ No newline at end of file +- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md index 2b73716da2..dcf4d2be83 100644 --- a/windows/privacy/windows-diagnostic-data.md +++ b/windows/privacy/windows-diagnostic-data.md @@ -22,13 +22,13 @@ Applies to: - Windows 10, version 1803 - Windows 10, version 1709 -Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1803 Basic level diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields). +Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1809 Basic level diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields). In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard. The data covered in this article is grouped into the following types: -- Common data (diagnostic header information) +- Common data extensions (diagnostic header information) - Device, Connectivity, and Configuration data - Product and Service Usage data - Product and Service Performance data @@ -36,15 +36,15 @@ The data covered in this article is grouped into the following types: - Browsing History data - Inking, Typing, and Speech Utterance data -## Common data +## Common data extensions Most diagnostic events contain a header of common data. In each example, the info in parentheses provides the equivalent definition for ISO/IEC 19944:2017. -**Data Use for Common data** +**Data Use for Common data extensions** Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category. -### Data Description for Common data type +### Data Description for Common data extensions type -#### Common data type +#### Common data extensions type Information that is added to most diagnostic events, if relevant and available: @@ -506,6 +506,6 @@ Use of the specified data categories to promote a product or service in or on a Here are the list of data identification qualifiers and the ISO/IEC 19944:2017 reference: -- **Pseudonymized Data** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined. -- **Anonymized Data** 8.3.5 Anonymized data. Microsoft usage notes are as defined. -- **Aggregated Data** 8.3.6 Aggregated data. Microsoft usage notes are as defined. \ No newline at end of file +- **Pseudonymized Data** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined. +- **Anonymized Data** 8.3.5 Anonymized data. Microsoft usage notes are as defined. +- **Aggregated Data** 8.3.6 Aggregated data. Microsoft usage notes are as defined. \ No newline at end of file diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md index 370860330f..b6be3b5acd 100644 --- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md @@ -40,52 +40,52 @@ We used the following methodology to derive these network endpoints: | **Destination** | **Protocol** | **Description** | | --- | --- | --- | -|*.aria.microsoft.com* | HTTPS | Office Telemetry -|*.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. -|*.download.windowsupdate.com* | HTTP | Used to download operating system patches and updates. -|*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. -|*.msn.com* |TLSv1.2/HTTPS | Windows Spotlight related traffic -|*.Skype.com | HTTP/HTTPS | Skype related traffic -|*.smartscreen.microsoft.com* | HTTPS | Windows Defender Smartscreen related traffic -|*.telecommand.telemetry.microsoft.com* | HTTPS | Used by Windows Error Reporting. -|*cdn.onenote.net* | HTTP | OneNote related traffic -|*displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. -|*emdl.ws.microsoft.com* | HTTP | Windows Update related traffic -|*geo-prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update. -|*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. -|*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). -|*maps.windows.com* | HTTPS | Related to Maps application. -|*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps. -|*nexusrules.officeapps.live.com* | HTTPS | Office Telemetry -|*photos.microsoft.com* | HTTPS | Photos App related traffic -|*prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates. -|*wac.phicdn.net* | HTTP | Windows Update related traffic -|*windowsupdate.com* | HTTP | Windows Update related traffic -|*wns.windows.com* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS). -|*wpc.v0cdn.net* | | Windows Telemetry related traffic +|\*.aria.microsoft.com\* | HTTPS | Office Telemetry +|\*.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. +|\*.download.windowsupdate.com\* | HTTP | Used to download operating system patches and updates. +|\*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. +|\*.msn.com\* |TLSv1.2/HTTPS | Windows Spotlight related traffic +|\*.Skype.com | HTTP/HTTPS | Skype related traffic +|\*.smartscreen.microsoft.com\* | HTTPS | Windows Defender Smartscreen related traffic +|\*.telecommand.telemetry.microsoft.com\* | HTTPS | Used by Windows Error Reporting. +|\*cdn.onenote.net* | HTTP | OneNote related traffic +|\*displaycatalog.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|\*emdl.ws.microsoft.com\* | HTTP | Windows Update related traffic +|\*geo-prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|\*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. +|\*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +|\*maps.windows.com\* | HTTPS | Related to Maps application. +|\*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps. +|\*nexusrules.officeapps.live.com\* | HTTPS | Office Telemetry +|\*photos.microsoft.com\* | HTTPS | Photos App related traffic +|\*prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates. +|\*wac.phicdn.net* | HTTP | Windows Update related traffic +|\*windowsupdate.com\* | HTTP | Windows Update related traffic +|\*wns.windows.com\* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS). +|\*wpc.v0cdn.net* | | Windows Telemetry related traffic |auth.gfx.ms/16.000.27934.1/OldConvergedLogin_PCore.js | | MSA related |evoke-windowsservices-tas.msedge* | HTTPS | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -|fe2.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. -|fe3.*.mp.microsoft.com.* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fe2.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fe3.\*.mp.microsoft.com.\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |fs.microsoft.com | | Font Streaming (in ENT traffic) -|g.live.com* | HTTPS | Used by OneDrive +|g.live.com\* | HTTPS | Used by OneDrive |iriscoremetadataprod.blob.core.windows.net | HTTPS | Windows Telemetry -|mscrl.micorosoft.com | | Certificate Revocation List related traffic. -|ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. +|mscrl.microsoft.com | | Certificate Revocation List related traffic. +|ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |officeclient.microsoft.com | HTTPS | Office related traffic. |oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. -|purchase.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. -|query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. -|ris.api.iris.microsoft.com* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata. +|purchase.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|query.prod.cms.rt.microsoft.com\* | HTTPS | Used to retrieve Windows Spotlight metadata. +|ris.api.iris.microsoft.com\* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata. |ris-prod-atm.trafficmanager.net | HTTPS | Azure traffic manager -|settings.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration. -|settings-win.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration. -|sls.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update. -|store*.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. -|storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. -|store-images.s-microsoft.com* | HTTP | Used to get images that are used for Microsoft Store suggestions. -|tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. -|tsfe.trafficshaping.dsp.mp.microsoft.com* |TLSv1.2 | Used for content regulation. +|settings.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. +|settings-win.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. +|sls.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|store*.dsx.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|storecatalogrevocation.storequality.microsoft.com\* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. +|store-images.s-microsoft.com\* | HTTP | Used to get images that are used for Microsoft Store suggestions. +|tile-service.weather.microsoft.com\* | HTTP | Used to download updates to the Weather app Live Tile. +|tsfe.trafficshaping.dsp.mp.microsoft.com\* |TLSv1.2 | Used for content regulation. |v10.events.data.microsoft.com | HTTPS | Diagnostic Data |wdcp.microsoft.* |TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com | HTTPS | Windows Defender related traffic. @@ -111,7 +111,7 @@ We used the following methodology to derive these network endpoints: | ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | | location-inference-westus.cloudapp.net | HTTPS | Used for location data. | | modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | | ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | | tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | | tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | @@ -127,10 +127,10 @@ We used the following methodology to derive these network endpoints: | *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | | *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | | *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. | -| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| *.tlu.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. | +| *.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | | *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| au.download.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | | cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | | client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | | config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values. | @@ -151,7 +151,7 @@ We used the following methodology to derive these network endpoints: | maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | | modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | | ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | | oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | | settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | | sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | diff --git a/windows/release-information/TOC.yml b/windows/release-information/TOC.yml new file mode 100644 index 0000000000..b5ef71ac32 --- /dev/null +++ b/windows/release-information/TOC.yml @@ -0,0 +1,2 @@ +- name: Index + href: index.md \ No newline at end of file diff --git a/windows/release-information/breadcrumb/toc.yml b/windows/release-information/breadcrumb/toc.yml new file mode 100644 index 0000000000..61d8fca61e --- /dev/null +++ b/windows/release-information/breadcrumb/toc.yml @@ -0,0 +1,3 @@ +- name: Docs + tocHref: / + topicHref: / \ No newline at end of file diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json new file mode 100644 index 0000000000..6a0fb3e804 --- /dev/null +++ b/windows/release-information/docfx.json @@ -0,0 +1,47 @@ +{ + "build": { + "content": [ + { + "files": [ + "**/*.md", + "**/*.yml" + ], + "exclude": [ + "**/obj/**", + "**/includes/**", + "_themes/**", + "_themes.pdf/**", + "README.md", + "LICENSE", + "LICENSE-CODE", + "ThirdPartyNotices" + ] + } + ], + "resource": [ + { + "files": [ + "**/*.png", + "**/*.jpg" + ], + "exclude": [ + "**/obj/**", + "**/includes/**", + "_themes/**", + "_themes.pdf/**" + ] + } + ], + "overwrite": [], + "externalReference": [], + "globalMetadata": { + "breadcrumb_path": "/release-information/breadcrumb/toc.json", + "extendBreadcrumb": true, + "feedback_system": "None" + }, + "fileMetadata": {}, + "template": [], + "dest": "release-information", + "markdownEngineName": "markdig" + } +} \ No newline at end of file diff --git a/windows/release-information/index.md b/windows/release-information/index.md new file mode 100644 index 0000000000..45697f0cda --- /dev/null +++ b/windows/release-information/index.md @@ -0,0 +1,3 @@ +# Welcome to release-information! + +test diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 018d611769..961279662e 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -38,12 +38,18 @@ "ms.topic": "article", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", - "ms.author": "justinha" + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "ms.author": "justinha", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.security", + "folder_relative_path_in_docset": "./" + } + } }, "fileMetadata": {}, "template": [], "dest": "security", "markdownEngineName": "dfm" } -} \ No newline at end of file +} diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 0edce00395..626de0ca3e 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -43,6 +43,14 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will To enforce processing of the group policy, you can run ```gpupdate /force```. +### Enable Windows Defender Credential Guard by using Intune + +1. From **Home** click **Microsoft Intune** +2. Click **Device configuration** +3. Click **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**. + +> [!NOTE] +> It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock. ### Enable Windows Defender Credential Guard by using the registry diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 1f39421330..f1d2d6408b 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index bd94c85aeb..ebb6eed030 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index e4763d7e10..a7abd09380 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -8,8 +8,8 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 2f9757d9d9..6529e078f2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md index e6b69e32b2..561df3ca7b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 1528aad8e3..1ace62af4d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -35,9 +35,9 @@ On-premises certificate-based deployments of Windows Hello for Business needs th ## Enable Windows Hello for Business Group Policy -The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. +The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users. -You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. +If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. ## Use certificate for on-premises authentication diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 18164a1c75..d0801276dd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -81,4 +81,4 @@ Sign-in a domain controller or management workstation with domain administrator 2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) 4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index ac2f4ba332..db3e667888 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -51,4 +51,4 @@ Once you have validated all the requirements, please proceed to [Configure or De 2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) 4. Validate and Deploy Multifactor Authentication Services (MFA) (*You are here*) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index 89d53fc368..58043d111b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index 4aeeb5bb8b..4232360ba4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -30,4 +30,4 @@ Below, you can find all the information you will need to deploy Windows Hello fo 2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) 4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 36e3dad339..a6eba5d4f0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md index 0d99dddd85..5d554eda28 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index 4cbd7ca983..1dabe3c95d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md index 280135c5b3..d33adb5e38 100644 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ b/windows/security/identity-protection/hello-for-business/hello-features.md @@ -8,8 +8,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index 5a2a096de4..4c066287ac 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -6,8 +6,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md index 5bdfbc21f8..530d0923a7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md @@ -6,8 +6,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index f07f4f199a..7eeaa651d5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -6,8 +6,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md index e3304e2432..4ef877a48b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -45,4 +45,4 @@ Provision can occur automatically through the out-of-box-experience (OOBE) on Az Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is avaiable on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. -[How Windows Hello for Business authentication works](hello-how-it-works-authentication.md) \ No newline at end of file +[How Windows Hello for Business authentication works](hello-how-it-works-authentication.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 936c4a59e4..d12e00c028 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -6,8 +6,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -187,7 +187,7 @@ Joining a device is an extension to registering a device. This means, it provide [Return to Top](hello-how-it-works-technology.md) ## Key Trust -The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers. +The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The key trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers. ### Related topics [Certificate Trust](#certificate-trust), [Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index d5904c2e0e..97783034ca 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -6,8 +6,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -41,4 +41,4 @@ Windows Hello for Business is a distributed system that uses several components - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index d231dc9a9c..bf17a84426 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 5ea3bbbae9..b571ee817f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index 2bfa7ac0bd..fbd5a696c5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index 4b487da424..2e3ac6b145 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -145,4 +145,4 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation 3. New Installation Baseline (*You are here*) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index cfbf292815..bab9bcf458 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 6f443cff4f..ac6315a04d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -82,7 +82,7 @@ Organizations using older directory synchronization technology, such as DirSync
## Federation ## -Federating your on-premises Active Directory with Azure Active Directory ensures all identities have access to all resources regardless if they reside in cloud or on-premises. Windows Hello for Business hybrid certificate trust needs Windows Server 2016 Active Directory Federation Services. All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices. +Windows Hello for Business hybrid certificate trust requires Active Directory being federated with Azure Active Directory and needs Windows Server 2016 Active Directory Federation Services or newer. Windows Hello for Business hybrid certificate trust doesn’t support Managed Azure Active Directory using Pass-through authentication or password hash sync. All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices. The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index 317a2481b3..f8613819f5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -52,4 +52,4 @@ Regardless of the baseline you choose, you’re next step is to familiarize your 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 5350a7e35a..e295b98d48 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -1,4 +1,4 @@ ---- +--- title: Hybrid Windows Hello for Business Provisioning (Windows Hello for Business) description: Provisioning for Hybrid Windows Hello for Business Deployments keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -18,7 +18,7 @@ ms.date: 08/19/2018 # Hybrid Windows Hello for Business Provisioning **Applies to** -- Windows 10, version 1703 or later +- Windows10, version 1703 or later - Hybrid deployment - Certificate trust @@ -65,7 +65,7 @@ After a successful key registration, Windows creates a certificate request using The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. -The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user they can use their PIN to sign-in through the Windows Action Center. +The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current users certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user they can use their PIN to sign-in through the Windows Action Center.
@@ -77,5 +77,5 @@ The certificate authority validates the certificate was signed by the registrati 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings-policy.md) -6. Sign-in and Provision(*You are here*) +6. Sign-in and Provision(*You are here*) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 4f7dca8320..005677d027 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -78,4 +78,4 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. Configure Windows Hello for Business settings: Active Directory (*You are here*) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index fb95263ea4..5784150435 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 559462a9db..9333aeef18 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 56921a06b0..59da54619d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 0ffc39e4d5..621cb9ab0b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -201,4 +201,4 @@ Users must receive the Windows Hello for Business group policy settings and have 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. Configure Windows Hello for Business policy settings (*You are here*) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 49af90f1e4..3d78b7a719 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -48,4 +48,4 @@ For the most efficient deployment, configure these technologies in order beginni 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. Configure Windows Hello for Business settings (*You are here*) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 27ed68512f..d9874f88c3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index baf9a0401a..9a49d7ab15 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 3e829f4aa7..2c4dc3093c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -43,4 +43,4 @@ Next, you need to synchronizes the on-premises Active Directory with Azure Activ 4. Configure Directory Synchronization (*You are here*) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 1993139da7..f59a78c750 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index 6759f1e112..303b6ce403 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -50,4 +50,4 @@ You’re next step is to familiarize yourself with the prerequisites needed for 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index 47f83cea11..b4bdf83a77 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md @@ -1,4 +1,4 @@ ---- +--- title: Hybrid Windows Hello for Business key trust Provisioning (Windows Hello for Business) description: Provisioning for Hybrid Windows Hello for Business Deployments keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -18,7 +18,7 @@ ms.date: 08/20/2018 # Hybrid Windows Hello for Business Provisioning **Applies to** -- Windows 10, version 1703 or later +- Windows10, version 1703 or later - Hybrid deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index 1e1d1effdc..ce9f57fac1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 4ef86bfee8..3f6e263084 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 3382dcb530..080aa64f0a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index 9f081c920a..92f7ec3365 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 448963dfbd..5aaee3a860 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 672ad0f33f..f537c8de17 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -8,8 +8,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -50,7 +50,7 @@ The table shows the minimum requirements for each deployment. For key trust in a | Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
*Minimum:* Windows 10, version 1703
*Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).**Azure AD Joined:**
Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later | | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level | -| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | +| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | | N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
andWindows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service | | Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter| Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter | Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter | Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter | @@ -67,7 +67,7 @@ The table shows the minimum requirements for each deployment. | Windows 10, version 1703 or later | Windows 10, version 1703 or later | | Windows Server 2016 Schema | Windows Server 2016 Schema| | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | -| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | +| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | | AD FS with Azure MFA Server, orAD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, orAD FS with 3rd Party MFA Adapter | diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index 5cef71faf7..d85cdee4d5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md index 1d92e64857..b6a8469679 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index e8cd8acaa1..44acd1c65e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -130,4 +130,4 @@ Users must receive the Windows Hello for Business group policy settings and have 2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) 4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. Configure Windows Hello for Business Policy settings (*You are here*) \ No newline at end of file +5. Configure Windows Hello for Business Policy settings (*You are here*) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index 4bd120cf26..50b9fe1ad7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -9,7 +9,7 @@ ms.pagetype: security, mobile author: DaniHalfin audience: ITPro author: mikestephens-MS -ms.author: mstephen +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -47,4 +47,4 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) 4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) \ No newline at end of file +5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index 11c3a1d90a..0ac3dd3359 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index 8c28287378..f7184f34a3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 773be29f77..58614660a4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: conceptual diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 04dc168342..1700566e52 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 9f76cf67c8..8d50174792 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md @@ -8,8 +8,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md index cea13ff9d2..4eedd3d8c6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-videos.md +++ b/windows/security/identity-protection/hello-for-business/hello-videos.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article @@ -47,4 +47,4 @@ If the user can sign-in with a password, they can reset their PIN by clicking th > [!VIDEO https://www.youtube.com/embed/KcVTq8lTlkI] -For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network. \ No newline at end of file +For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network. diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 5f1296e64e..cb2349d9bd 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile audience: ITPro -author: mikestephens-MS -ms.author: mstephen +author: mapalko +ms.author: mapalko manager: dansimp ms.collection: M365-identity-device-management ms.topic: article diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index d4040d63f5..ccafee06af 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -89,7 +89,7 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r The Remote Desktop client device: -- Must be running at least Windows 10, version 1703 to be able to supply credentials. +- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine. - Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user’s signed-in credentials. This requires the user’s account be able to sign in to both the client device and the remote host. - Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard. - Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk. @@ -176,4 +176,4 @@ mstsc.exe /remoteGuard - No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own. -- The server and client must authenticate using Kerberos. \ No newline at end of file +- The server and client must authenticate using Kerberos. diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index f1d02e941e..0b3297ec31 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md @@ -13,7 +13,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/02/2019 +ms.date: 04/17/2019 --- # BitLocker Group Policy settings @@ -238,11 +238,11 @@ This policy setting is used to control which unlock options are available for op **Reference** -If you want to use BitLocker on a computer without a TPM, select the **Allow BitLocker without a compatible TPM** check box. In this mode, a USB drive is required for startup. Key information that is used to encrypt the drive is stored on the USB drive, which creates a USB key. When the USB key is inserted, access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, you need to use one of the BitLocker recovery options to access the drive. +If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive. -On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use: +On a computer with a compatible TPM, additional authentication methods can be used at startup to improve protection for encrypted data. When the computer starts, it can use: -- only the TPM for authentication +- only the TPM - insertion of a USB flash drive containing the startup key - the entry of a 4-digit to 20-digit personal identification number (PIN) - a combination of the PIN and the USB flash drive @@ -392,7 +392,7 @@ This policy setting allows you to block direct memory access (DMA) for all hot p | **Policy description** | This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys. | | **Introduced** | Windows 10, version 1703 | | **Drive type** | Operating system drives | -| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| | **Conflicts** | None | | **When enabled** | Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again. | | **When disabled or not configured** | DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.| diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index e6b09cec2e..86ebe29111 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -13,7 +13,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 04/17/2019 --- # Prepare your organization for BitLocker: Planning and policies @@ -163,9 +163,9 @@ Full drive encryption means that the entire drive will be encrypted, regardless ## Active Directory Domain Services considerations -BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting to enable backup of BitLocker recovery information: +BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting for each drive type to enable backup of BitLocker recovery information: -Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Turn on BitLocker backup to Active Directory Domain Services +Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker protected drives can be recovered. By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](https://blogs.technet.microsoft.com/craigf/2011/01/26/delegating-access-in-ad-to-bitlocker-recovery-information/). diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 9bd9bff264..7728af0c4f 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -11,10 +11,10 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/11/2019 +ms.date: 04/17/2019 --- -# Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune +# Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune **Applies to:** @@ -25,17 +25,19 @@ Microsoft Intune has an easy way to create and deploy a Windows Information Prot ## Differences between MDM and MAM for WIP +You can create an app protection policy in Intune either with device enrollment for MDM or without device enrollment for MAM. The process to create either policy is similar, but there are important differences: + - If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. - MAM supports only one user per device. -- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md) -- MAM has additional **Access** settings for Windows Hello for Business -- MAM can [selectively wipe company data](https://docs.microsoft.com/intune/apps-selective-wipe) from a user's personal device -- MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) -- An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. +- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md). +- MAM has additional **Access** settings for Windows Hello for Business. +- MAM can [selectively wipe company data](https://docs.microsoft.com/intune/apps-selective-wipe) from a user's personal device. +- MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). +- An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. ## Prerequisites -Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). +Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. ## Configure the MDM or MAM provider @@ -609,70 +611,6 @@ Optionally, if you don’t want everyone in your organization to be able to shar >[!NOTE] >For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic. -### Configure Windows Hello for Business for MAM -If you created a WIP policy for MAM, you can turn on Windows Hello for Business, letting your employees use it as a sign-in method for their devices. - -**To turn on and configure Windows Hello for Business** - -1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. - - The **Advanced settings** blade appears. - -2. Choose to turn on and configure the Windows Hello for Business settings: - -  - - - **Use Windows Hello for Business as a method for signing into Windows.** Turns on Windows Hello for Business. The options are: - - - **On.** Turns on Windows Hello For Business for anyone assigned to this policy. - - - **Off.** Turns off Windows Hello for Business. - - - **Set the minimum number of characters required for the PIN.** Enter a numerical value (4-127 characters) for how many characters must be used to create a valid PIN. Default is 4 characters. - - - **Configure the use of uppercase letters in the Windows Hello for Business PIN.** Lets you decide whether uppercase letters can be used in a valid PIN. The options are: - - - **Allow the use of uppercase letters in PIN.** Lets an employee use uppercase letters in a valid PIN. - - - **Require the use of at least one uppercase letter in PIN.** Requires an employee to use at least 1 uppercase letter in a valid PIN. - - - **Do not allow the use of uppercase letters in PIN.** Prevents an employee from using uppercase letters in a valid PIN. - - - **Configure the use of lowercase letters in the Windows Hello for Business PIN.** Lets you decide whether lowercase letters can be used in a valid PIN. The options are: - - - **Allow the use of lowercase letters in PIN.** Lets an employee use lowercase letters in a valid PIN. - - - **Require the use of at least one lowercase letter in PIN.** Requires an employee to use at least 1 lowercase letter in a valid PIN. - - - **Do not allow the use of lowercase letters in PIN.** Prevents an employee from using lowercase letters in a valid PIN. - - - **Configure the use of special characters in the Windows Hello for Business PIN.** Lets you decide whether special characters can be used in a valid PIN. The options are: - - - **Allow the use of special characters in PIN.** Lets an employee use special characters in a valid PIN. - - - **Require the use of at least one special character in PIN.** Requires an employee to use at least 1 special character in a valid PIN. - - - **Do not allow the use of special characters in PIN.** Prevents an employee from using special characters in a valid PIN. - - - **Specify the period of time (in days) that a PIN can be used before the system requires the user to change it.** Enter a numerical value (0-730 days) for how many days can pass before a PIN must be changed. If you enter a value of 0, the PIN never expires. - - - **Specify the number of past PINs that can be associated to a user account that can't be reused.** Enter a numerical value (0-50 days) for how many days can pass before an employee can reuse a previous PIN. If you enter a value of 0, a PINs can be reused immediately and past PINs aren't stored. - - >[!NOTE] - >PIN history is not preserved through a PIN reset. - - - **Number of authentication failures allowed before the device will be wiped.** Enter a numerical value for how many times the PIN can be incorrectly entered before wiping the device of corporate data. If you enter a value of 0, the device is never wiped, regardless of the number of incorrect PIN entries.
This setting has different behavior for mobile devices and desktops. - - - **On mobile devices.** When an employee reaches the value set here, the device is wiped of corporate data. - - - **On desktop devices.** When an employee reaches the value set here, the desktop is put into BitLocker recovery mode, instead of being wiped. You must have BitLocker installed on the device or this setting is ignored. - - - **Maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked.** Enter a numerical value for how many days can pass before a PIN must be changed. If you enter a value of 0, the device never becomes PIN or password locked while idle. - - >[!NOTE] - >You can set this value to be anything; however, it can't be longer than the time specified by the **Settings** app. If you exceed the maximum timeout value, this setting is ignored. - - ## Related topics - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md index 8b4b4b3ed0..cfcae5b9de 100644 --- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md +++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md @@ -13,7 +13,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/11/2019 +ms.date: 04/15/2019 --- # How Windows Information Protection (WIP) protects a file that has a sensitivity label diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 6cea68fc1c..f3d8fb9489 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/10/2019 +ms.date: 04/05/2019 ms.localizationpriority: medium --- @@ -125,7 +125,7 @@ This table provides info about the most common problems you might encounter whil
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | | 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | | 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | -| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](https://docs.microsoft.com/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](https://docs.microsoft.com/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | | 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/library/cc223782.aspx).
Only evaluated on TRUST\_TYPE\_MIT | | 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | | 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md index 74fd606119..a1cf9746d1 100644 --- a/windows/security/threat-protection/auditing/event-5159.md +++ b/windows/security/threat-protection/auditing/event-5159.md @@ -17,37 +17,48 @@ ms.date: 04/19/2017 - Windows Server 2016 -This event is logged if the Windows Filtering Platform has blocked a bind to a local port. - -There is no example of this event in this document. +
***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
-***Event Schema:***
+***Event Description:***
-*The Windows Filtering Platform has blocked a bind to a local port.*
+This event is logged if the Windows Filtering Platform has blocked a bind to a local port.
-*Application Information:*
+-> *Process ID:%1* -> -> *Application Name:%2* +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+
+
+- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+ Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
+
+
+
+**Network Information:**
+
+- **Source Address** \[Type = UnicodeString\]**:** the local IP address of the computer running the application.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Source Port** \[Type = UnicodeString\]**:** the port number used by the application.
+
+- **Protocol** \[Type = UInt32\]: the protocol number being used.
+
+| Service | Protocol Number |
+|----------------------------------------------------|-----------------|
+| Internet Control Message Protocol (ICMP) | 1 |
+| Transmission Control Protocol (TCP) | 6 |
+| User Datagram Protocol (UDP) | 17 |
+| General Routing Encapsulation (PPTP data over GRE) | 47 |
+| Authentication Header (AH) IPSec | 51 |
+| Encapsulation Security Payload (ESP) IPSec | 50 |
+| Exterior Gateway Protocol (EGP) | 8 |
+| Gateway-Gateway Protocol (GGP) | 3 |
+| Host Monitoring Protocol (HMP) | 20 |
+| Internet Group Management Protocol (IGMP) | 88 |
+| MIT Remote Virtual Disk (RVD) | 66 |
+| OSPF Open Shortest Path First | 89 |
+| PARC Universal Packet Protocol (PUP) | 12 |
+| Reliable Datagram Protocol (RDP) | 27 |
+| Reservation Protocol (RSVP) QoS | 46 |
+
+**Filter Information:**
+
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field.
+
+ To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As a result of this command, **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**<filterId>**)**,** for example:
+
+ 
+
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+
+
+
## Security Monitoring Recommendations
- There is no recommendation for this event in this document.
diff --git a/windows/security/threat-protection/auditing/images/event-5159.png b/windows/security/threat-protection/auditing/images/event-5159.png
new file mode 100644
index 0000000000..a2f9134fe8
Binary files /dev/null and b/windows/security/threat-protection/auditing/images/event-5159.png differ
diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md
new file mode 100644
index 0000000000..bdbc4a1115
--- /dev/null
+++ b/windows/security/threat-protection/get-support-for-security-baselines.md
@@ -0,0 +1,101 @@
+---
+title: Get support
+description: This article, and the articles it links to, answers frequently asked question on how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics in your organization
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: sagaudre
+author: justinha
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 06/25/2018
+---
+
+# Get Support
+
+**What is the Microsoft Security Compliance Manager (SCM)?**
+
+The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we have moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy.
+
+More information about this change can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/).
+
+**Where can I get an older version of a Windows baseline?**
+
+Any version of Windows baseline before Windows 10 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
+
+- [SCM 4.0 Download](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
+- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
+- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
+
+**What file formats are supported by the new SCT?**
+
+The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. See the LGPO documentation for more information. Keep in mind that SCM’s .cab files are no longer supported.
+
+**Does SCT support Desired State Configuration (DSC) file format?**
+
+Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features.
+
+**Does SCT support the creation of System Center Configuration Manager (SCCM) DCM packs?**
+
+No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement).
+
+**Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?**
+
+No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new toolkit likewise does not include SCAP support.
+
++ +## Version Matrix + +**Client Versions** + +| Name | Build | Baseline Release Date | Security Tools | +|---|---|---|---| +|Windows 10 | [1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/)
[1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/)
[1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/)
[1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/)
[1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2017
August 2017
October 2016
January 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+Windows 8.1 |[9600 (April Update)](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)| October 2013| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+Windows 8 |[9200](https://technet.microsoft.com/library/jj916413.aspx) |October 2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+Windows 7 |[7601 (SP1)](https://technet.microsoft.com/library/ee712767.aspx)| October 2009| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+| Vista |[6002 (SP2)](https://technet.microsoft.com/library/dd450978.aspx)| January 2007| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+| Windows XP |[2600 (SP3)](https://technet.microsoft.com/library/cc163061.aspx)| October 2001| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+
+
+
+**Server Versions**
+
+| Name | Build | Baseline Release Date | Security Tools |
+|---|---|---|---|
+|Windows Server 2016 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+|Windows Server 2012 R2|[SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|
+|Windows Server 2012|[Technet](https://technet.microsoft.com/library/jj898542.aspx) |2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+Windows Server 2008 R2 |[SP1](https://technet.microsoft.com/library/gg236605.aspx)|2009 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+| Windows Server 2008 |[SP2](https://technet.microsoft.com/library/cc514539.aspx)| 2008 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+|Windows Server 2003 R2|[Technet](https://technet.microsoft.com/library/cc163140.aspx)| 2003 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+|Windows Server 2003|[Technet](https://technet.microsoft.com/library/cc163140.aspx)|2003|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+
+
+
+**Microsoft Products**
+
+| Name | Details | Security Tools |
+|---|---|---|
+Internet Explorer 11 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+|Internet Explorer 10|[Technet](https://technet.microsoft.com/library/jj898540.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+|Internet Explorer 9|[Technet](https://technet.microsoft.com/library/hh539027.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Internet Explorer 8|[Technet](https://technet.microsoft.com/library/ee712766.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Exchange Server 2010|[Technet](https://technet.microsoft.com/library/hh913521.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Exchange Server 2007|[Technet](https://technet.microsoft.com/library/hh913520.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Microsoft Office 2010|[Technet](https://technet.microsoft.com/library/gg288965.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Microsoft Office 2007 SP2|[Technet](https://technet.microsoft.com/library/cc500475.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+
+
+
+> [!NOTE]
+> Browser baselines are built-in to new OS versions starting with Windows 10
+
+## See also
+
+[Windows security baselines](windows-security-baselines.md)
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 60aec9b458..0359a92351 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -14,9 +14,13 @@ ms.localizationpriority: medium
# Threat Protection
[Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
+>[!Note]
+> The Windows Defender Security Center is currently going through rebranding. All references to Windows Defender will be replaced with Microsoft Defender. You will see the updates in the user interface and in the documentation library in next few months.
+
Windows Defender ATP
 Threat & Vulnerability Management |
 Attack surface reduction |
 Next generation protection |
 Endpoint detection and response |
@@ -25,15 +29,23 @@ ms.localizationpriority: medium
 Microsoft Threat Experts |
||||||||
| + |
|
|||||||||||
+ + +**[Threat & Vulnerability Management](windows-defender-atp/next-gen-threat-and-vuln-mgt.md)**
+This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. +- [Risk-based Threat & Vulnerability Management](windows-defender-atp/next-gen-threat-and-vuln-mgt.md) +- [What's in the dashboard and what it means for my organization](windows-defender-atp/tvm-dashboard-insights.md) +- [Configuration score](windows-defender-atp/configuration-score.md) +- [Scenarios](windows-defender-atp/threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md new file mode 100644 index 0000000000..fe229e350d --- /dev/null +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -0,0 +1,72 @@ +--- +title: Microsoft Security Compliance Toolkit 1.0 +description: This article describes how to use the Security Compliance Toolkit in your organization +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: sagaudre +author: justinha +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 11/26/2018 +--- + +# Microsoft Security Compliance Toolkit 1.0 + +## What is the Security Compliance Toolkit (SCT)? + +The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products. + +The SCT enables administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy. + + +The Security Compliance Toolkit consists of: + +- Windows 10 security baselines + - Windows 10 Version 1809 (October 2018 Update) + - Windows 10 Version 1803 (April 2018 Update) + - Windows 10 Version 1709 (Fall Creators Update) + - Windows 10 Version 1703 (Creators Update) + - Windows 10 Version 1607 (Anniversary Update) + - Windows 10 Version 1511 (November Update) + - Windows 10 Version 1507 + +- Windows Server security baselines + - Windows Server 2019 + - Windows Server 2016 + - Windows Server 2012 R2 + +- Microsoft Office security baseline + - Office 2016 + +- Tools + - Policy Analyzer tool + - Local Group Policy Object (LGPO) tool + + +You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/). + +## What is the Policy Analyzer tool? + +The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include: +- Highlight when a set of Group Policies has redundant settings or internal inconsistencies +- Highlight the differences between versions or sets of Group Policies +- Compare GPOs against current local policy and local registry settings +- Export results to a Microsoft Excel spreadsheet + +Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set. + +More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/22/new-tool-policy-analyzer/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). + +## What is the Local Group Policy Object (LGPO) tool? + +LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. +Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems. +LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted “LGPO text” files. +It can export local policy to a GPO backup. +It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file. + +Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md index 14740a3224..2be015772f 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md @@ -24,7 +24,7 @@ Describes the best practices, location, values, management, and security conside ## Reference -Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver. This policy setting allows you to control the locking time by using Group Policy. +Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). This policy setting allows you to control the locking time by using Group Policy. ### Possible values @@ -40,6 +40,8 @@ Set the time for elapsed user-input inactivity based on the device’s usage and Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options +Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options (While creating and linking group policy on server) + ### Default values The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index ea2b3fa6af..024554261c 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -14,7 +14,8 @@ ms.localizationpriority: medium # Use Windows Event Forwarding to help with intrusion detection **Applies to** -- Windows 10 +- Windows 10 +- Windows Server Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 78351fac00..492af0b7b7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -24,6 +24,9 @@ You can exclude certain files from Windows Defender Antivirus scans by modifying Generally, you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. +> [!NOTE] +> Automatic exclusions apply only to Windows Server 2016 and above. + >[!TIP] >The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 15865ca9fa..fbe8f28763 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -56,14 +56,11 @@ SIP is a built-in macOS security feature that prevents low-level tampering with ## Installation and configuration overview There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. In general you'll need to take the following steps: - - [Register macOS devices](#register-macos-devices) with Windows Defender ATP - - Deploy Microsoft Defender ATP for Mac using any of the following deployment methods and tools: - - [Microsoft Intune based deployment](#microsoft-intune-based-deployment) - - [JAMF based deployment](#jamf-based-deployment) - - [Manual deployment](#manual-deployment) - -## Deploy Microsoft Defender ATP for Mac -Use any of the supported methods to deploy Microsoft Defender ATP for Mac + - Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal + - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: + * [Microsoft Intune based deployment](#microsoft-intune-based-deployment) + * [JAMF based deployment](#jamf-based-deployment) + * [Manual deployment](#manual-deployment) ## Microsoft Intune based deployment @@ -293,7 +290,6 @@ After some time, the machine's User Approved MDM status will change to Yes. You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. - ### Deployment Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. @@ -329,7 +325,7 @@ Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. You can also check the onboarding status: ``` -mavel-mojave:~ testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py +mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 @@ -351,13 +347,13 @@ For example, this script removes Microsoft Defender ATP from the /Applications d ``` echo "Is WDAV installed?" -ls -ld '/Applications/Microsoft Defender.app' 2>/dev/null +ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null echo "Uninstalling WDAV..." -rm -rf '/Applications/Microsoft Defender.app' +rm -rf '/Applications/Microsoft Defender ATP.app' echo "Is WDAV still installed?" -ls -ld '/Applications/Microsoft Defender.app' 2>/dev/null +ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null echo "Done!" ``` @@ -374,7 +370,7 @@ Configure the appropriate scope in the **Scope** tab to specify the machines tha You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: ``` -/Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' +sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' ``` This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. @@ -435,7 +431,7 @@ The installation will proceed. The client machine is not associated with orgId. Note that the orgid is blank. ``` - mavel-mojave:wdavconfig testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 orgid : ``` @@ -449,7 +445,7 @@ The installation will proceed. 3. Verify that the machine is now associated with orgId: ``` - mavel-mojave:wdavconfig testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 ``` diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index c40cc607a5..758f313aac 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/10/2019 +ms.date: 10/16/2017 --- # AppLocker @@ -92,7 +92,7 @@ AppLocker is included with enterprise-level editions of Windows. You can author ### Using AppLocker on Server Core -AppLocker on Server Core installations is not supported. This applies to all versions of Windows Server. +AppLocker on Server Core installations is not supported. ### Virtualization considerations diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md index 69566aa89f..97d032f8b6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md @@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 03/11/2019 +ms.date: 09/21/2017 --- # Requirements to use AppLocker @@ -31,15 +31,14 @@ To use AppLocker, you need: - For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules. - Devices running a supported operating system to enforce the AppLocker rules that you create. ->[!NOTE] ->You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md). +>**Note:** You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md). ## Operating system requirements -The following table shows AppLocker features supported by different versions of Windows. +The following table show the on which operating systems AppLocker features are supported. | Version | Can be configured | Can be enforced | Available rules | Notes | -|---|---|---|---|---| +| - | - | - | - | - | | Windows 10| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. | | Windows Server 2016
Windows Server 2012 R2
Windows Server 2012| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| | | Windows 8.1 Pro| Yes| No| N/A|| @@ -56,7 +55,8 @@ The following table shows AppLocker features supported by different versions of | Windows 7 Enterprise| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.| | Windows 7 Professional| Yes| No| Executable
Windows Installer
Script
DLL| No AppLocker rules are enforced.| -Previous versions of Windows can use Software Restriction Policies. + +AppLocker is not supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature is not supported on the above operating systems. ## See also - [Administer AppLocker](administer-applocker.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md index 154d463930..b1e10dc63f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md @@ -61,7 +61,7 @@ AppLocker uses path variables for well-known directories in Windows. Path variab | Windows directory or drive | AppLocker path variable | Windows environment variable | | - | - | - | | Windows | %WINDIR% | %SystemRoot% | -| System32 | %SYSTEM32%| %SystemDirectory%| +| System32 and sysWOW64 | %SYSTEM32%| %SystemDirectory%| | Windows installation directory | %OSDRIVE%|%SystemDrive%| | Program Files | %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)%| | Removable media (for example, CD or DVD) | %REMOVABLE%| | diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 8b6d1d2ef7..34fbe7530e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -60,6 +60,8 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you |Lee Christensen|@tifkin_| |Vladas Bulavas | Kaspersky Lab | |Lasse Trolle Borup | Langkjaer Cyber Defence | +|Jimmy Bayne | @bohops | +|Philip Tsukerman | @PhilipTsukerman |
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index 5a14ef0a68..f55255cb4e 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -1,6 +1,12 @@ # [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) ## [Overview](overview.md) +### [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +#### [What's in the dashboard and what it means for my organization](tvm-dashboard-insights.md) +#### [Configuration score](configuration-score.md) +#### [Scenarios](threat-and-vuln-mgt-scenarios.md) + + ### [Attack surface reduction](overview-attack-surface-reduction.md) #### [Hardware-based isolation](overview-hardware-based-isolation.md) ##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md) @@ -32,6 +38,7 @@ ##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) ##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) ##### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md) + #### Machines list ##### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) @@ -82,20 +89,16 @@ #### [Custom detections](overview-custom-detections.md) #####[Create custom detections rules](custom-detection-rules.md) - ### [Management and APIs](management-apis.md) #### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) #### [Windows Defender ATP APIs](apis-intro.md) #### [Managed security service provider support](mssp-support-windows-defender-advanced-threat-protection.md) - ### [Microsoft Threat Protection](threat-protection-integration.md) #### [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md) #### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md) #### [Information protection in Windows overview](information-protection-in-windows-overview.md) - - ### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) @@ -224,6 +227,7 @@ ###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) ##### [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) ##### [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) +##### [Onboard machines without Internet access](onboard-offline-machines.md) ##### [Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) ##### [Run simulated attacks on machines](attack-simulations-windows-defender-advanced-threat-protection.md) ##### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) @@ -335,6 +339,10 @@ ##### [Threat protection reports](threat-protection-reports-windows-defender-advanced-threat-protection.md) ##### [Machine health and compliance reports](machine-reports-windows-defender-advanced-threat-protection.md) + +#### Interoperability +##### [Partner applications](partner-applications.md) + #### Role-based access control ##### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) ###### [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) @@ -343,7 +351,10 @@ #### [Configure managed security service provider (MSSP) support](configure-mssp-support-windows-defender-advanced-threat-protection.md) +<<<<<<< HEAD +======= +>>>>>>> master ### Configure Microsoft Threat Protection integration #### [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md) #### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md) @@ -372,7 +383,7 @@ ####Rules ##### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md) ##### [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) -##### [Manage allowed/blocked lists](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +##### [Manage indicators](manage-indicators.md) ##### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) ##### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) @@ -381,7 +392,11 @@ ##### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md) #### [Configure Windows Security app time zone settings](time-settings-windows-defender-advanced-threat-protection.md) +<<<<<<< HEAD +======= + +>>>>>>> master ## [Troubleshoot Windows Defender ATP](troubleshoot-wdatp.md) ###Troubleshoot sensor state diff --git a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md index 5ab62122e6..ef694ec2c0 100644 --- a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md @@ -19,12 +19,9 @@ ms.topic: article # Add or Remove Machine Tags API **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prerelease information](prerelease.md)] - -- Adds or remove tag to a specific machine. +This API adds or remove tag to a specific machine. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md index fcfdf9dd3f..dff8fdeb1c 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md @@ -94,7 +94,7 @@ To receive contextual machine integration in Office 365 Threat Intelligence, you This feature is currently on public preview. When you enable this feature, you'll receive targeted attack notifications from Microsoft Threat Experts through your Windows Defender ATP portal's alerts dashboard and via email if you configure it. >[!NOTE] ->This feature will be available with an E5 license on machines running Windows 10 version 1809 or later. +>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. ## Microsoft Cloud App Security diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md index da5c717e31..da3a29ed3a 100644 --- a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md @@ -20,8 +20,6 @@ ms.topic: article **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] - Represents an alert entity in Windows Defender ATP. # Methods diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md index 70fb7fe34a..426f70f81a 100644 --- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md @@ -14,18 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 + --- # Collect investigation package API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] Collect investigation package from a machine. -[!include[Machine actions note](machineactionsnote.md)] ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/configuration-score.md b/windows/security/threat-protection/windows-defender-atp/configuration-score.md new file mode 100644 index 0000000000..f9308eff7e --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/configuration-score.md @@ -0,0 +1,56 @@ +--- +title: Overview of Configuration score in Microsoft Defender Security Center +description: Expand your visibility into the overall security configuration posture of your organization +keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/11/2019 +--- +# Configuration score +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +>[!NOTE] +> Secure score is now part of Threat & Vulnerability Management as Configuration score. We’ll keep the secure score page available for a few weeks. View the [Secure score](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection) page. + +The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over your organization's security posture based on security best practices. + +Your configuration score widget shows the collective security configuration state of your machines across the following categories: +- Application +- Operating system +- Network +- Accounts +- Security controls + +## How it works + +What you'll see in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously: +- Compare collected configurations to the collected benchmarks to discover misconfigured assets +- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration +- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams) +- Collect and monitor changes of security control configuration state from all assets + +From the widget, you'd be able to see which security aspect require attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can take action based on security benchmarks. + +## Improve your configuration score +The goal is to improve your configuration score by remediating the issues in the security recommendations list. You can filter the view based on: +- **Related component** - **Accounts**, **Application**, **Network**, **OS**, or **Security controls** +- **Remediation type** - **Configuration change** or **Software update** + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-and-manage-tvm.md b/windows/security/threat-protection/windows-defender-atp/configure-and-manage-tvm.md new file mode 100644 index 0000000000..bb81e3d1db --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/configure-and-manage-tvm.md @@ -0,0 +1,44 @@ +--- +title: Configure Threat & Vulnerability Management in Windows Defender ATP +description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft System Center Configuration Manager (SCCM) integrations. +keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM +search.product: Windows 10 +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- +# Configure Threat & Vulnerability Management +**Applies to:** +- [Windows Defender Advanced Threat Protection Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM) for a seamless collaboration of issue remediation. + +### Before you begin +>[!IMPORTANT] +Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data. + +Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM). + +>[!WARNING] +>Only Intune and SCCM enrolled devices are supported in this scenario. +>Use any of the following options to enroll devices in Intune: +>- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) +>- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school) +>- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup). + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Configuration score](configuration-score.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md index 452fb1f068..f2b0ca2157 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.author: dolmont -author: DulceMV +author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -23,7 +23,7 @@ ms.date: 02/28/2019 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease�information](prerelease.md)] +[!include[Prerelease information](prerelease.md)] ## Before you begin To experience the full Microsoft Threat Experts preview capability in Windows Defender ATP, you need to have a valid Premier customer service and support account. However, Premier charges will not be incurred during the preview. diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md index d20d381975..e6a5f47f96 100644 --- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 + --- # Create alert from event API **Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Enables using event data, as obtained from the [Advanced Hunting](run-advanced-query-api.md) for creating a new alert entity. diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index 67780a3f78..8967eb0a92 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -36,12 +36,12 @@ Information collected includes file data (such as file names, sizes, and hashes) Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578). -Microsoft uses this data to: +This data enables Windows Defender ATP to: - Proactively identify indicators of attack (IOAs) in your organization - Generate alerts if a possible attack was detected - Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network. -Microsoft does not use your data for advertising or for any other purpose other than providing you the service. +Microsoft does not use your data for advertising. ## Data protection and encryption The Windows Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure. diff --git a/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md index 6399e4f311..51f12e0109 100644 --- a/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md @@ -21,10 +21,9 @@ ms.topic: article **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] >[!Note] -> Currently this API is supported only for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information) +> Currently this API is only supported for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information) - Deletes an Indicator entity by ID. diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md index 56c66b472e..abe92e9dfe 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md @@ -19,12 +19,11 @@ ms.date: 09/03/2018 # Use Windows Defender ATP APIs -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -[!include[Prerelease information](prerelease.md)] - This page describes how to create an application to get programmatic access to Windows Defender ATP on behalf of a user. diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md index 4d6b21364d..d26d9ddb56 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md @@ -19,11 +19,11 @@ ms.date: 09/03/2018 # Create an app to access Windows Defender ATP without a user -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -[!include[Prerelease information](prerelease.md)] This page describes how to create an application to get programmatic access to Windows Defender ATP without a user. diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md index 80c3f2dfdf..9256735a62 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md @@ -21,8 +21,6 @@ ms.date: 09/24/2018 **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] - Full scenario using multiple APIs from Windows Defender ATP. diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md index 8892195292..3224af9ce2 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md @@ -14,18 +14,17 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/15/2018 --- # OData queries with Windows Defender ATP **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] -- If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/) -- Not all properties are filterable. +If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/) + +Not all properties are filterable. ### Properties that supports $filter: diff --git a/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md index 0491fe98c9..fa296bb3af 100644 --- a/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md @@ -20,7 +20,6 @@ ms.topic: article **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] Represent a file entity in Windows Defender ATP. diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md index 5e8d10dd1e..10f9c1f0dc 100644 --- a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md @@ -19,11 +19,8 @@ ms.date: 07/25/2018 # Find machine information by internal IP API -[!include[Prerelease information](prerelease.md)] - **Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Find a machine by internal IP. diff --git a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md index 687f9ab304..7fd4ec0b04 100644 --- a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md @@ -14,19 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Find machines by internal IP API - **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prereleaseinformation](prerelease.md)] +Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp -- Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp -- The given timestamp must be in the past 30 days. +The given timestamp must be in the past 30 days. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md index f6ed806476..e6933232eb 100644 --- a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md @@ -49,7 +49,7 @@ If the machine was offboarded it will still appear in machines list. After 7 day If the machine is not sending any signals for more than 7 days to any of the Windows Defender ATP channels for any reason including conditions that fall under misconfigured machines classification, a machine can be considered inactive. -Do you expect a machine to be in ‘Active’ status? [Open a support ticket ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). +Do you expect a machine to be in ‘Active’ status? [Open a support ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). ## Misconfigured machines Misconfigured machines can further be classified to: diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md index 3cbd5cc31e..a7365f8291 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get alert information by ID API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves an alert by its ID. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md index 5e0a0256ae..9048ee44e1 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get alert related domain information API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] Retrieves all domains related to a specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md index a286bb19f9..7a06825e2d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get alert related files information API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves all files related to a specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md index af24309c36..fcc6714b48 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get alert related IP information API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves all IPs related to a specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md index 55b0895b5f..0b169ac577 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md @@ -14,17 +14,13 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get alert related machine information API - **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] - -- Retrieves machine that is related to a specific alert. +Retrieves machine that is related to a specific alert. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md index a96ecfe588..484a4874d8 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get alert related user information API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves the user associated to a specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md index 45820ed888..9a1faba1e2 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md @@ -14,21 +14,20 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # List alerts API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] +Retrieves a collection of Alerts. +Supports [OData V4 queries](https://www.odata.org/documentation/). -- Retrieves a collection of Alerts. -- Supports [OData V4 queries](https://www.odata.org/documentation/). -- The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category". -- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) +The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category". + +See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md index 4251da56b9..3149b5d23f 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md @@ -10,10 +10,10 @@ ms.sitesec: library ms.pagetype: security ms.author: leonidzh author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance ms.topic: article ms.date: 10/07/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md index 2a44ef58e4..d09e702dfd 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -14,19 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get domain related alerts API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - -[!include[Prereleaseinformation](prerelease.md)] - - - - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of alerts related to a given domain address. diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md index c1136545a5..4355e3594a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get domain related machines API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of machines that have communicated to or from a given domain address. diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md index f4f669e5a2..12d290b29d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md @@ -14,15 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get domain statistics API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves the prevalence for the given domain. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md index 792f618d5f..cfa1df6eb2 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get file information API **Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a file by identifier Sha1, Sha256, or MD5. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md index 46f6a80f2a..f75ad0ee2d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get file related alerts API **Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of alerts related to a given file hash. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md index cf9e003f26..33e5bfd6ea 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get file related machines API **Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Retrieves a collection of machines related to a given file hash. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md index 17f1f3525d..00bf2bf323 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md @@ -14,19 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get file statistics API **Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] - - - - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves the prevalence for the given file. diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md index 08817b8e70..80c4fcf202 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -14,15 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get IP related alerts API **Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of alerts related to a given IP address. diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md index e17c0a1457..02aa1f61ba 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get IP related machines API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of machines that communicated with or from a particular IP. diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md index 3c2c965ffb..becbf40d3a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md @@ -14,17 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get IP statistics API **Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] - - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves the prevalence for the given IP. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md index 5a6a77b908..9710899e3a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md @@ -14,18 +14,14 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get machine by ID API **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] - -- Retrieves a machine entity by ID. +Retrieves a machine entity by ID. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md index eb0edbe3e4..a50a37d200 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get machine log on users API - -[!include[Prereleaseinformation](prerelease.md)] - **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) Retrieves a collection of logged on users. ## Permissions diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md index df392f1ef1..92fa67c016 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get machine related alerts API - -[!include[Prereleaseinformation](prerelease.md)] - **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) Retrieves a collection of alerts related to a given machine ID. ## Permissions diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md index 19a78ab6d8..ede9947280 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md @@ -14,18 +14,14 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get machineAction API **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] - -- Get action performed on a machine. +Get action performed on a machine. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md index 4be4316a45..bd36b12c8a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md @@ -14,21 +14,21 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # List MachineActions API **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prereleaseinformation](prerelease.md)] +Gets collection of actions done on machines. -- Gets collection of actions done on machines. -- Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/). -- The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc". -- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) +Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/). + +The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc". + +See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md index 7e2ad2eaf1..449c19a1e5 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md @@ -17,16 +17,17 @@ ms.topic: article --- # List machines API - **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] + +This API can do the following actions: - Retrieves a collection of machines that have communicated with Windows Defender ATP cloud on the last 30 days. - Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/). - The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId". -- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) + +See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) ## Permissions diff --git a/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md index 0de146e30c..64448439c9 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/07/2018 --- # Get Machines security states collection API diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md index 32bc25c9bd..f2f944e0e0 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get package SAS URI API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prerelease information](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Get a URI that allows downloading of an [investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md). diff --git a/windows/security/threat-protection/windows-defender-atp/get-started.md b/windows/security/threat-protection/windows-defender-atp/get-started.md index 6086863cb6..96a02d2c87 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-started.md +++ b/windows/security/threat-protection/windows-defender-atp/get-started.md @@ -31,6 +31,9 @@ Learn about the minimum requirements and initial steps you need to take to get s The following capabilities are available across multiple products that make up the Windows Defender ATP platform. +**Threat & Vulnerability Management**
+Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. This infrastructure correlates endpoint detection and response (EDR) insights with endpoint vulnerabilities real-time, thus reducing organizational vulnerability exposure and increasing threat resilience. + **Attack surface reduction**
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md index 837155f677..d3469d7f53 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # List Indicators API @@ -22,9 +21,8 @@ ms.date: 12/08/2017 **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] ->[!Note] +>[!NOTE] > Currently this API is supported only for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information) diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md index 75c9bc7f08..54be0763a9 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md @@ -20,7 +20,6 @@ ms.topic: article **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] Retrieve a User entity by key (user name). diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md index 6044ca7009..e239d6ca71 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get user related alerts API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of alerts related to a given user ID. diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md index a3597ff7ac..b137144be5 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md @@ -14,15 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get user related machines API - **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of machines related to a given user ID. diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_alert_icon.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_alert_icon.png new file mode 100644 index 0000000000..ebd390bd98 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_alert_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_bug_icon.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_bug_icon.png new file mode 100644 index 0000000000..b87ba02a90 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_bug_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_config_score.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_config_score.png new file mode 100644 index 0000000000..36c8c8b48f Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_config_score.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_dashboard.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_dashboard.png new file mode 100644 index 0000000000..d321e0ca67 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_dashboard.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_exposed_machines.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_exposed_machines.png new file mode 100644 index 0000000000..04643d5e8d Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_exposed_machines.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_exposure_score.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_exposure_score.png new file mode 100644 index 0000000000..d535499b79 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_exposure_score.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_insight_icon.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_insight_icon.png new file mode 100644 index 0000000000..f7e982c9c9 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_insight_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_machine_page_details.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_machine_page_details.png new file mode 100644 index 0000000000..6e474ccfa6 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_machine_page_details.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_menu.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_menu.png new file mode 100644 index 0000000000..eaaa01d3c0 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_menu.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_remediation_task_created.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_remediation_task_created.png new file mode 100644 index 0000000000..49850a80e1 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_remediation_task_created.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_request_remediation.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_request_remediation.png new file mode 100644 index 0000000000..2711f9560e Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_request_remediation.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_save_csv_file.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_save_csv_file.png new file mode 100644 index 0000000000..fb099b05f2 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_save_csv_file.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_security_controls.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_controls.png new file mode 100644 index 0000000000..3dd9ada0c9 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_controls.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations.png new file mode 100644 index 0000000000..89bdbc6495 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations_page.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations_page.png new file mode 100644 index 0000000000..1ae6f4320d Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations_page.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_software_page_details.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_software_page_details.png new file mode 100644 index 0000000000..095eb7424c Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_software_page_details.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_vuln_software.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_vuln_software.png new file mode 100644 index 0000000000..d7e4a4dd08 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_vuln_software.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md index 475a844fa1..880f5e4d11 100644 --- a/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md +++ b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Improve request performance diff --git a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md index 9eedb8b8f5..a8696ec1d9 100644 --- a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md +++ b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md @@ -21,8 +21,6 @@ ms.date: 12/05/2018 **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] - Learn how you can use Windows Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin. >[!TIP] diff --git a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md index 976dfff7e4..be963a981f 100644 --- a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md +++ b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 12/05/2018 --- # Information protection in Windows overview diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md index 026174d5f5..fbf715ebd3 100644 --- a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md @@ -14,15 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Was domain seen in org **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Answers whether a domain was seen in the organization. diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md index 8cfb010fc6..73631e76cb 100644 --- a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Was IP seen in org **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - -[!include[Prereleaseinformation](prerelease.md)] Answers whether an IP was seen in the organization. diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md index a09ded139b..66ef8c4c99 100644 --- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Isolate machine API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prerelease information](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Isolates a machine from accessing external network. diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md index 9dcb0b6f60..9560bb473f 100644 --- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md @@ -16,11 +16,10 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: article --- + # Validate licensing provisioning and complete set up for Windows Defender ATP **Applies to:** - - - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md index 86bf166722..25140e78df 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md @@ -18,11 +18,8 @@ ms.topic: article --- # Machine health and compliance report in Windows Defender ATP - **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - -[!include[Prerelease information](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) The machines status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions. diff --git a/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md index c4f16727e0..aa6b9b537e 100644 --- a/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # MachineAction resource type - **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] - Method|Return Type |Description :---|:---|:--- [List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | List [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities. diff --git a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md index fe70b2cba7..9e41349720 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 09/03/2018 --- # Manage Windows Defender Advanced Threat Protection alerts diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md index 84706f7a5a..e311c292ff 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Manage automation file uploads diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md index 23133475a4..370187b6f0 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Manage automation folder exclusions diff --git a/windows/security/threat-protection/windows-defender-atp/manage-edr.md b/windows/security/threat-protection/windows-defender-atp/manage-edr.md index b430f21281..38ce9039ff 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-edr.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-edr.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 07/01/2018 --- # Manage endpoint detection and response capabilities diff --git a/windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-indicators.md similarity index 98% rename from windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/windows-defender-atp/manage-indicators.md index 150cd87e78..db76c00fda 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-indicators.md @@ -1,5 +1,5 @@ --- -title: Manage allowed/blocked lists +title: Manage indicators description: Create indicators for a file hash, IP address, URLs or domains that define the detection, prevention, and exclusion of entities. keywords: manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Manage allowed/blocked lists +# Manage indicators **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md index 1ec412b1f3..ec47236a66 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md @@ -15,14 +15,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Manage suppression rules **Applies to:** - - - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/management-apis.md b/windows/security/threat-protection/windows-defender-atp/management-apis.md index c0408e9e5f..2fd2dd6083 100644 --- a/windows/security/threat-protection/windows-defender-atp/management-apis.md +++ b/windows/security/threat-protection/windows-defender-atp/management-apis.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/03/2018 --- # Overview of management and APIs diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md index 52627d87be..41f0442d90 100644 --- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md @@ -15,31 +15,26 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/19/2018 - --- -# Configure Microsoft Cloud App Security in Windows +# Configure Microsoft Cloud App Security in Windows Defender ATP **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease�information](prerelease.md)] +[!include[Prerelease information](prerelease.md)] To benefit from Windows Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration. >[!NOTE] ->This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. +>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. 1. In the navigation pane, select **Preferences setup** > **Advanced features**. 2. Select **Microsoft Cloud App Security** and switch the toggle to **On**. 3. Click **Save preferences**. - - - Once activated, Windows Defender ATP will immediately start forwarding discovery signals to Cloud App Security. ## View the data collected diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md index 6c2400b885..0edfd423b9 100644 --- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md @@ -18,11 +18,11 @@ ms.topic: conceptual ms.date: 10/18/2018 --- -# Microsoft Cloud App Security in Windows overview +# Microsoft Cloud App Security in Windows Defender ATP overview **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease�information](prerelease.md)] +[!include[Prerelease information](prerelease.md)] Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution that gives visibility into cloud apps and services by allowing you to control and limit access to cloud apps, while enforcing compliance requirements on data stored in the cloud. For more information, see [Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security). diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts.md index 380af8ef33..45bd9d4c80 100644 --- a/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts.md +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.author: dolmont -author: DulceMV +author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -22,7 +22,7 @@ ms.date: 02/28/2019 **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease�information](prerelease.md)] +[!include[Prerelease information](prerelease.md)] Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed. diff --git a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md index dfd40d8852..ee2aca23c7 100644 --- a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/29/2018 --- # Managed security service provider support diff --git a/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt.md new file mode 100644 index 0000000000..40df258764 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -0,0 +1,67 @@ +--- +title: Next-generation Threat & Vulnerability Management +description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. +keywords: threat and vulnerability management, MDATP-TVM, vulnerability management, threat and vulnerability scanning +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Threat & Vulnerability Management +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrustructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. + +It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context. + +## Next-generation capabilities +Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase. + +It is the first solution in the industry to automate the remediation process through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) for patching, configuration changes, or upgrades. +>[!Note] +> Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks. + +It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication. +- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities +- Linked machine vulnerability and security configuration assessment data in the context of exposure discovery +- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager + +### Real-time discovery + +To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides: +- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard. +- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, as well as software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications. +- Application runtime context. Constant visibility into application usage patterns for better prioritization and decision-making. Critical dependencies, such as vulnerable runtime libraries being loaded by other applications, are made visible. +- Configuration posture. Visibility into organizational security configuration, surfacing issues like disabled antivirus, enabled SMBv1, or misconfigurations that could allow escalation of privileges. Issues are reported in the dashboard with actionable security recommendations. + +### Intelligence-driven prioritization + +Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context: +- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk. +- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization. +- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to call attention to exposed machines with business-critical applications, confidential data, or high-value users. + +### Seamless remediation + +Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues. +- One-click remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click. We plan to expand this capability to other IT security management platforms. +- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities. +- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization. + +## Related topics +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Configuration score](configuration-score.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md index 50855b0351..b49c5af6ec 100644 --- a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md @@ -20,8 +20,6 @@ ms.topic: article **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] - Offboard machine from Windows Defender ATP. [!include[Machine actions note](machineactionsnote.md)] diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md index 273bfed16c..dc2b133c7a 100644 --- a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/24/2018 --- # Offboard machines from the Windows Defender ATP service diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md index a33cae087b..59fad5bda4 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/19/2018 --- # Onboard machines to the Windows Defender ATP service diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md new file mode 100644 index 0000000000..9d6532688d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md @@ -0,0 +1,53 @@ +--- +title: Onboard machines without Internet access to Windows Defender ATP +description: Onboard machines without Internet access so that they can send sensor data to the Windows Defender ATP sensor +keywords: onboard, servers, vm, on-premise, oms gateway, log analytics, azure log analytics, mma +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Onboard machines without Internet access to Windows Defender ATP + +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +To onboard machines without Internet access, you'll need to take the following general steps: + + +## On-premise machines + +- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub: + - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway) + - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints-windows-defender-advanced-threat-protection.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp) point to Microsoft Defender ATP Workspace key & ID + +- Offline machines in the same network of Azure Log Analytics + - Configure MMA to point to: + - Azure Log Analytics IP as a proxy + - Microsoft Defender ATP workspace key & ID + +## Azure virtual machines +- Configure and enable [Azure Log Analytics workspace](https://docs.microsoft.com/azure/azure-monitor/platform/gateway) + + - Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub: + - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway) + - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints-windows-defender-advanced-threat-protection.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp) point to Microsoft Defender ATP Workspace key & ID + - Offline Azure VMs in the same network of OMS Gateway + - Configure Azure Log Analytics IP as a proxy + - Azure Log Analytics Workspace Key & ID + + - Azure Security Center (ASC) + - [Security Policy \> Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration) + - [Threat Detection \> Allow Windows Defender ATP to access my data](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration) + + For more information, see [Working with security policies](https://docs.microsoft.com/azure/security-center/tutorial-security-policy). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/onboard.md b/windows/security/threat-protection/windows-defender-atp/onboard.md index 8229b36fa7..33c43ec774 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/03/2018 --- # Configure and manage Windows Defender ATP capabilities diff --git a/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md index c2617a285e..e6ea3aed4c 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/21/2019 --- # Overview of attack surface reduction diff --git a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md index 13268d34ad..76fd2d9bd1 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/29/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md index 1fb9eea8e2..4599298025 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/03/2018 --- # Overview of endpoint detection and response diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md index 8d95c6f102..3f92d168af 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/12/2018 --- # Overview of advanced hunting diff --git a/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md index 33671e8778..bde1e7c9b6 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/03/2018 --- # Overview of Secure score in Windows Defender Security Center diff --git a/windows/security/threat-protection/windows-defender-atp/overview.md b/windows/security/threat-protection/windows-defender-atp/overview.md index ce66638a3b..d2421506b2 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview.md +++ b/windows/security/threat-protection/windows-defender-atp/overview.md @@ -1,7 +1,7 @@ --- title: Overview of Windows Defender ATP -description: -keywords: +description: Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform +keywords: atp, microsoft defender atp, defender, mdatp, threat protection, platform, threat, vulnerability, asr, attack, surface, reduction, next-gen, protection, edr, endpoint, detection, response, automated, air search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/20/2018 --- # Overview of Windows Defender ATP capabilities @@ -33,6 +32,7 @@ Understand the concepts behind the capabilities in Windows Defender ATP so you t Topic | Description :---|:--- +[Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) | Reduce organizational vulnerability exposure and increase threat resilience while seamlessly connecting workflows across security stakeholders—security administrators, security operations, and IT administrators in remediating threats. [Attack surface reduction](overview-attack-surface-reduction.md) | Leverage the attack surface reduction capabilities to protect the perimeter of your organization. [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Windows Defender ATP so you can protect desktops, portable computers, and servers. [Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Windows Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats. diff --git a/windows/security/threat-protection/windows-defender-atp/partner-applications.md b/windows/security/threat-protection/windows-defender-atp/partner-applications.md new file mode 100644 index 0000000000..24ba042fc8 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/partner-applications.md @@ -0,0 +1,64 @@ +--- +title: Partner applications in Microsoft Defender ATP +description: View supported partner applications to enhance the detection, investigation, and threat intelligence capabilities of the platform +keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Partner applications in Microsoft Defender ATP +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + +Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. + + +The support for third-party solutions help to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender ATP; enabling security teams to effectively respond better to modern threats. + +Microsoft Defender ATP seamlessly integrates with existing security solutions - providing out of the box integration with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC indicators ingestions and matching, automated device investigation and remediation based on external alerts, and integration with Security orchestration and automation response (SOAR) systems. + +## SIEM integration +Microsoft Defender ATP supports SIEM integration through a variety of methods specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md). + +## Ticketing and IT service management +Ticketing solution integration helps to implement manual and automatic response processes. Microsoft Defender ATP can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API. + +## Security orchestration and automation response (SOAR) integration +Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs expose to orchestrate responses, such as query for device data, trigger machine isolation, block/allow, resolve alert and others. + +## External alert correlation and Automated investigation and remediation +Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale. + +Integrating the automated investigation and response capability with other solutions such as IDS and firewalls help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices. + +External alerts can be pushed into Microsoft Defender ATP and is presented side-by-side with additional device-based alerts from Microsoft Defender ATP. This view provides a full context of the alert - with the real process and the full story of attack. + +## Indicators matching +You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise (IOCs). + +Microsoft Defender ATP allows you to integrate with such solutions and act on IoCs by correlating its rich telemetry and creating alerts when there's a match; leveraging prevention and automated response capabilities to block execution and take remediation actions when theres a match. + +Microsoft Defender ATP currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators. + +## Support for non-Windows platforms +Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network. This experience leverages on a third-party security products sensor data giving you a unified experience. + + + + + + + diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md index 352394a662..d94a65a540 100644 --- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/24/2018 --- # Windows Defender Advanced Threat Protection portal overview @@ -108,10 +107,12 @@ Icon | Description  | Automated investigation - running  | Automated investigation - remediated  | Automated investigation - partially remediated - + | Threat & Vulnerability Management - threat insights + | Threat & Vulnerability Management - possible active alert + | Threat & Vulnerability Management - recommendation insights ## Related topics - [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) - [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) - [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md) -- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md index 1116788ea1..82d437d18a 100644 --- a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Submit or Update Indicator API @@ -22,7 +21,6 @@ ms.date: 12/08/2017 **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] >[!Note] > Currently this API is supported only for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information) diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md index faa5965b72..c38db1be9d 100644 --- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/26/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md index 4a47170925..66420af797 100644 --- a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # PowerShell code examples for the custom threat intelligence API diff --git a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md index 91b8900c14..c868f2a2d3 100644 --- a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Configure Windows Defender Security Center settings diff --git a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md index 66f745bb56..469a59e63e 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Turn on the preview experience in Windows Defender ATP diff --git a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md index f4b63ae583..c64fd1617c 100644 --- a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Python code examples for the custom threat intelligence API diff --git a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md index 8446e86a04..38f1c79ee9 100644 --- a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 05/08/2018 --- # Manage portal access using role-based access control diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index e5f643f908..544077f49b 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -253,19 +253,19 @@ If you encounter a problem when trying to submit a file, try each of the followi 1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications). 2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified. 3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error. -4. Verify the policy setting enables sample collection and try to submit the file again. +4. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value: - a. Change the following registry entry and values to change the policy on specific machines: - ``` -HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection - Value = 0 – block sample collection - Value = 1 – allow sample collection -``` + ``` + Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection + Name: AllowSampleCollection + Type: DWORD + Hexadecimal value : + Value = 0 – block sample collection + Value = 1 – allow sample collection + ``` 5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md). 6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). -> [!NOTE] -> If the value *AllowSampleCollection* is not available, the client will allow sample collection by default. ## Related topic - [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 37e946eb11..9d051a1e7e 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/28/2018 --- # Take response actions on a machine diff --git a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md index bc0073bf43..6e601dc0fd 100644 --- a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/12/2017 --- # Take response actions in Windows Defender ATP diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md index 5cf3e7bd28..671ec7d8fe 100644 --- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Restrict app execution API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md index 5077e43d6c..9d9ea6c85d 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 09/03/2018 --- # Advanced hunting API -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - -[!include[Prerelease information](prerelease.md)] +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) This API allows you to run programmatic queries that you are used to running from [Windows Defender ATP Portal](https://securitycenter.windows.com/hunting). diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md index 90d62c40c1..dd2f1dc672 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 09/24/2018 --- # Schedule Advanced Hunting using Microsoft Flow diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md index 336ac77edb..83380bfe20 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md @@ -18,7 +18,7 @@ ms.topic: article # Create custom reports using Power BI (user authentication) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](prerelease.md)] diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md index 547b531909..487b150df6 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md @@ -14,15 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 09/24/2018 --- # Advanced Hunting using PowerShell **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] - Run advanced queries using PowerShell, see [Advanced Hunting API](run-advanced-query-api.md). diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md index 07bb15a7cf..a80cd077b7 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md @@ -18,9 +18,7 @@ ms.topic: article # Advanced Hunting using Python **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prerelease information](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Run advanced queries using Python, see [Advanced Hunting API](run-advanced-query-api.md). diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md index 4a58f9eedf..95d084af2a 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Run antivirus scan API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prerelease information](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Initiate Windows Defender Antivirus scan on a machine. diff --git a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md index b5d51b9cf4..098f8b6720 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 09/07/2018 --- # Run a detection test on a newly onboarded Windows Defender ATP machine diff --git a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md index d501a0d824..d3c9466607 100644 --- a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/26/2018 --- # Configure the security controls in Secure score diff --git a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md index 1c071364b8..b152fd4194 100644 --- a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/04/2018 --- # Windows Defender Security Center Security operations dashboard diff --git a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md index a0ace19060..6d64ca2629 100644 --- a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Check the Windows Defender Advanced Threat Protection service health diff --git a/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md index 49687ff26c..b64296d1c8 100644 --- a/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md @@ -14,17 +14,14 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Stop and quarantine file API - **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] -- Stop execution of a file on a machine and delete it. +Stop execution of a file on a machine and delete it. [!include[Machine actions note](machineactionsnote.md)] diff --git a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md index 14621034da..cdcdf40b44 100644 --- a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 12/01/2017 --- # Supported Windows Defender ATP query APIs diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md index 9a145edebb..4fe07149cf 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/29/2018 --- # Threat analytics diff --git a/windows/security/threat-protection/windows-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/windows-defender-atp/threat-and-vuln-mgt-scenarios.md new file mode 100644 index 0000000000..22ef58fb69 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -0,0 +1,107 @@ +--- +title: Threat & Vulnerability Management scenarios +description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when collaborating with IT Administrators and SecOps while protecting their organization from cybersecurity threats. +keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Threat & Vulnerability Management scenarios +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +## Before you begin +Ensure that your machines: +- Are onboarded to Microsoft Defender Advanced Threat Protection +- Running with Windows 10 1709 (Fall Creators Update) or later +- Have the following mandatory updates installed: +- (1) RS3 customers | [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441) +- (2) RS4 customers | [KB4493464](https://support.microsoft.com/en-us/help/4493464) +- Have at least one security recommendation that can be viewed in the machine page +- Are tagged or marked as co-managed + + +## Reduce your threat and vulnerability exposure +Threat & Vulnerability Management introduces a new exposure score metric which visually represents how exposed your machines are to imminent threats. + +The exposure score is continuously calculated on each device in the organization and influenced by the following factors: +- Weaknesses, such as vulnerabilities and misconfigurations discovered on the device +- External and internal threats such as public exploit code and security alerts +- Likelihood of the device getting breached given its current security posture +- Value of the device to the organization given its role and content + +The exposure score is broken down into the following levels: +- 0 to 29: low exposure score +- 30 to 69: medium exposure score +- 70 to 100: high exposure score + +You can reduce the exposure score by remediating issues based on prioritized security recommendations. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization. + +To lower down your threat and vulnerability exposure: + +1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. This opens the **Security recommendation** page. + + >> + + >[!NOTE] + > There are two types of recommendations: + > - Security update which refers to recommendations that require a package installation + > - Configuration change which refers to recommendations that require a registry or GPO modification + > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon. + +2. In the **Security recommendations** page, you will see the description of what needs to be done and why. It shows the vulnerability details, such as the associated exploits affecting what machines and its business impact. Click **Open software page** option from the flyout menu.  + +3. Click **Installed machines** and select the affected machine from the list to open the flyout page with the relevant machine details, exposure and risk levels, alert and incident activities.  + +4. Click **Open machine page** to connect to the machine and apply the selected recommendation.  + +5. Allow a few hours for the changes to propagate in the system. + +6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate won't be listed there anymore, and the exposure score should decrease. + +## Improve your security configuration +>[!NOTE] +> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). We’ll keep the secure score page available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page. + +Remediating issues in the security recommendations list will improve your configuration. As you do so, your configuration score improves, which means building your organization's resilience against cybersecurity threats and vulnerabilities stronger. + +1. From the Configuration score widget, select **Security controls**. This opens the **Security recommendations** page showing the list of issues related to security controls. + + >> + +2. Select the first item on the list. This opens the flyout menu with the description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**. +  + +3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up. + + >>. + + >You will see a confirmation message that the remediation task has been created. + > + +4. Save your CSV file. +  + +5. Send a follow up email to your IT Administrator and allow the time that you have alloted for the remediation to propagate in the system. + +6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be be listed there anymore, and your configuration score should increase. + + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Configuration score](configuration-score.md) + diff --git a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md index 026ac5e02d..54a2033aa8 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 12/03/2018 --- # Microsoft Threat Protection diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md index ae5f7b984d..f9dd490e81 100644 --- a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md @@ -17,10 +17,8 @@ ms.topic: article --- # Indicator resource type - -**Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prerelease information](prerelease.md)] +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Method|Return Type |Description :---|:---|:--- diff --git a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md index 0a8c046f35..ea1cc5d2b6 100644 --- a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 02/13/2018 --- # Windows Defender Security Center time zone settings diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md index 500048787b..96753d16e3 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md @@ -15,18 +15,13 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: troubleshooting -ms.date: 06/25/2018 --- # Troubleshoot custom threat intelligence issues **Applies to:** - - - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - You might need to troubleshoot issues while using the custom threat intelligence feature. This page provides detailed steps to troubleshoot issues you might encounter while using the feature. diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md index 3f520e22f4..4541e327e6 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md @@ -15,14 +15,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: troubleshooting -ms.date: 08/01/2018 --- # Troubleshoot subscription and portal access issues **Applies to:** - - - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index a3097cd460..a859c2f21b 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: troubleshooting -ms.date: 11/08/2018 --- # Troubleshoot SIEM tool integration issues diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md index fccd8ca55a..f0636c3363 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: troubleshooting -ms.date: 09/03/2018 --- # Troubleshoot Windows Defender Advanced Threat Protection diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md index ee883b6d7f..95c591fbec 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: troubleshooting -ms.date: 07/30/2018 --- # Troubleshoot service issues diff --git a/windows/security/threat-protection/windows-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/windows-defender-atp/tvm-dashboard-insights.md new file mode 100644 index 0000000000..d66a7239fa --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/tvm-dashboard-insights.md @@ -0,0 +1,76 @@ +--- +title: What's in the dashboard and what it means for my organization's security posture +description: What's in the Threat & Vulnerability Management dashboard and how it can help SecOps and Security Administrators arrive at informed decisions in addressing cybersecurity threat vulnerabilities and building their organization's security resilience. +keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: eADQiWindows 10XVcnh +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- +# Threat & Vulnerability Management dashboard overview + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: +- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities +- Invaluable machine vulnerability context during incident investigations +- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) + + >[!NOTE] + > Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks. + +You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to: +- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines +- Correlate EDR insights with endpoint vulnerabilities and process them +- Select remediation options, triage and track the remediation tasks + +## Threat & Vulnerability Management in Microsoft Defender Security Center +When you open the portal, you’ll see the main areas of the capability: + +  + +  + +- (1) Menu in the navigation pane +- (2) Threat & Vulnerability Management icon +- (3) Threat & Vulnerability Management dashboard + +You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section. + +Area | Description +:---|:--- +(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities. +(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, and **Software inventory**. +**Dashboards** | Get a high-level view of the organization exposure score, MDATP configuration score, top remediation activities, top security recommendations, top vulnerable software, and top exposed machines data. +**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list and it will open a flyout pane where you will see vulnerability details, and have the option to open the software page, and see the remediation options. +**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV. +**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the vulnerabilities and misconfigurations associated and its machine and version distribution details. +(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, **Top exposed machines**, and **Threat campaigns**. +**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down your organization’s exposure score to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. +**MDATP Configuration score** | See the security posture of your organization’s operating system, applications, network, accounts and security controls. The goal is to increase your configuration score by remediating the related security configuration issues. You can click the bars and it will take you to the **Security recommendation** page for details. +**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it will take you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, OS platform, its health state, when it was last seen, and its tags. +**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts , associated public exploits , and recommendation insights . You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list. +**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable application list in the **Software inventory** page. +**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities. +**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list. + +See [Microsoft Defender ATP icons](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal. + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Configuration score](configuration-score.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md index 07203db964..bcfc51d9e5 100644 --- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 + --- # Release machine from isolation API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Undo isolation of a machine. diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md index d6bd15719c..24e1453c32 100644 --- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Remove app restriction API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Enable execution of any application on the machine. diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md index 8c700cf5fd..4f1fe6545e 100644 --- a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Update alert **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - -[!include[Prereleaseinformation](prerelease.md)] Update the properties of an alert entity. ## Permissions diff --git a/windows/security/threat-protection/windows-defender-atp/use-apis.md b/windows/security/threat-protection/windows-defender-atp/use-apis.md index 9104f53a2b..18e77632f4 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-apis.md +++ b/windows/security/threat-protection/windows-defender-atp/use-apis.md @@ -1,5 +1,5 @@ --- -title: Windows Defender ATP Public API +title: Windows Defender ATP APIs description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. keywords: apis, api, wdatp, open api, windows defender atp api, public api, alerts, machine, user, domain, ip, file search.product: eADQiWindows 10XVcnh @@ -14,12 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/28/2018 --- -# Windows Defender ATP Public API +# Windows Defender ATP APIs -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md index a5bf6b10dc..be38700ccf 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Use the threat intelligence API to create custom alerts diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index 07291b3a48..268f112212 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 03/12/2018 --- # Overview of Windows Defender Security Center diff --git a/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md index 12ad0a75b8..6bc2c21435 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md @@ -14,10 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # User resource type +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Method|Return Type |Description :---|:---|:--- diff --git a/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md index 5f6903dad8..10af5a5e7c 100644 --- a/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md +++ b/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/08/2018 --- # View and organize the Windows Defender Advanced Threat Protection Incidents queue diff --git a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md index b73e7bc8b1..b8352cb7d6 100644 --- a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md +++ b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md @@ -19,13 +19,26 @@ ms.topic: conceptual # What's new in Windows Defender ATP **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Here are the new features in the latest release of Windows Defender ATP as well as security features in Windows 10 and Windows Server. +## April 2019 +The following capability is generally available (GA). + +- [Microsoft Defender ATP API](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/use-apis)
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. + + +### In preview +The following capabilities are included in the April 2019 preview release. + +- [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt)
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. + +- [Interoperability](https://docs.microsoft.com/windows/security/threat-protection/partner-applications)
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. + ## March 2019 ### In preview -The following capability are included in the February 2019 preview release. +The following capability are included in the March 2019 preview release. - [Machine health and compliance report](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection)
The machine health and compliance report provides high-level information about the devices in your organization. diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index 43bb2202f5..14c491a3cf 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -2,7 +2,7 @@ title: Windows Defender Advanced Threat Protection description: Windows Defender Advanced Threat Protection is an enterprise security platform that helps secops to prevent, detect, investigate, and respond to possible cybersecurity threats related to advanced persistent threats. keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection -search.product: eADQiWindows 10XVcnh +search.product: Windows 10 search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy @@ -47,9 +47,8 @@ Windows Defender ATP uses the following combination of technology built into Win
Windows Defender ATP
|
-
- Attack surface reduction |
+ Threat & Vulnerability Management |
+Attack surface reduction |
 Next generation protection |
 Endpoint detection and response |
 Automated investigation and remediation |
@@ -57,23 +56,27 @@ Windows Defender ATP uses the following combination of technology built into Win
Microsoft Threat Experts |
||||||
| + |
|
|||||||||||
- - - >[!TIP] >- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). >- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). + + +**[Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)**
+This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. + + + **[Attack surface reduction](overview-attack-surface-reduction.md)**
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md index d85d398e43..3c620a48d0 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 07/01/2018 --- # Windows Defender Security Center diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index e16b905b59..5bfe2c6ba4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -63,22 +63,22 @@ Event ID | Description The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs: -Rule name | GUID --|- -Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A -Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D -Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 -Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 -Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c -Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 -Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +Rule name | GUID | File & folder exclusions +-|-|- +Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported +Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported +Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported +Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported +Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported +Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported +Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported +Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported +Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported +Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported +Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Not supported +Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported +Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported +Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index c49eae7912..bde9222c86 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -100,6 +100,9 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi >The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. >CFG will be enabled for *miles.exe*. +>[!NOTE] +>If you have found any issues in this article, you can report it directly to a Windows Server/Windows Client partner or use the Microsoft technical support numbers for your country. + ### Configure system-level mitigations with the Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index c5d238cf59..73bc1915d3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -17,7 +17,7 @@ ms.author: v-anbic [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. -To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules. +To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. ## Exclude files and folders from ASR rules diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index 307b13fd20..93e5640492 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -53,8 +53,8 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev | Event ID | Description | |----------|-------------| |5007 | Event when settings are changed | -| 1121 | Event when an attack surface reduction rule fires in audit mode | -| 1122 | Event when an attack surface reduction rule fires in block mode | +| 1121 | Event when an attack surface reduction rule fires in block mode | +| 1122 | Event when an attack surface reduction rule fires in audit mode | ## Customize attack surface reduction rules diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index 667c554a43..958cc3e6d8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md @@ -49,10 +49,11 @@ You can also use Group Policy, Intune, MDM, or System Center Configuration Manag The following controlled folder access events appear in Windows Event Viewer. -Event ID | Description -5007 | Event when settings are changed -1124 | Audited controlled folder access event -1123 | Blocked controlled folder access event +| Event ID | Description | +| --- | --- | +| 5007 | Event when settings are changed | +| 1124 | Audited controlled folder access event | +| 1123 | Blocked controlled folder access event | ## Customize protected folders and apps @@ -63,4 +64,4 @@ See [Protect important folders with controlled folder access](controlled-folders ## Related topics - [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) - [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md) -- [Use audit mode](audit-windows-defender-exploit-guard.md) \ No newline at end of file +- [Use audit mode](audit-windows-defender-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md new file mode 100644 index 0000000000..2766b15d05 --- /dev/null +++ b/windows/security/threat-protection/windows-security-baselines.md @@ -0,0 +1,80 @@ +--- +title: Windows security baselines +description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: sagaudre +author: justinha +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 06/25/2018 +--- + +# Windows security baselines + +**Applies to** + +- Windows 10 +- Windows Server 2016 +- Office 2016 + +## Using security baselines in your organization + +Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. + +Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines. + +We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs. + +Here is a good blog about [Sticking with Well-Known and Proven Solutions](https://blogs.technet.microsoft.com/fdcc/2010/10/06/sticking-with-well-known-and-proven-solutions/). + +## What are security baselines? + +Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. + +A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. + +## Why are security baselines needed? + +Security baselines are an essential benefit to customers because they bring together expert knowledge from Microsoft, partners, and customers. + +For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine the appropriate value for each setting. + +In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to Windows security settings to help mitigate these threats. To enable faster deployments and make managing Windows easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects backups. + +## How can you use security baselines? + +You can use security baselines to: +- Ensure that user and device configuration settings are compliant with the baseline. +- Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. + +## Where can I get the security baselines? + +You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. + +The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. + +[](security-compliance-toolkit-10.md) +[](get-support-for-security-baselines.md) + +## Community + +[](https://blogs.technet.microsoft.com/secguide/) + +## Related Videos + +You may also be interested in this msdn channel 9 video: +- [Defrag Tools](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-174-Security-Baseline-Policy-Analyzer-and-LGPO) + +## See Also + +- [System Center Configuration Manager (SCCM)](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) +- [Operations Management Suite](https://www.microsoft.com/cloud-platform/operations-management-suite) +- [Configuration Management for Nano Server](https://blogs.technet.microsoft.com/grouppolicy/2016/05/09/configuration-management-on-servers/) +- [Microsoft Security Guidance Blog](https://blogs.technet.microsoft.com/secguide/) +- [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319) +- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png b/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png new file mode 100644 index 0000000000..06f66acf99 Binary files /dev/null and b/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png differ diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-classification.png b/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-classification.png new file mode 100644 index 0000000000..75467f2098 Binary files /dev/null and b/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-classification.png differ diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-deployment-methodologies.png b/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-deployment-methodologies.png new file mode 100644 index 0000000000..4f869474e2 Binary files /dev/null and b/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-deployment-methodologies.png differ diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/blocking-remote-use-of-local-accounts.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/blocking-remote-use-of-local-accounts.md deleted file mode 100644 index 42298233a6..0000000000 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/blocking-remote-use-of-local-accounts.md +++ /dev/null @@ -1,74 +0,0 @@ ---- -title: Blocking Remote Use of Local Accounts -description: Covers the issues and tradeoffs of enabling account lockout and how tightly to enforce it. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: aaronmar -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 03/15/2019 ---- - -# Blocking Remote Use of Local Accounts - -**Applies to** - - Windows 10 - - Windows Server - -The use of local accounts for remote access in Active Directory environments is problematic for a number of reasons. -By far, the biggest problem is that when an administrative local account has the same user name and password on multiple machines, an attacker with administrative rights on one machine can easily obtain the account’s password hash from the local Security Accounts Manager (SAM) database and use it to gain administrative rights over the other machines using “pass the hash” techniques. - -Our latest security guidance responds to these problems by taking advantage of new Windows features to block remote logons by local accounts. -Windows 8.1 and Windows Server 2012 R2 introduced two new security identifiers (SIDs), which are also defined on Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012 after installing [KB 2871997](http://support.microsoft.com/kb/2871997): - -- S-1-5-113: NT AUTHORITY\Local account -- S-1-5-114: NT AUTHORITY\Local account and member of Administrators group - -The former SID is added to the user’s access token at the time of logon if the user account being authenticated is a local account. -The latter SID is also added to the token if the local account is a member of the BUILTIN\Administrators group. -These SIDs can grant or deny access to all local accounts or all administrative local accounts – for example, in User Rights Assignments to “Deny access to this computer from the network” and “Deny log on through Remote Desktop Services”, as we recommend in our latest security guidance. -Prior to the definition of these SIDs, you would have had to explicitly name each local account to be restricted to achieve the same effect. - -In the initial release of the Windows 8.1 and Windows Server 2012 R2 guidance, we denied network and remote desktop logon to “Local account” (S-1-5-113) for all Windows client and server configurations, which blocks all remote access for all local accounts. - -We have since discovered that Failover Clustering relies on a non-administrative local account (CLIUSR) for cluster node management and that blocking its network logon access causes cluster services to fail. -Because the CLIUSR account is not a member of the Administrators group, replacing S-1-5-113 with S-1-5-114 in the “Deny access to this computer from the network” setting allows cluster services to work correctly while still providing protection against “pass the hash” types of attacks by denying network logon to administrative local accounts. - -While we could keep the guidance as it is and add a “special case” footnote for failover cluster scenarios, we will instead opt to simplify deployments and change the Windows Server 2012 R2 Member Server baseline as follows: - -Policy Path - - -Computer Configuration\Windows Settings\Local Policies\User Rights Assignment - - -Policy Name - - -Deny access to this computer from the network - - -Original Value - - -Guests, Local account (*) - - -New Value - - -Guests, Local account and member of Administrators group (*) - -The guidance also recommends adding Domain Admins and Enterprise Admins to these restrictions except on domain controllers and dedicated admin workstations. -DA and EA are domain-specific and can’t be specified in generic GPO baselines. - -Note that this change applies only to the Member Server baseline and that the restriction on remote desktop logon is not being changed. -Organizations can still choose to deny network access to “Local account” for non-clustered servers. - -Note also that the restrictions on local accounts are intended for Active Directory domain-joined systems. -Non-joined, workgroup Windows computers cannot authenticate domain accounts, so if you apply restrictions against remote use of local accounts on these systems, you will be able to log on only at the console. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/configuring-account-lockout.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/configuring-account-lockout.md deleted file mode 100644 index 3c6b559a54..0000000000 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/configuring-account-lockout.md +++ /dev/null @@ -1,100 +0,0 @@ ---- -title: Configuring Account Lockout -description: Covers the issues and tradeoffs of enabling account lockout and how tightly to enforce it. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: aaronmar -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 03/15/2019 ---- - -# Configuring Account Lockout - -**Applies to** - - Windows 10 - - Windows Server - - We can recommend an ideal configuration for most of the settings in our security guidance. - For example, the “Debug programs” privilege should be granted to Administrators and to no one else. - For account lockout, however, there is no “one size fits all” setting, but there’s a lot of heated discussion whenever anyone tries to pick one. - Ultimately, each organization must determine what best meets their own needs. - This blog post tries to help by discussing the issues and tradeoffs of enabling account lockout and how tightly to enforce it. - We had to pick _something_ for the baseline, so we discuss the settings we selected and why we changed them from what we had selected for other recent baselines. - Again, though, this is one where you should take a close look at the threats and tradeoffs for your own environment before applying the settings we picked. - -## The Basics of Account Lockout - -The purpose of account lockout is to make it harder for password-guessing attacks to succeed. -If account lockout is not configured, an attacker can automate an attempt to log on with different user accounts, trying common passwords as well as every possible combination of eight or fewer characters in a very short amount of time, until one finally works. -When account lockout is configured, Windows locks the account after a certain number of failed logon attempts, and blocks further logon attempts even if the correct password is supplied. - -Windows account lockout can be configured with these three settings: - -- _Account lockout threshold_: the number of failed logon attempts that trigger account lockout. If set to 0, account lockout is disabled and accounts are never locked out. -- _Account lockout duration_: the number of minutes that an account remains locked out before it’s automatically unlocked. If set to 0, the account remains locked out until an administrator explicitly unlocks it. -- _Reset account lockout counter after_: the number of minutes after a failed logon attempt before the bad-logon counter is reset to 0. The counter is also reset after a successful logon. - -## Account Lockout Tradeoffs - -While account lockout can help prevent intrusion, it can also expose your organization to accidental lockouts as well as to denial of service attacks. - -Not every bad logon attempt reflects an attempt to gain unauthorized access. -Users sometimes forget their passwords. -Also, applications, particularly those that use saved passwords, are often unaware of a password change and continue to use the old password, sometimes automatically retrying the same password many times in a short amount of time. -This becomes increasingly true as users have more devices such as phones and tablets that log on to get email or other corpnet access. -If the account lockout threshold is set too low, you are likely to see a lot of accidental lockouts. -In addition to users not being able to perform their work, lockouts can lead to expensive helpdesk calls, especially when administrator intervention is required to unlock the account. -Finding the root cause of accidental lockouts can be time-consuming as well. -It’s therefore good to set a threshold that avoids accidental lockouts, while not setting the threshold so high that attackers are given too much opportunity to succeed. -Setting the lockout duration to a “reasonable” non-zero value can also reduce helpdesk calls. -The combination of threshold, lockout duration and reset settings determines how many guesses attackers get per day; ideally you slow them down to the point that it becomes impractical or at least not worthwhile for them to pursue this type of attack. - -At the same time, whenever account lockout is configured at all it is easy for an attacker to conduct a denial of service attack and deliberately lock out accounts. -It doesn’t matter whether you set the threshold to 5 or 50 – an automated attack can perform that many deliberately failed logon attempts on a large number of accounts very quickly and lock them out. -If the lockout duration is short, an attacker can still maintain a sustained attack, locking out accounts as soon as they become unlocked. -If the lockout duration is indefinite (0), then this can be a crippling attack. - -## Reducing or Eliminating the Need for Account Lockout - -If you employ other mitigations against password-guessing attacks, you can afford to set a higher lockout threshold or even disable account lockout altogether. -Some of these mitigations are: - -- Proactively monitor for failed logon events and have a robust response mechanism in place when password-guessing is detected. -- Configure “Smart card required for interactive logon” (SCRIL), and do not manually set a password for the account after doing so. When SCRIL is configured, the account’s password hash is replaced with a random value, making a password logon effectively impossible. When SCRIL is configured, therefore, account lockout should be disabled to prevent denial of service. -- Require long passwords. The entire set of eight-character passwords can be tested in a short amount of time. Windows policies allow you to set a minimum length of 14 characters, which is the setting we recommend. You can set a minimum password length greater than 14 characters by using [fine-grained password polices](https://docs.microsoft.com/windows-server/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements--level-100-#fine_grained_pswd_policy_mgmt). Passwords can be up to 256 characters - -## Baseline Selections - -As we said at the outset, there is no single account lockout configuration that works for all organizations. -Our recommendation regarding account lockout is to consider the tradeoffs and pick what’s right for your situation. -However, our security guidance includes GPOs and security templates that you can apply directly, and it’s not possible to set the account lockout threshold in them to “do the right thing”. So we have to pick something. - -The settings in our baselines are intended for large audiences. -We recognize that many organizations will apply these settings without reading the fine print or considering the nuances and tradeoffs. -We have to try to find the right balance between security and “break everything” that will work reasonably well for most organizations. - -As of Oct 15, 2015, we have selected a threshold of 10 bad attempts, a 15 minute lockout duration, and counter reset after 15 minutes. -That threshold value is a change from the Windows 8.1/Windows Server 2012 R2 beta guidance as well as from past baselines. - -The threshold we published with the Windows 7/Windows Server 2008 R2 guidance was 50 bad attempts. -With the 15 minute duration and 15 minute counter reset, that gave attackers up to 200 guesses per hour. -For Windows 8/Windows Server 2012, we had changed it to 5, after much discussion with the external security community, including the Center for Internet Security (CIS), the US National Security Agency (NSA), the US Defense Information Systems Agency (DISA) and others. The thinking at that point was that a typical user is unlikely to mistype their password five times unless they really don’t remember it, in which case they’ll probably need to call the helpdesk anyway. -We have increased that threshold to 10 because our support engineers have seen many accidental lockouts, particularly with the increase in devices per user. -Increasing the threshold to 10 should reduce the number of accidental lockouts, while at the same time not giving attackers 200 guesses per hour again. - -## Account Lockout Technical Errata - -The public documentation may not be clear about these points, and they are worth knowing: - -An attempted logon using either of an account’s two most recent previous passwords will not succeed, but will not increment the bad-logon counter either. -In other words, repeated use of a saved password will trigger account lockout only after the third password change. - -Failed attempts to unlock a workstation can cause account lockout even if the “Interactive logon: Require Domain Controller authentication to unlock workstation” security option is disabled. -Windows doesn’t need to contact a DC for an unlock if you enter the same password that you logged on with, but if you enter a different password, Windows has to contact a DC in case you had changed your password from another machine. -It’s actually easy to lock out an account on a locked workstation in seconds just by pressing Ctrl+Alt+Del and then holding down the Enter key. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md deleted file mode 100644 index a96127eea1..0000000000 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md +++ /dev/null @@ -1,24 +0,0 @@ ---- -title: Dropping the “Untrusted Font Blocking” setting -description: Windows 10 includes additional mitigations that make this setting less important, and it breaks several legitimate scenarios unnecessarily. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: aaronmar -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 03/15/2019 ---- - -# Dropping the “Untrusted Font Blocking” setting - -**Applies to** - - Windows 10 - - Windows Server - - - diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md deleted file mode 100644 index dac5c6d54c..0000000000 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md +++ /dev/null @@ -1,77 +0,0 @@ ---- -title: Sticking with Well-Known and Proven Solutions -description: Using proven enterprise management technologies instead of creating and maintaining your own will increase flexibility and reduce costs. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: aaronmar -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 03/15/2019 ---- - -# Sticking with Well-Known and Proven Solutions - -**Applies to** - - Windows 10 - - Windows Server - -I work with a lot of customers, and there are some problems I see over and over. -One problem that I've seen and been thinking about a lot lately is the way that a number of customers paint themselves into a corner through excessive customization of their environment. -Lately I've been making the case that they would be much better off by sticking with defaults or broadly known and well-tested configurations, and with proven enterprise solutions over home-grown tools. - -First, let me make it clear that these situations generally haven't arisen from anyone's bad decisions. -They were reasonable choices and possibly the best options available when the decisions were first made. -However, desktop and application deployment, enterprise management and security guidance have evolved and matured rapidly over the past several years. -We know a lot today that we didn't ten years ago. -If your organization (like many others) is planning to migrate to Windows 10, this is a perfect opportunity to revisit those decisions. -I liken it to moving to a new house after living in the old one for ten years. -You can pack all your old dusty, broken and ill-fitting possessions into boxes, ship them to the new house, then unpack the boxes and figure out where to fit all the clutter. -Or you can take advantage of the opportunity to get rid of detritus and enjoy the new place. - -What kinds of customizations am I talking about? -They include but are certainly not limited to home-grown software for deploying applications and monitoring desktop configuration, enforcing non-standard file and folder locations or renaming those folders, enabling unnecessary and low-value security options, reverse-engineering and then depending on or even modifying undocumented registry data, and modifying the permissions of operating system files, folders and registry keys. - -These customizations usually turn out to be expensive. -They limit flexibility, increase the cost and complexity of managing the environment, and cause strange unexpected behaviors including patch failures. -Have you had any of these issues in your environment? - -- Every piece of software to be deployed needs custom and time-consuming repackaging that is unique to your environment. -- Your custom management solutions don't work on Windows 10. -- The apps you purchase don't work the way they should without additional customization. -- Ramp-up time for new personnel takes longer than it should because they need to learn all the idiosyncrasies of your configuration. -- Bugs occur that wouldn't occur in a default or industry-standard configuration, and it takes a long time for techs to diagnose because they don't know about the quirks or realize their impact. -- You have home-grown tools or scripts that have an admin password embedded in them. (This is always a bad security risk. **Always.**) -- Your security experts don't think they're doing their job unless they put their own personal stamp on your security configuration, as if they get paid by the tweak. -- If the guy who manages your app deployment gets hit by a truck, you'll probably go out of business. -- The guy who owns the custom code insists that all commercial alternatives suck and won't work in your environment. (Perhaps you've had the sense that his ego and reality mutually agreed to separate a while ago.) - -Sometimes you need to write your own software, particularly for line-of-business (LOB) purposes. -But there is a vanishingly small need for any business to write or maintain its own desktop management or application deployment software. -Unlike proven enterprise solutions, home-grown software tends to take dependencies on platform-specific features such as hardcoded file paths or undocumented system behaviors and to use undocumented and unsupported interfaces and registry data, which makes it hard to move to a new platform or even a standard configuration of your existing platform. -They also tend not to meet the performance and scale characteristics or upgrade paths of proven products from a product group with robust testing and support organizations behind them. - -Consider the US Government Configuration Baseline (USGCB). -It includes a large set of security settings which is supposed to be mandated across the entire US Federal government. -If you apply them, you're applying the same settings that lots of other groups have tested and worked with. -Setting-specific issues will generally be well-known. -Now consider the problem that one of my customers ran into just the other day. -Along with a whole raft of other non-standard security settings, their security organization had applied the IE security option, "Do not save encrypted pages to disk," which prevents content that arrived over a secure HTTPS channel from being written to disk. -On the face of it, doesn't that sound like a good idea? -Sure! -Enable that policy! -After the new policies had been in production for a while, all of a sudden people panicked. -It was payday, and the paystub web site was showing a blank page where it was supposed to display the user's paystub as a PDF document. -Naturally, fixing this high-visibility issue was immediately assigned as the top priority to a group of tech experts who had to set aside other high priority tasks. -Now, there are USGCB settings that are known to interfere with Adobe Acrobat Reader integration with Internet Explorer, and this is where I focused my attention. -That turned out to be a dead end. -A colleague of mine eventually took to disabling bunches of settings at a time to try to narrow down the issue, until he finally traced it to "Do not save encrypted pages to disk." -Because this setting is not mandated or used by the FDCC, USGCB, or any Department of Defense configurations, the symptom and root cause was not one with which we were familiar, nor would it be one that I would expect most other people would think to focus on if they had not run into the problem themselves. -Oh and guess what? -It turns out that years ago this setting was specifically excluded from the earliest revisions of the US Air Force Standard Desktop Configuration (the ancestor of the FDCC) because of problems just like this. - -Bottom line: if you stick with the Windows defaults wherever possible or industry-standard configurations such as the Microsoft Windows security guidance or the USGCB, and use proven enterprise management technologies instead of creating and maintaining your own, you will increase flexibility, reduce costs, and be better able to focus on your organization's real mission. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md deleted file mode 100644 index ba67ceadae..0000000000 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md +++ /dev/null @@ -1,78 +0,0 @@ ---- -title: Why We’re Not Recommending "FIPS Mode" Anymore -description: This topic explains why Microsoft changed from recommending FIPS mode be enabled to Not Defined. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: aaronmar -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 03/15/2019 ---- - -# Why We’re Not Recommending “FIPS Mode” Anymore - -**Applies to** - - Windows 10 - - Windows Server - -In [the latest review of the official Microsoft security baselines](https://blogs.technet.microsoft.com/b/secguide/archive/2014/04/07/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11.aspx) for all versions of Windows client and Windows Server, we decided to remove our earlier recommendation to enable “FIPS mode”, or more precisely, the security option called “System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.” -In our previous guidance we had recommended a setting of “Enabled”, primarily to align with US Federal government recommendations. -In our updated guidance, the recommendation is “Not Defined”, meaning that we leave the decision to customers. -Many people will correctly see this as a significant change, and it deserves explanation. - -The United States Federal Information Processing Standard (FIPS) 140 standard defines cryptographic algorithms approved for use by US Federal government computer systems for the protection of sensitive data. -An implementation of an approved cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed National Institute of Standards and Technology (NIST) validation. -A particular implementation of an algorithm that has not been submitted cannot be considered FIPS-compliant even if it produces identical data as a validated implementation of the same algorithm. Note that the requirement to use approved and validated algorithms applies only to the protection of sensitive data. -Systems and applications are always free to use weak or non-validated cryptographic implementations for non-security purposes, such as in a hash table for indexing and lookup purposes. - -## What FIPS mode does -Enabling FIPS mode makes Windows and its subsystems use only FIPS-validated cryptographic algorithms. -An example is Schannel, which is the system component that provides SSL and TLS to applications. -When FIPS mode is enabled, Schannel disallows SSL 2.0 and 3.0, protocols that fall short of the FIPS standards. -Applications such as web browsers that use Schannel then cannot connect to HTTPS web sites that don’t use at least TLS 1.0. -(Note that the same results can be achieved without FIPS mode by configuring Schannel according to [KB 245030](http://support.microsoft.com/kb/245030) and [this blog post](https://blogs.technet.microsoft.com/b/askds/archive/2011/05/04/speaking-in-ciphers-and-other-enigmatic-tongues.aspx).) - -Enabling FIPS mode also causes the .NET Framework to disallow the use of non-validated algorithms. -(More on this [later](#why-fips-mode-is-particularly-onerous).) - -A more complete listing of the effects of enabling FIPS mode can be found in [KB 811833](https://blogs.technet.microsoft.com/b/askds/archive/2011/05/04/speaking-in-ciphers-and-other-enigmatic-tongues.aspx). - -## What FIPS mode does not do -Beyond the effects described above, FIPS mode is merely advisory to applications. -Applications that do not check or choose to ignore the registry setting associated with FIPS mode and that are not dependent on the subsystems described earlier will continue to work exactly as they had with FIPS mode disabled. -For example, a Win32 application−or third party disk encryption software−written in C++ that uses the very weak and non-FIPS-approved DES encryption algorithm exposed by the CryptoAPI will behave exactly the same whether FIPS mode is enabled. - -Further, FIPS mode does not and cannot ensure that applications even use encryption at all when appropriate. -There is nothing Windows can do to prevent an application from saving plaintext passwords or other sensitive data in unprotected files or registry values. -The bottom line here is that just because a software product works when FIPS mode is enabled does not mean that it adheres to government standards. - -## Why FIPS mode is particularly onerous -Perhaps the biggest problems incurred by enabling FIPS mode involve applications that use the .NET Framework. -If FIPS mode is enabled, the .NET Framework disallows the use of all non-validated cryptographic classes. -The problem here is that the Framework offers multiple implementations of most algorithms, and not all of them have been submitted for validation, even though they are similar or identical to implementations that have been approved. - -For example, the .NET Framework currently provides three implementations of the SHA256 hashing algorithm: SHA256Cng, SHA256CryptoServiceProvider, and SHA256Managed. -The first two use “platform invoke” (a.k.a., “p/invoke”) to use Windows’ underlying implementations, which are FIPS-validated. -By contrast, SHA256Managed, like all the other crypto classes ending with “Managed”, is implemented strictly in .NET managed code and doesn’t use the underlying platform implementations. -Although it is an acceptably strong hashing algorithm for most uses, the Managed implementations have never been submitted to NIST for validation. -And so if an application tries to use this class and FIPS mode is enabled, the Framework will raise an exception and not allow the class to be used; this exception will almost always cause the application to fail, if not terminate immediately. - -Compounding the problem is that in most cases the Managed implementations of the various cryptographic algorithms have been available much longer than their Cng and CryptoServiceProvider counterparts, and on top of that, the Managed implementations tend to be significantly faster. - -Another significant problem with FIPS mode is that until very recently there was no NIST-approved way to derive an encryption key from a password. That blocked use of the Bitlocker Drive Encryption feature that stored a computer’s 48-character recovery password to Active Directory. Using the newer standard for password-based key derivation functions, this is no longer a problem beginning with Windows 8.1 and Windows Server 2012 R2, but it remains a problem for older versions of Windows. - -Finally, the .NET Framework’s enforcement of FIPS mode cannot tell whether any particular use of a cryptographic class is not for security purposes and thus not in violation of standards. - -## Is Microsoft contradicting government regulations? -Government regulations may continue to mandate that FIPS mode be enabled on government computers running Windows. -Our updated recommendations do not contradict or conflict with government guidance: we’re not telling customers to turn it off−our recommendation is that it’s each customer’s decision to make. -Our updated guidance reflects our belief there is not a compelling reason for our customers that are not subject to government regulations to enable FIPS mode. - -References: -- [FIPS 140 Evaluation](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation) -- ["System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows](https://support.microsoft.com/help/811833/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashi) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md index 2160e044a3..e17ed61da6 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md @@ -31,7 +31,7 @@ They can’t justify the investment in that very high level of security with an As such, Microsoft is introducing a new taxonomy for security configurations for Windows 10. This new security configuration framework, which we call the SECCON framework (remember "WarGames"?), organizes devices into one of 5 distinct security configurations. - + - [Level 5 Enterprise Security](level-5-enterprise-security.md) – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this level are generally straightforward and are designed to be deployable within 30 days. - [Level 4 Enterprise High Security](level-4-enterprise-high-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days. @@ -51,7 +51,7 @@ Level 5 should be considered the minimum baseline for an enterprise device, and The recommendations are grouped into three categories. - + ## Security control deployment methodologies @@ -59,6 +59,6 @@ The recommendations are grouped into three categories. The way Microsoft recommends implementing these controls depends on the auditability of the control–there are two primary methodologies. - + diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json index 055e983ab5..ca62dbde8c 100644 --- a/windows/threat-protection/docfx.json +++ b/windows/threat-protection/docfx.json @@ -39,7 +39,8 @@ "ms.date": "04/05/2017", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.win-threat-protection" + "depot_name": "MSDN.win-threat-protection", + "folder_relative_path_in_docset": "./" } } }, @@ -47,4 +48,4 @@ "template": [], "dest": "win-threat-protection" } -} \ No newline at end of file +} diff --git a/windows/update/docfx.json b/windows/update/docfx.json index e95b5a9ccc..0e654307a9 100644 --- a/windows/update/docfx.json +++ b/windows/update/docfx.json @@ -32,7 +32,8 @@ "globalMetadata": { "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.windows-update" + "depot_name": "MSDN.windows-update", + "folder_relative_path_in_docset": "./" } } }, @@ -40,4 +41,4 @@ "template": [], "dest": "windows-update" } -} \ No newline at end of file +} diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 15581c3398..8095c10abd 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -41,7 +41,8 @@ "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.win-whats-new" + "depot_name": "MSDN.win-whats-new", + "folder_relative_path_in_docset": "./" } } }, @@ -50,4 +51,4 @@ "dest": "win-whats-new", "markdownEngineName": "dfm" } -} \ No newline at end of file +} diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index a48b1bcd0e..1798631ea3 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -29,7 +29,6 @@ Windows 10 provides IT professionals with advanced protection against modern sec ## Learn more -- [Windows 10 roadmap](https://www.microsoft.com/en-us/WindowsForBusiness/windows-roadmap) - [Windows 10 release information](https://technet.microsoft.com/windows/release-info) - [Windows 10 update history](https://support.microsoft.com/help/12387/windows-10-update-history) - [Windows 10 content from Microsoft Ignite](https://go.microsoft.com/fwlink/p/?LinkId=613210) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 4a15ed3e75..dd8a314962 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -305,7 +305,7 @@ IT Pros can use Autopilot Reset to quickly remove personal files, apps, and sett ### Faster sign-in to a Windows 10 shared pc -If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](/windows/configuration/set-up-shared-or-guest-pc.md) in a flash! +If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash! **To enable fast sign-in:** 1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC.