-- Reset or recover the device from the Windows Recovery Environment. For more information, see [What is Windows RE?](https://technet.microsoft.com/library/cc765966.aspx) - -> [!NOTE] -> To enter recovery mode, unplug the power cord and plug it in again three times. - ## Contact Support If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection). diff --git a/devices/surface-hub/surface-hub-security.md b/devices/surface-hub/surface-hub-security.md index 4dc2b7518e..faee5ad929 100644 --- a/devices/surface-hub/surface-hub-security.md +++ b/devices/surface-hub/surface-hub-security.md @@ -5,7 +5,7 @@ keywords: separate values with commas ms.prod: surface-hub ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin manager: laurawi audience: Admin ms.topic: article diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md index 8e584f17b3..673c77e71c 100644 --- a/devices/surface-hub/surface-hub-update-history.md +++ b/devices/surface-hub/surface-hub-update-history.md @@ -24,6 +24,23 @@ Please refer to the “[Surface Hub Important Information](https://support.micro ## Windows 10 Team Creators Update 1703 +
+
+
May 4, 2020—update for Surface Hub 2S
+ +This update is specific to the Surface Hub 2S and provides the driver and firmware updates outlined below: + +* Surface USB audio driver - 15.3.6.0 + * Improves directional audio performance. +* Intel(R) display audio driver - 10.27.0.5 + * Improves screen sharing scenarios. +* Intel(R) graphics driver - 26.20.100.7263 + * Improves system stability. +* Surface System driver - 1.7.139.0 + * Improves system stability. +* Surface SMC Firmware update - 1.176.139.0 + * Improves system stability. +February 28, 2020—update for Surface Hub 2S
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 5adf5c3ca4..bc2ee2a9fa 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -29,21 +29,21 @@ ### [Deploy Surface devices](deploy.md) ### [Windows Autopilot and Surface devices](windows-autopilot-and-surface-devices.md) +### [Windows Virtual Desktop on Surface](windows-virtual-desktop-surface.md) ### [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md) ### [Surface Pro X app compatibility](surface-pro-arm-app-performance.md) ### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) ### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md) -### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md) ### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) ### [Enable the Surface Laptop keyboard during MDT deployment](enable-surface-keyboard-for-windows-pe-deployment.md) ### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md) ### [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md) -### [Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md) ### [Surface System SKU reference](surface-system-sku-reference.md) ## Manage ### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) +### [Manage Surface driver updates in Configuration Manager](manage-surface-driver-updates-configuration-manager.md) ### [Optimize Wi-Fi connectivity for Surface devices](surface-wireless-connect.md) ### [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md) ### [Surface Dock Firmware Update](surface-dock-firmware-update.md) @@ -51,16 +51,18 @@ ### [Surface Brightness Control](microsoft-surface-brightness-control.md) ### [Surface Asset Tag](assettag.md) - ## Secure + ### [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md) ### [Manage Surface UEFI settings](manage-surface-uefi-settings.md) ### [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md) ### [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) ### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md) ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) +### [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md) ### [Use Microsoft Endpoint Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) ### [Surface Data Eraser](microsoft-surface-data-eraser.md) +### [Surface DMA Protection](dma-protect.md) ## Troubleshoot ### [Top support solutions for Surface devices](support-solutions-surface.md) diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md index 017f34559f..4abd9e0c86 100644 --- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md +++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md @@ -11,7 +11,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article --- diff --git a/devices/surface/assettag.md b/devices/surface/assettag.md index 296a57b10e..6d9533bb52 100644 --- a/devices/surface/assettag.md +++ b/devices/surface/assettag.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.localizationpriority: medium ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: hachidan manager: laurawi diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index 35be5e736d..b1aed6e997 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md index f68989b045..e8ce13b98d 100644 --- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md +++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md index 70d53dae71..cb492c2620 100644 --- a/devices/surface/customize-the-oobe-for-surface-deployments.md +++ b/devices/surface/customize-the-oobe-for-surface-deployments.md @@ -11,7 +11,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.audience: itpro --- diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md index 121be61007..fc2956ead6 100644 --- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md +++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, store ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md index 47f14939db..bb8e62fb6b 100644 --- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md +++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md index a7220315da..7431a22a8a 100644 --- a/devices/surface/deploy.md +++ b/devices/surface/deploy.md @@ -8,7 +8,7 @@ ms.sitesec: library author: coveminer ms.reviewer: manager: laurawi -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/dma-protect.md b/devices/surface/dma-protect.md new file mode 100644 index 0000000000..93909724b7 --- /dev/null +++ b/devices/surface/dma-protect.md @@ -0,0 +1,22 @@ +--- +title: Surface DMA Protection +description: This article describes DMA protection on compatible Surface devices +ms.prod: w10 +ms.mktglfcycl: manage +ms.localizationpriority: medium +ms.sitesec: library +author: coveminer +ms.author: greglin +ms.topic: article +ms.date: 6/10/2020 +ms.reviewer: carlol +manager: laurawi +audience: itpro +--- +# DMA Protection on Surface devices + +Direct Memory Access (DMA) protection is designed to mitigate potential security vulnerabilities associated with using removable SSDs or external storage devices. Newer Surface devices come with DMA Protection enabled by default. These include Surface Pro 7, Surface Laptop 3, and Surface Pro X. To check the presence of DMA protection feature on your device, open System Information (**Start** > **msinfo32.exe**), as shown in the figure below. + + + +If a Surface removable SSD is tampered with, the device will shutoff power. The resulting reboot causes UEFI to wipe memory, to erase any residual data. diff --git a/devices/surface/documentation/surface-system-sku-reference.md b/devices/surface/documentation/surface-system-sku-reference.md index 0d49be965e..0014ad0c25 100644 --- a/devices/surface/documentation/surface-system-sku-reference.md +++ b/devices/surface/documentation/surface-system-sku-reference.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article --- # Surface System SKU Reference @@ -26,6 +26,7 @@ System SKU is a variable (along with System Model and others) stored in System M | Surface Book 2 15inch | Surface Book 2 | Surface_Book_1793 | | Surface Go Consumer | Surface Go | Surface_Go_1824_Consumer | | Surface Go Commercial | Surface Go | Surface_Go_1824_Commercial | +| Surface Go 2 | Surface Go 2 | Surface_Go_2_1927 | | Surface Pro 6 Consumer | Surface Pro 6 | Surface_Pro_6_1796_Consumer | | Surface Pro 6 Commercial | Surface Pro 6 | Surface_Pro_6_1796_Commercial | | Surface Laptop 2 Consumer | Surface Laptop 2 | Surface_Laptop_2_1769_Consumer | diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md index d51a90413e..36f05515f3 100644 --- a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md +++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md @@ -11,7 +11,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article --- diff --git a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md index 18011a1ca5..4f3c602781 100644 --- a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md +++ b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md @@ -97,6 +97,29 @@ To support Surface Laptop 3 with Intel Processor, import the following folders: - SurfaceUpdate\SurfaceSerialHub - SurfaceUpdate\SurfaceHotPlug - SurfaceUpdate\Itouch + +Importing the following folders will enable full keyboard, trackpad, and touch functionality in PE for Surface Laptop 3. + +- IclSerialIOGPIO +- IclSerialIOI2C +- IclSerialIOSPI +- IclSerialIOUART +- itouch +- IclChipset +- IclChipsetLPSS +- IclChipsetNorthpeak +- ManagementEngine +- SurfaceAcpiNotify +- SurfaceBattery +- SurfaceDockIntegration +- SurfaceHidMini +- SurfaceHotPlug +- SurfaceIntegration +- SurfaceSerialHub +- SurfaceService +- SurfaceStorageFwUpdate + + > [!NOTE] > Check the downloaded MSI package to determine the format and directory structure. The directory structure will start with either SurfacePlatformInstaller (older MSI files) or SurfaceUpdate (Newer MSI files) depending on when the MSI was released. diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md index 56282326a4..6eb848da41 100644 --- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md +++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md index c35dbe0630..a68242b88a 100644 --- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md +++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md @@ -11,7 +11,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.audience: itpro --- @@ -28,7 +28,7 @@ Network deployment to Surface devices can pose some unique challenges for system Before you can address the concerns of how you will boot to your deployment environment or how devices will be recognized by your deployment solution, you have to use a wired network adapter. -The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using Microsoft Endpoint Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. See the [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) section of this article for more information on potential conflicts with shared adapters. +The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using Microsoft Endpoint Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. For more information on potential conflicts with shared adapters, see [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) later in this article. Booting from the network (PXE boot) is only supported when you use an Ethernet adapter or docking station from Microsoft. To boot from the network, the chipset in the Ethernet adapter or dock must be detected and configured as a boot device in the firmware of the Surface device. Microsoft Ethernet adapters, such as the Surface Ethernet Adapter and the [Surface Dock](https://www.microsoft.com/surface/accessories/surface-dock) use a chipset that is compatible with the Surface firmware. @@ -67,7 +67,6 @@ For Windows 10, version 1511 and later – including the Windows Assessment and ## Manage MAC addresses with removable Ethernet adapters - Another consideration for administrators performing Windows deployment over the network is how you will identify computers when you use the same Ethernet adapter to deploy to more than one computer. A common identifier used by deployment technologies is the Media Access Control (MAC) address that is associated with each Ethernet adapter. However, when you use the same Ethernet adapter to deploy to multiple computers, you cannot use a deployment technology that inspects MAC addresses because there is no way to differentiate the MAC address of the removable adapter when used on the different computers. The simplest solution to avoid MAC address conflicts is to provide a dedicated removable Ethernet adapter for each Surface device. This can make sense in many scenarios where the Ethernet adapter or the additional functionality of the docking station will be used regularly. However, not all scenarios call for the additional connectivity of a docking station or support for wired networks. @@ -85,7 +84,7 @@ To access the firmware of a Surface device, follow these steps: When deploying with WDS, the MAC address is only used to identify a computer when the deployment server is configured to respond only to known, pre-staged clients. When pre-staging a client, an administrator creates a computer account in Active Directory and defines that computer by the MAC address or the System UUID. To avoid the identity conflicts caused by shared Ethernet adapters, you should use [System UUID to define pre-staged clients](https://technet.microsoft.com/library/cc742034). Alternatively, you can configure WDS to respond to unknown clients that do not require definition by either MAC address or System UUID by selecting the **Respond to all client computers (known and unknown)** option on the [**PXE Response** tab](https://technet.microsoft.com/library/cc732360) in **Windows Deployment Server Properties**. -The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/) blog post on the Ask Premier Field Engineering (PFE) Platforms TechNet blog. +The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm/ba-p/257374), a blog post on the Core Infrastructure and Security Blog. diff --git a/devices/surface/get-started.yml b/devices/surface/get-started.yml index 9b0bd74d7e..0c309e50b7 100644 --- a/devices/surface/get-started.yml +++ b/devices/surface/get-started.yml @@ -28,20 +28,9 @@ landingContent: url: https://www.microsoft.com/surface/business/surface-go-2 - text: Surface Book 3 for Business url: https://www.microsoft.com/surface/business/surface-book-3 - - text: Surface Pro 7 for Business - url: https://www.microsoft.com/surface/business/surface-pro-7 - - text: Surface Pro X for Business - url: https://www.microsoft.com/surface/business/surface-pro-x - - text: Surface Laptop 3 for Business - url: https://www.microsoft.com/surface/business/surface-laptop-3 - - text: Surface Studio 2 for Business - url: https://www.microsoft.com/surface/business/surface-studio-2 - - - linkListType: video - links: - - text: Microsoft Mechanics Surface videos - url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ - + - text: Explore all Surface family products + url: https://www.microsoft.com/surface/business + # Card (optional) - title: Get started linkLists: @@ -52,78 +41,76 @@ landingContent: - text: Surface Book 3 Quadro RTX 3000 technical overview url: surface-book-quadro.md - text: What’s new in Surface Dock 2 - url: surface-dock-whats-new.md - - text: Surface and Endpoint Configuration Manager considerations - url: considerations-for-surface-and-system-center-configuration-manager.md - - text: Wake On LAN for Surface devices - url: wake-on-lan-for-surface-devices.md - + url: surface-dock-whats-new.md + # Card - title: Deploy Surface devices linkLists: - linkListType: deploy links: - - text: Manage and deploy Surface driver and firmware updates - url: manage-surface-driver-and-firmware-updates.md + - text: Surface Deployment Accelerator tool + url: microsoft-surface-deployment-accelerator.md - text: Autopilot and Surface devices url: windows-autopilot-and-surface-devices.md - - text: Deploying, managing, and servicing Surface Pro X - url: surface-pro-arm-app-management.md - - # Card + - text: Windows Virtual Desktop on Surface + url: windows-virtual-desktop-surface.md + + # Card - title: Manage Surface devices linkLists: - linkListType: how-to-guide links: - - text: Optimize Wi-Fi connectivity for Surface devices - url: surface-wireless-connect.md + - text: Manage and deploy Surface driver and firmware updates + url: manage-surface-driver-and-firmware-updates.md - text: Best practice power settings for Surface devices url: maintain-optimal-power-settings-on-Surface-devices.md - - text: Manage battery limit with UEFI - url: battery-limit.md + - text: Optimize Wi-Fi connectivity for Surface devices + url: surface-wireless-connect.md # Card - - title: Secure Surface devices + - title: Explore security guidance linkLists: - linkListType: how-to-guide links: + - text: Secure Surface Dock 2 ports with Surface Enterprise Management Mode (SEMM) + url: secure-surface-dock-ports-semm.md - text: Intune management of Surface UEFI settings url: surface-manage-dfci-guide.md - - text: Surface Enterprise Management Mode (SEMM) - url: surface-enterprise-management-mode.md - text: Surface Data Eraser tool url: microsoft-surface-data-eraser.md - - # Card + + # Card - title: Discover Surface tools linkLists: - linkListType: how-to-guide links: - - text: Surface Dock Firmware Update - url: surface-dock-firmware-update.md - text: Surface Diagnostic Toolkit for Business url: surface-diagnostic-toolkit-for-business-intro.md - text: SEMM and UEFI url: surface-enterprise-management-mode.md - - text: Surface Brightness Control - url: microsoft-surface-brightness-control.md - text: Battery Limit setting url: battery-limit.md - # Card - - title: Support and community + # Card + - title: Browse support solutions linkLists: - linkListType: learn links: - text: Top support solutions url: support-solutions-surface.md - - text: Maximize your Surface battery life - url: https://support.microsoft.com/help/4483194/maximize-surface-battery-life + - text: Protecting your data during Surface repair or service + url: https://support.microsoft.com/help/4023508/surface-faq-protecting-your-data-service - text: Troubleshoot Surface Dock and docking stations url: https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations - - linkListType: reference + +# Card + - title: Participate in Surface Community + linkLists: + - linkListType: learn links: - text: Surface IT Pro blog url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro - text: Surface Devices Tech Community url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices + - text: Microsoft Mechanics Surface videos + url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ diff --git a/devices/surface/images/manage-surface-driver-updates-1.png b/devices/surface/images/manage-surface-driver-updates-1.png new file mode 100644 index 0000000000..58cec90ea0 Binary files /dev/null and b/devices/surface/images/manage-surface-driver-updates-1.png differ diff --git a/devices/surface/images/manage-surface-driver-updates-2.png b/devices/surface/images/manage-surface-driver-updates-2.png new file mode 100644 index 0000000000..26bcfcda74 Binary files /dev/null and b/devices/surface/images/manage-surface-driver-updates-2.png differ diff --git a/devices/surface/images/manage-surface-driver-updates-3.png b/devices/surface/images/manage-surface-driver-updates-3.png new file mode 100644 index 0000000000..e1dafd7f15 Binary files /dev/null and b/devices/surface/images/manage-surface-driver-updates-3.png differ diff --git a/devices/surface/images/manage-surface-driver-updates-4.png b/devices/surface/images/manage-surface-driver-updates-4.png new file mode 100644 index 0000000000..5e6e4cafb4 Binary files /dev/null and b/devices/surface/images/manage-surface-driver-updates-4.png differ diff --git a/devices/surface/images/secure-surface-dock-ports-semm-1.png b/devices/surface/images/secure-surface-dock-ports-semm-1.png new file mode 100644 index 0000000000..d1eeafaf12 Binary files /dev/null and b/devices/surface/images/secure-surface-dock-ports-semm-1.png differ diff --git a/devices/surface/images/secure-surface-dock-ports-semm-2.png b/devices/surface/images/secure-surface-dock-ports-semm-2.png new file mode 100644 index 0000000000..db8de73dbf Binary files /dev/null and b/devices/surface/images/secure-surface-dock-ports-semm-2.png differ diff --git a/devices/surface/images/secure-surface-dock-ports-semm-3.png b/devices/surface/images/secure-surface-dock-ports-semm-3.png new file mode 100644 index 0000000000..c9cf60aad3 Binary files /dev/null and b/devices/surface/images/secure-surface-dock-ports-semm-3.png differ diff --git a/devices/surface/images/secure-surface-dock-ports-semm-4.png b/devices/surface/images/secure-surface-dock-ports-semm-4.png new file mode 100644 index 0000000000..0b19c52652 Binary files /dev/null and b/devices/surface/images/secure-surface-dock-ports-semm-4.png differ diff --git a/devices/surface/images/secure-surface-dock-ports-semm-5.png b/devices/surface/images/secure-surface-dock-ports-semm-5.png new file mode 100644 index 0000000000..0d4c7df937 Binary files /dev/null and b/devices/surface/images/secure-surface-dock-ports-semm-5.png differ diff --git a/devices/surface/images/secure-surface-dock-ports-semm-6.png b/devices/surface/images/secure-surface-dock-ports-semm-6.png new file mode 100644 index 0000000000..c5f6c3ca1f Binary files /dev/null and b/devices/surface/images/secure-surface-dock-ports-semm-6.png differ diff --git a/devices/surface/images/systeminfodma.png b/devices/surface/images/systeminfodma.png new file mode 100644 index 0000000000..46c86e9dd6 Binary files /dev/null and b/devices/surface/images/systeminfodma.png differ diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md index c250085467..17e6d48fb1 100644 --- a/devices/surface/ltsb-for-surface.md +++ b/devices/surface/ltsb-for-surface.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: manager: laurawi diff --git a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md index 36197ca93f..e7c739be75 100644 --- a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md +++ b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: manager: laurawi diff --git a/devices/surface/manage-surface-driver-and-firmware-updates.md b/devices/surface/manage-surface-driver-and-firmware-updates.md index 75ccff3070..39fccb3ec4 100644 --- a/devices/surface/manage-surface-driver-and-firmware-updates.md +++ b/devices/surface/manage-surface-driver-and-firmware-updates.md @@ -11,18 +11,18 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.audience: itpro --- # Manage and deploy Surface driver and firmware updates - + How you manage Surface driver and firmware updates varies depending on your environment and organizational requirements. On Surface devices, firmware is exposed to the operating system as a driver and is visible in Device Manager, enabling device firmware and drivers to be automatically updated using Windows Update or Windows Update for Business. Although this simplified approach may be feasible for startups and small or medium-sized businesses, larger organizations typically need IT admins to distribute updates internally. This may involve comprehensive planning, application compatibility testing, piloting and validating updates, before final approval and distribution across the network. > [!NOTE] > This article is intended for technical support agents and IT professionals and applies to Surface devices only. If you're looking for help to install Surface updates or firmware on a home device, see [Update Surface firmware and Windows 10](https://support.microsoft.com/help/4023505). - + While enterprise-grade software distribution solutions continue to evolve, the business rationale for centrally managing updates remains the same: Maintain the security of Surface devices and keep them updated with the latest operating system and feature improvements. This is essential for sustaining a stable production environment and ensuring users aren't blocked from being productive. This article provides an overview of recommended tools and processes for larger organizations to accomplish these goals. ## Central update management in commercial environments @@ -32,18 +32,17 @@ Microsoft has streamlined tools for managing devices – including driver and fi ### Manage updates with Configuration Manager and Intune Microsoft Endpoint Configuration Manager allows you to synchronize and deploy Surface firmware and driver updates with the Configuration Manager client. Integration with Microsoft Intune lets you see all your managed, co-managed, and partner-managed devices in one place. This is the recommended solution for large organizations to manage Surface updates. - + For detailed steps, see the following resources: -- [How to manage Surface driver updates in Configuration Manager.](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager) -- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). +- [How to manage Surface driver updates in Configuration Manager](https://docs.microsoft.com/surface/manage-surface-driver-updates-configuration-manager) +- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications) - [Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/) - ### Manage updates with Microsoft Deployment Toolkit Included in Endpoint Configuration Manager, the Microsoft Deployment Toolkit (MDT) contains optional deployment tools that you may wish to use depending on your environment. These include the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), and User State Migration Tool (USMT). You can download the latest version of MDT from the [Microsoft Deployment Toolkit download page](https://www.microsoft.com/download/details.aspx?id=54259). - + For detailed steps, see the following resources: - [Microsoft Deployment Toolkit documentation](https://docs.microsoft.com/configmgr/mdt/) @@ -54,7 +53,6 @@ Surface driver and firmware updates are packaged as Windows Installer (*.msi) fi For instructions on how to deploy updates by using Endpoint Configuration Manager refer to [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). For instructions on how to deploy updates by using MDT, see [Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt). - **WindowsPE and Surface firmware and drivers** Endpoint Configuration Manager and MDT both use the Windows Preinstallation Environment (WindowsPE) during the deployment process. WindowsPE only supports a limited set of basic drivers such as those for network adapters and storage controllers. Drivers for Windows components that are not part of WindowsPE might produce errors. As a best practice, you can prevent such errors by configuring the deployment process to use only the required drivers during the WindowsPE phase. @@ -65,13 +63,12 @@ Starting in Endpoint Configuration Manager, you can synchronize and deploy Micro ## Supported devices -Downloadable .msi files are available for Surface devices from Surface Pro 2 and later. Information about .msi files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release. - +Downloadable .msi files are available for Surface devices from Surface Pro 2 and later. Information about .msi files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release. ## Managing firmware with DFCI With Device Firmware Configuration Interface (DFCI) profiles built into Intune (now available in [public preview](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows)), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future. For more information, see: - + - [Intune management of Surface UEFI settings](https://docs.microsoft.com/surface/surface-manage-dfci-guide) - [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333). @@ -93,7 +90,6 @@ Specific versions of Windows 10 have separate .msi files, each containing all re - Management engine (ME) - Unified extensible firmware interface (UEFI) - ### Downloading .msi files 1. Browse to [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware) on the Microsoft Download Center. @@ -102,8 +98,7 @@ Specific versions of Windows 10 have separate .msi files, each containing all re  *Figure 1. Downloading Surface updates* - - + ### Surface .msi naming convention Since August 2019, .msi files have used the following naming convention: @@ -120,14 +115,15 @@ This file name provides the following information: - **Windows release:** Win10 - **Build:** 18362 - **Version:** 19.073.44195 – This shows the date and time that the file was created, as follows: - - **Year:** 19 (2019) - - **Month and week:** 073 (third week of July) - - **Minute of the month:** 44195 + - **Year:** 19 (2019) + - **Month and week:** 073 (third week of July) + - **Minute of the month:** 44195 - **Revision of version:** 0 (first release of this version) ### Legacy Surface .msi naming convention + Legacy .msi files (files built before August 2019) followed the same overall naming formula but used a different method to derive the version number. - **** + **Example** - SurfacePro6_Win10_16299_1900307_0.msi @@ -138,18 +134,16 @@ This file name provides the following information: - **Windows release:** Win10 - **Build:** 16299 - **Version:** 1900307 – This shows the date that the file was created and its position in the release sequence, as follows: - - **Year:** 19 (2019) - - **Number of release:** 003 (third release of the year) - - **Product version number:** 07 (Surface Pro 6 is officially the seventh version of Surface Pro) + - **Year:** 19 (2019) + - **Number of release:** 003 (third release of the year) + - **Product version number:** 07 (Surface Pro 6 is officially the seventh version of Surface Pro) - **Revision of version:** 0 (first release of this version) - - ## Learn more - [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware) -- [How to manage Surface driver updates in Configuration Manager.](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager) -- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). +- [How to manage Surface driver updates in Configuration Manager](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager) +- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications) - [Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/) - [Microsoft Deployment Toolkit documentation](https://docs.microsoft.com/configmgr/mdt/) - [Deploy Windows 10 with the Microsoft Deployment Toolkit](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit) @@ -157,4 +151,3 @@ This file name provides the following information: - [Intune management of Surface UEFI settings](https://docs.microsoft.com/surface/surface-manage-dfci-guide) - [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333). - [Build deployment rings for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) - diff --git a/devices/surface/manage-surface-driver-updates-configuration-manager.md b/devices/surface/manage-surface-driver-updates-configuration-manager.md new file mode 100644 index 0000000000..a6fc726ee7 --- /dev/null +++ b/devices/surface/manage-surface-driver-updates-configuration-manager.md @@ -0,0 +1,181 @@ +--- +title: Manage Surface driver updates in Configuration Manager +description: This article describes the available options to manage and deploy firmware and driver updates for Surface devices. +ms.assetid: b64879c4-37eb-4fcf-a000-e05cbb3d26ea +ms.reviewer: +author: v-miegge +manager: laurawi +keywords: Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB +ms.localizationpriority: medium +ms.prod: w10 +ms.mktglfcycl: manage +ms.pagetype: surface, devices +ms.sitesec: library +author: coveminer +ms.author: daclark +ms.topic: article +audience: itpro +--- + +# Manage Surface driver updates in Configuration Manager + +## Summary + +Starting in [Microsoft System Center Configuration Manager version 1710](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1710#software-updates), you can synchronize and deploy Microsoft Surface firmware and driver updates directly through the Configuration Manager client. The process resembles deploying regular updates. However, some additional configurations are required to get the Surface driver updates into your catalog. + +## Prerequisites + +To manage Surface driver updates, the following prerequisites must be met: + +- You must use Configuration Manager version 1710 or a later version. +- All Software Update Points (SUPs) must run Windows Server 2016 or a later version. Otherwise, Configuration Manager ignores this setting and Surface drivers won't be synchronized. + +> [!NOTE] +> If your environment doesn’t meet the prerequisites, refer to the [alternative methods](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager#1) to deploy Surface driver and firmware updates in the [FAQ](#frequently-asked-questions-faq) section. + +## Useful log files + +The following logs are especially useful when you manage Surface driver updates. + +|Log name|Description| +|---|---| +|WCM.log|Records details about the software update point configuration and connections to the WSUS server for subscribed update categories, classifications, and languages.| +|WsyncMgr.log|Records details about the software updates sync process.| + +These logs are located on the site server that manages the SUP, or on the SUP itself if it's installed directly on a site server. +For a complete list of Configuration Manager logs, see [Log files in System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/log-files). + +## Enabling Surface driver updates management + +To enable Surface driver updates management in Configuration Manager, follow these steps: + +1. In the Configuration Manager console, go to **Administration** > **Overview** > **Site Configuration** > **Sites**. +1. Select the site that contains the top-level SUP server for your environment. +1. On the ribbon, select **Configure Site Components**, and then select **Software Update Point**. Or, right-click the site, and then select **Configure Site Components** > **Software Update Point**. +1. On the **Classifications** tab, select the **Include Microsoft Surface drivers and firmware updates** check box. + +  + +1. When you're prompted by the following warning message, select **OK**. + +  + +1. On the Products tab, select the products that you want to update, and then select **OK**. + + Most drivers belong to the following product groups: + + - Windows 10 and later version drivers + - Windows 10 and later Upgrade & Servicing Drivers + - Windows 10 Anniversary Update and Later Servicing Drivers + - Windows 10 Anniversary Update and Later Upgrade & Servicing Drivers + - Windows 10 Creators Update and Later Servicing Drivers + - Windows 10 Creators Update and Later Upgrade & Servicing Drivers + - Windows 10 Fall Creators Update and Later Servicing Drivers + - Windows 10 Fall Creators Update and Later Upgrade & Servicing Drivers + - Windows 10 S and Later Servicing Drivers + - Windows 10 S Version 1709 and Later Servicing Drivers for testing + - Windows 10 S Version 1709 and Later Upgrade & Servicing Drivers for testing + + > [!NOTE] + > Most Surface drivers belong to multiple Windows 10 product groups. You may not have to select all the products that are listed here. To help reduce the number of products that populate your Update Catalog, we recommend that you select only the products that are required by your environment for synchronization. + +## Verifying the configuration + +To verify that the SUP is configured correctly, follow these steps: + +1. Open WsyncMgr.log, and then look for the following entry: + + ```console + Surface Drivers can be supported in this hierarchy since all SUPs are on Windows Server 2016, WCM SCF property Sync Catalog Drivers is set. + + Sync Catalog Drivers SCF value is set to : 1 + ``` + + If either of the following entries is logged in WsyncMgr.log, recheck step 4 in the previous section: + + ```console + Sync Surface Drivers option is not set + + Sync Catalog Drivers SCF value is set to : 0 + ``` + +1. Open WCM.log, and then look for an entry that resembles the following: + +  + + This entry is an XML element that lists every product group and classification that's currently synchronized by your SUP server. For example, you might see an entry that resembles the following: + + ```xml +- SHA 256 Key Usage:
CERT_DIGITAL_SIGNATURE_KEY_USAGE
- CERT_KEY_CERT_SIGN_KEY_USAGE
CERT_CRL_SIGN_KEY_USAGE|30 years|N/A +|Dock Certificate Authority|ECC P256 curve|- Host certificate with 256-bit elliptic-curve cryptography (ECC)
- SHA 256 Key Usage:
CERT_KEY_CERT_SIGN_KEY_USAGE
- Path Length Constraint = 0|20 years|1.3.6.1.4.1.311.76.9.21.2
1.3.6.1.4.1.311.76.9.21.3| + + >[!NOTE] + >The dock CA must be exported as a .p7b file. + +### Provisioning Administration Certificate requirements + +Each host device must have the doc CA and two certificates as shown in Table 2. + +#### Table 2. Provisioning administration certificate requirements + +|Certificate|Algorithm|Description|EKU OID| +|---|---|---|---| +|Host authentication certificate|ECC P256
SHA 256|Proves the identity of the host device.|1.3.6.1.4.1.311.76.9.21.2| +|Provisioning administration certificate|ECC P256
SHA256|Enables you to change dock ownership and/or policy settings by allowing you to replace the CA that's currently installed on the dock.|1.3.6.1.4.1.311.76.9.21.3
1.3.6.1.4.1.311.76.9.21.4| + + >[!NOTE] + >The host authentication and provisioning certificates must be exported as .pfx files. + +### Create configuration package + +When you have obtained or created the certificates, you’re ready to build the MSI configuration package that will be applied to target Surface devices. + +1. Run Surface **UEFI Configurator**. + +  + +1. Select **Surface Dock**. + +  + +1. On the certificate page, enter the appropriate **certificates**. + +  + +1. Add appropriate dock RNs to the list. + + >[!NOTE] + >When creating a configuration package for multiple Surface Dock 2 devices, instead of entering each RN manually, you can use a .csv file that contains a list of RNs. + +1. Specify your policy settings for USB data, Ethernet, and Audio ports. UEFI Configurator lets you configure policy settings for authenticated users (Authenticated Policy) and unauthenticated users (Unauthenticated Policy). The following figure shows port access turned on for authenticated users and turned off for unauthenticated users. + +  + + - Authenticated user refers to a Surface Device that has the appropriate certificates installed, as configured in the .MSI configuration package that you applied to target devices. It applies to any user authenticated user who signs into the device. + - Unauthenticated user refers to any other device. + - Select **Reset** to create a special “Reset” package that will remove any previous configuration package that the dock had accepted. + +1. Select **Build** to create the package as specified. + +### Apply the configuration package to a Surface Dock 2 + +1. Take the MSI file that the Surface UEFI Configurator generated and install it on a Surface host device. Compatible host devices are Surface Book 3, Surface Laptop 3, or Surface Pro 7. +1. Connect the host device to the Surface Dock 2. When you connect the dock UEFI policy settings are applied. + +## Verify managed state using the Surface App + +Once you have applied the configuration package, you can quickly verify the resultant policy state of the dock directly from the Surface App, installed by default on all Surface devices. If Surface App isn't present on the device, you can download and install it from the Microsoft Store. + +### Test scenario + +Objective: Configure policy settings to allow port access by authenticated users only. + +1. Turn on all ports for authenticated users and turn them off for unauthenticated users. + +  + +1. Apply the configuration package to your target device and then connect Surface Dock 2. + +1. Open **Surface App** and select **Surface Dock** to view the resultant policy state of your Surface Dock. If the policy settings are applied, Surface App will indicate that ports are available. + +  + +1. Now you need to verify that the policy settings have successfully turned off all ports for unauthenticated users. Connect Surface Dock 2 to an unmanaged device, i.e., any Surface device outside the scope of management for the configuration package you created. + +1. Open **Surface App** and select **Surface Dock**. The resultant policy state will indicate ports are turned off. + +  + +>[!NOTE] +>If you want to keep ownership of the device, but allow all users full access, you can make a new package with everything turned on. If you wish to completely remove the restrictions and ownership of the device (make it unmanaged), select **Reset** in Surface UEFI Configurator to create a package to apply to target devices. + +Congratulations. You have successfully managed Surface Dock 2 ports on targeted host devices. + +## Learn more + +- [Surface Enterprise Management Mode (SEMM) documentation](https://docs.microsoft.com/surface/surface-enterprise-management-mode) +- [Certificate Services Architecture](https://docs.microsoft.com/windows/win32/seccrypto/certificate-services-architecture) +- [Windows Server 2019 Inside Out](https://www.microsoftpressstore.com/store/windows-server-2019-inside-out-9780135492277) +- [Windows Server 2008 PKI and Certificate Security](https://www.microsoftpressstore.com/store/windows-server-2008-pki-and-certificate-security-9780735640788) diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md deleted file mode 100644 index e10b8209c9..0000000000 --- a/devices/surface/step-by-step-surface-deployment-accelerator.md +++ /dev/null @@ -1,410 +0,0 @@ ---- -title: Step by step Surface Deployment Accelerator (Surface) -description: This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices. -ms.assetid: A944FB9C-4D81-4868-AFF6-B9D1F5CF1032 -ms.reviewer: -manager: laurawi -ms.localizationpriority: medium -keywords: deploy, configure -ms.prod: w10 -ms.mktglfcycl: deploy -ms.pagetype: surface, devices -ms.sitesec: library -author: coveminer -ms.author: v-jokai -ms.topic: article -ms.date: 10/31/2019 ---- - -# Step by step: Surface Deployment Accelerator - -This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices. This article also contains instructions on how to perform these tasks without an Internet connection or without support for Windows Deployment Services network boot (PXE). - -> [!NOTE] -> SDA is not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md). - -## How to install Surface Deployment Accelerator - -For information about prerequisites and instructions for how to download and install SDA, see [Microsoft Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md). - -1. Download SDA, which is included in [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) on the Microsoft Download Center. - -2. Run the SDA installation file, named **Surface\_Deployment\_Accelerator\_*xxxx*.msi**, where *xxxx* is the current version number. - -3. Accept the End User License Agreement (EULA) by selecting the check box, and then click **Install**, as shown in Figure 1. - -  - - *Figure 1. SDA setup* - -4. Click **Finish** to complete the installation of SDA. - -The tool installs in the SDA program group, as shown in Figure 2. - - - -*Figure 2. The SDA program group and icon* - ->[!NOTE] ->At this point, the tool has not yet prepared any deployment environment or downloaded any materials from the Internet. - -## Create a deployment share - -The following steps show you how to create a deployment share for Windows 10 that supports Surface 3, Surface Pro 3, Surface Pro 4, Surface Book, the Surface Firmware Tool, the Surface Asset Tag Tool, and Office 365. As you follow the steps below, make the selections that are applicable for your organization. For example, you could choose to deploy Windows 10 to Surface Book only, without any of the Surface apps. - ->[!NOTE] ->SDA lets you create deployment shares for both Windows 8.1 and Windows 10 deployments, but you can only create a single deployment share at a time. Therefore, to create both Windows 8.1 and Windows 10 deployment shares, you will need to run the tool twice. - -1. Open the SDA wizard by double-clicking the icon in the **Surface Deployment Accelerator** program group on the Start screen. - -2. On the **Welcome** page, click **Next** to continue. - -3. On the **Verify System** page, the SDA wizard verifies the prerequisites required for an SDA deployment share. This process also checks for the presence of the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10 and the Microsoft Deployment Toolkit (MDT) 2013 Update 2. If these tools are not detected, they are downloaded and installed automatically. Click **Next** to continue. - - >[!NOTE] - >As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows: - > * Deployment tools - > * User State Migration Tool (USMT) - > * Windows Preinstallation Environment (WinPE) - - > [!NOTE] - > As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1. - -4. On the **Windows 8.1** page, to create a Windows 10 deployment share, do not select the **Would you like to support Windows 8.1** check box. Click **Next** to continue. - -5. On the **Windows 10** page, to create a Windows 10 deployment share, select the **Would you like to support Windows 10** check box. Supply the following information before you click **Next** to continue: - - - **Configure Deployment Share for Windows 10** - - - **Local Path** – Specify or browse to a location on the local storage device where you would like to store the deployment share files for the Windows 10 SDA deployment share. For example, **E:\\SDAWin10\\** is the location specified in Figure 3. - - - **Share Name** – Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**. - - - **Windows 10 Deployment Services** - - - Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot. - - - **Windows 10 Source Files** - - - **Local Path** – Specify or browse to the root directory of Windows 10 installation files. If you have an ISO file, mount it and browse to the root of the mounted drive. You must have a full set of source files, not just **Install.wim**. - -  - - *Figure 3. Specify Windows 10 deployment share options* - -6. On the **Configure** page, select the check box next to each device or app that you want to include in your deployment share. Note that Surface Pro 4 and Surface Book only support Windows 10 and are not available for the deployment of Windows 8.1. The Surface Firmware Tool is only applicable to Surface 3 and Surface Pro 3 and cannot be selected unless Surface 3 or Surface Pro 3 drivers are selected, as shown in Figure 4. Click **Next** to continue. - -  - - *Figure 4. Selecting Surface Firmware Tool requires Surface Pro 3 drivers* - - >[!NOTE] - >You cannot select both Surface 3 and Surface 3 LTE models at the same time. - -7. On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes: - - - Download of Windows ADK - - - Installation of Windows ADK - - - Download of MDT - - - Installation of MDT - - - Download of Surface apps and drivers - - - Creation of the deployment share - - - Import of Windows installation files into the deployment share - - - Import of the apps and drivers into the deployment share - - - Creation of rules and task sequences for Windows deployment - -  - - *Figure 5. The Installation Progress window* - - ### Optional: Workaround for Webclient exception - - You may see this error message while installing the latest version of ADK or MDT: _An exception occurred during a WebClient request._ This is due to incompatibility between the Surface Deployment Accelerator (SDA) and Background Intelligent Transfer Service (BITS). To work around this issue, do the following. - - In the two PowerShell scripts: - - ```PowerShell - %ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\Install-MDT.ps1 - %ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\INSTALL-WindowsADK.ps1 - ``` - - Edit the $BITSTransfer variable in the input parameters to $False as shown below: - - ```PowerShell - Param( - [Parameter( - Position=0, - Mandatory=$False, - HelpMessage="Download via BITS bool true/false" - )] - [string]$BITSTransfer = $False - ) - ``` - -8. When the SDA process completes the creation of your deployment share, a **Success** window is displayed. Click **Finish** to close the window. At this point your deployment share is now ready to perform a Windows deployment to Surface devices. - - ### Optional: Create a deployment share without an Internet connection - - If you are unable to connect to the Internet with your deployment server, or if you want to download the Surface drivers and apps separately, you can specify a local source for the driver and app files at the time of deployment share creation. On the **Configure** page of the SDA wizard, select the **Copy from a Local Directory** check box, as shown in Figure 6. The **Download from the Internet** check box will be automatically deselected. Enter the folder location where you have placed the driver and app files in the **Local Path** field, as shown in Figure 6. - - >[!NOTE] - >All of the downloaded driver and applications files must be located in the same folder. If a required driver or application file is missing from the selected folder when you click **Next**, a warning is displayed and the wizard will not proceed to the next step. - - >[!NOTE] - >The driver and app files do not need to be extracted from the downloaded .zip files. - - >[!NOTE] - >Including Office 365 in your deployment share requires an Internet connection and cannot be performed if you use local files. - -  - - *Figure 6. Specify the Surface driver and app files from a local path* - - >[!NOTE] - >The **Copy from a Local Directory** check box is only available in SDA version 1.90.0221 or later. - - ### Optional: Prepare offline USB media - - You can use USB media to perform an SDA deployment if your Surface device is unable to boot from the network. For example, if you do not have a Microsoft Surface Ethernet Adapter or Microsoft Surface dock to facilitate network boot (PXE boot). The USB drive produced by following these steps includes a complete copy of the SDA deployment share and can be run on a Surface device without a network connection. - - >[!NOTE] - >The offline media files for the complete SDA deployment share are approximately 9 GB in size. Your USB drive must be at least 9 GB in size. A 16 GB USB drive is recommended. - - Before you can create bootable media files within the MDT Deployment Workbench or copy those files to a USB drive, you must first configure that USB drive to be bootable. Using [DiskPart](https://go.microsoft.com/fwlink/p/?LinkId=761073), create a partition, format the partition as FAT32, and set the partition to be active. To run DiskPart, open an administrative PowerShell or Command Prompt window, and then run the following sequence of commands, as shown in Figure 7: - - 1. **diskpart** – Opens DiskPart to manage disks and partitions. - - 2. **list disk** – Displays a list of the disks available in your system; use this list to identify the disk number that corresponds with your USB drive. - - 3. **sel disk 2** – Selects your USB drive; use the number that corresponds with the disk in your system. - - 4. **clean** – Removes all configuration from your USB drive. - - >[!WARNING] - >This step will remove all information from your drive. Verify that your USB drive does not contain any needed data before you perform the **clean** command. - - 5. **create part pri** – Creates a primary partition on the USB drive. - - 6. **format fs=fat32 quick** – Formats the partition with the FAT32 file system, performing a quick format. FAT32 is required to boot the device from UEFI systems like Surface devices. - - 7. **assign** – Assigns the next available drive letter to the newly created FAT32 volume. - - 8. **active** – Sets the partition to be active, which is required to boot the volume. - - 9. **exit** – Exits DiskPart, after which you can close the PowerShell or Command Prompt window. - -  - - *Figure 7. Use DiskPart to prepare a USB drive for boot* - - >[!NOTE] - >You can format your USB drive with FAT32 from Disk Management, but you must still use DiskPart to set the partition as active for the drive to boot properly. - - After you have prepared the USB drive for boot, the next step is to generate offline media from the SDA deployment share. To create this media, follow these steps: - - 1. Open the **Deployment Workbench** from the **Microsoft Deployment Toolkit** group on your Start screen. - - 2. Expand the **Deployment Shares** node and the **Microsoft Surface Deployment Accelerator** deployment share. - - 3. Expand the folder **Advanced Configuration** and select the **Media** folder. - -4. Right-click the **Media** folder and click **New Media** as shown in Figure 8 to start the New Media Wizard. - -  - - *Figure 8. The Media folder of the SDA deployment share* - - 5. On the **General Settings** page in the **Media path** field, enter or browse to a folder where you will create the files for the new offline media. See the example **E:\\SDAMedia** in Figure 9. Leave the default profile **Everything** selected in the **Selection profile** drop-down menu, and then click **Next**. - -  - - *Figure 9. Specify a location and selection profile for your offline media* - - 6. On the **Summary** page verify your selections, and then click **Next** to begin creation of the media. - - 7. A **Progress** page is displayed while the media is created. - - 8. On the **Confirmation** page, click **Finish** to complete creation of the media. - - 9. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click **Properties**, and then click the **Rules** tab as shown in Figure 10. - -  - - *Figure 10. Rules of the SDA deployment share* - - 10. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press **Ctrl+C** to copy the text. - - 11. Click **OK** to close the **Microsoft Surface Deployment Accelerator** deployment share properties. - - 12. Right-click the newly created **MEDIA001** item in the **Media** folder, click **Properties**, and then click the **Rules** tab. - - 13. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press **Ctrl+V** to paste the text you copied from the **Microsoft Surface Deployment Accelerator** deployment share rules. - - 14. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click **Properties**, and then click the **Rules** tab again. Click the **Bootstrap.ini** button to open Bootstrap.ini in Notepad. - - 15. Press **Ctrl+A** to select all of the text in the window, and then press **Ctrl+C** to copy the text. - - 16. Close Bootstrap.ini and click **OK** in **Microsoft Surface Deployment Accelerator** deployment share properties to close the window. - - 17. Right-click the newly created **MEDIA001** item in the **Media** folder, click **Properties**, and then click the **Rules** tab again. Click the **Bootstrap.ini** button to open Bootstrap.ini in Notepad. - - 18. Press **Ctrl+A** to select all of the text in the window, then press **Ctrl+V** to paste the text from the SDA deployment share Bootstrap.ini file. - - 19. Delete the following lines from the Bootstrap.ini as shown in Figure 11, and then save the file: - - ```PowerShell - UserID= - UserDomain= - UserPassword= - DeployRoot=\\SDASERVER\SDAWin10 - UserID= - UserDomain= - UserPassword= - ``` - -  - - *Figure 11. The Bootstrap.ini file of MEDIA001* - - 20. Close Bootstrap.ini and click **OK** in **MEDIA001** deployment share properties to close the window. - - 21. In the **Deployment Workbench** under the **Media** folder, right-click the newly created **MEDIA001** and click **Update Media Content**, as shown in Figure 12. This will update the media files with the content of the **Microsoft Surface Deployment Accelerator** deployment share. - -  - - *Figure 12. Select the Update Media Content option* - - 22. The **Update Media Content** window is displayed and shows the progress as the media files are created. When the process completes, click **Finish.** - - The final step is to copy the offline media files to your USB drive. - - 1. In File Explorer, open the path you specified in Step 5, for example **E:\\SDAMedia**. - - 2. Copy all of the files from the Content folder to the root of the USB drive. - - Your USB drive is now configured as bootable offline media that contains all of the resources required to perform a deployment to a Surface device. - -## SDA task sequences - -The SDA deployment share is configured with all of the resources required to perform a Windows deployment to a Surface device. These resources include Windows source files, image, Surface drivers, and Surface apps. The deployment share also contains two pre-configured task sequences, as shown in Figure 13. These task sequences contain the steps required to perform a deployment to a Surface device using the default Windows image from the installation media or to create a reference image complete with Windows updates and applications. To learn more about task sequences, see [MDT 2013 Update 2 Lite Touch components](https://technet.microsoft.com/itpro/windows/deploy/mdt-2013-lite-touch-components). - - - -*Figure 13. Task sequences in the Deployment Workbench* - -### Deploy Microsoft Surface - -The **1 – Deploy Microsoft Surface** task sequence is used to perform a complete deployment of Windows to a Surface device. This task sequence is pre-configured by the SDA wizard and is ready to perform a deployment as soon as the wizard completes. Running this task sequence on a Surface device deploys the unaltered Windows image copied directly from the Windows installation media you specified in the SDA wizard, along with the Surface drivers for your device. The drivers for your Surface device will be automatically selected through the pre-configured deployment share rules. - -When you run the task sequence, you will be prompted to provide the following information: - -- A computer name - -- Your domain information and the credentials required to join the domain - -- A product key, if one is required - - >[!NOTE] - >If you are deploying the same version of Windows as the version that came on your device, no product key is required. - -- A time zone - -- An Administrator password - -The Surface apps you specified on the **Configure** page of the SDA wizard are automatically installed when you run this task sequence on a Surface device. - -### Create Windows reference image - -The **2 – Create Windows Reference Image** task sequence is used to perform a deployment to a virtual machine for the purpose of capturing an image complete with Windows Updates for use in a deployment to Surface devices. By installing Windows Updates in your reference image, you eliminate the need to download and install those updates on each deployed Surface device. The deployment process with an up-to-date image is significantly faster and more efficient than performing a deployment first and then installing Windows Updates on each device. - -Like the **1 – Deploy Microsoft Surface** task sequence, the **2 – Create Windows Reference Image** task sequence performs a deployment of the unaltered Windows image directly from the installation media. Creation of a reference image should always be performed on a virtual machine. Using a virtual machine as your reference system helps to ensure that the resulting image is compatible with different hardware configurations. - ->[!NOTE] ->Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and Microsoft Endpoint Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information, see [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt). - -In addition to the information required by the **1 – Deploy Microsoft Surface** task sequence, you will also be prompted to capture an image when you run this task sequence on your reference virtual machine. The **Location** and **File name** fields are automatically populated with the proper information for your deployment share. All that you need to do is select the **Capture an image of this reference computer** option when you are prompted on the **Capture Image** page of the Windows Deployment Wizard. - -## Deployment to Surface devices - - -To perform a deployment from the SDA deployment share, follow this process on the Surface device: - -1. Boot the Surface device to MDT boot media for the SDA deployment share. You can do this over the network by using PXE boot, or from a USB drive as described in the [Optional: Prepare offline USB media](#optional) section of this article. - -2. Select the deployment share for the version of Windows you intend to deploy and enter your credentials when you are prompted. - -3. Select the task sequence you want to run, usually the **1 – Deploy Microsoft Surface** task sequence. - -4. Address the task sequence prompts to pick applications, supply a password, and so on. - -5. The task sequence performs the automated deployment using the options specified. - -### Boot the Surface device from the network - -To boot the Surface device from the network, the Microsoft Surface Deployment Accelerator wizard must have been run on a Windows Server 2012 R2 or later environment that was configured with the Windows Deployment Services (WDS). WDS must have been configured to respond to network boot (PXE boot) requests and the boot files must have been imported into WDS. The SDA wizard will import these file automatically if the **Import boot media into the local Windows Deployment Service** check box was selected on the page for the version of Windows you intend to deploy. - -To boot the Surface device from the network, you must also use a Microsoft Surface Ethernet Adapter or the Ethernet port on a Microsoft Surface Dock. Third-party Ethernet adapters are not supported for network boot (PXE boot). A keyboard is also required. Both the Microsoft Surface Type Cover and keyboards connected via USB to the device or dock are supported. - -To instruct your Surface device to boot from the network, start with the device powered off and follow these steps: - -1. Press and hold the **Volume Down** button, press and release the **Power** button. Continue holding the **Volume Down** button until the device has begun to boot from the network. - -2. Press **Enter** when prompted by the dialog on the screen. This prompt indicates that your device has found the WDS PXE server over the network. - -3. If you have configured more than one deployment share on this device, you will be prompted to select between the boot images for each deployment share. For example, if you created both a Windows 10 and a Windows 8.1 deployment share, you will be prompted to choose between these two options. - -4. Enter the domain credentials that you use to log on to the server where SDA is installed when you are prompted, as shown in Figure 14. - -  - - *Figure 14. The prompt for credentials to the deployment share* - -5. The Windows Deployment Wizard will start from the deployment share to walk you through the deployment process. - -### Alternatively boot the devices from the USB stick - -To boot a device from the USB stick: - -1. Press and hold the **Volume Down** button, press and release the **Power** button. Continue holding the **Volume Down** button until the device has begun to boot from the USB drive. - -2. The Windows Deployment Wizard will start from the deployment share to walk you through the deployment process. - -### Run the Deploy Microsoft Surface task sequence - -To run the Deploy Microsoft Surface task sequence: - -1. On the **Task Sequence** page, select the **1 – Deploy Microsoft Surface** task sequence as shown in Figure 15, and then click **Next.** - -  - - *Figure 15. Select the 1 – Deploy Microsoft Surface task sequence* - -2. On the **Computer Details** page, type a name for the Surface device in the **Computer Name** box. In the **Join a domain** section, type your domain name and credentials as shown in Figure 16, and then click **Next**. - -  - - *Figure 16. Enter the computer name and domain information* - -3. On the **Product Key** page, keep the **No product key is required** check box selected if you are deploying the same version and edition of Windows to your Surface devices as they came with from the factory. If you are deploying a different version or edition of Windows to the device, such as Windows Enterprise, select the licensing option that is applicable to your scenario. - -4. On the **Locale and Time** page, select your desired **Language Settings** and **Time Zone**, and then click **Next.** - -5. On the **Administrator Password** page, type a password for the local Administrator account on the Surface device, and then click **Next.** - -6. On the **BitLocker** page, select the **Enable BitLocker** option along with your desired configuration of BitLocker protectors if you want to encrypt the device. Otherwise, keep the **Do not enable BitLocker for this computer** check box selected, and then click **Next.** - -7. On the **Ready** page, verify your selections and then click **Begin** to start the automated deployment to this device. The deployment will not require user interaction again. The Windows Deployment Wizard will close and an **Installation Progress** window is displayed to show progress of the task sequence as the image is applied and applications are installed (Figure 17). - -  - - *Figure 17. The Installation Progress window* - -8. When the deployment task sequence completes, a **Success** window is displayed. Click **Finish** to complete the deployment and begin using your Surface device. diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md index ab4c3a46c4..d9f0e6200d 100644 --- a/devices/surface/support-solutions-surface.md +++ b/devices/surface/support-solutions-surface.md @@ -10,7 +10,7 @@ ms.mktglfcycl: support ms.sitesec: library ms.pagetype: surfacehub author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 09/26/2019 ms.localizationpriority: medium diff --git a/devices/surface/surface-book-quadro.md b/devices/surface/surface-book-quadro.md index eaf5870411..c1e6f3bcc2 100644 --- a/devices/surface/surface-book-quadro.md +++ b/devices/surface/surface-book-quadro.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.localizationpriority: medium ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 5/06/2020 ms.reviewer: brrecord @@ -15,29 +15,29 @@ audience: itpro --- # Surface Book 3 Quadro RTX 3000 technical overview - -Surface Book 3 for Business powered by the NVIDIA® Quadro RTX™ 3000 GPU is built for professionals who need real-time rendering, AI acceleration, and advanced graphics and compute performance in a portable form factor. Quadro RTX 3000 fundamentally changes what you can do with the new Surface Book 3: -- **Ray Tracing** - Produce stunning renders, designs and animations faster than ever before with 30 RT Cores for hardware-accelerated ray tracing. +Surface Book 3 for Business powered by the NVIDIA® Quadro RTX™ 3000 GPU is built for professionals who need real-time rendering, AI acceleration, advanced graphics, and compute performance in a portable form factor. Quadro RTX 3000 fundamentally changes what you can do with the new Surface Book 3: + +- **Ray Tracing** - Produce stunning renders, designs and animations faster than ever before with 30 RT Cores for hardware-accelerated ray tracing. - **Artificial Intelligence** - Remove redundant, tedious tasks and compute intensive work with 240 Tensor Cores for GPU-accelerated AI. - **Advanced Graphics and Compute Technology** - Experience remarkable speed and interactivity during your most taxing graphics and compute workloads with 1,920 CUDA Cores and 6GB of GDDR6 memory. ## Enterprise grade solution -Of paramount importance to commercial customers, Quadro RTX 3000 brings a fully professional grade solution that combines accelerated ray tracing and deep learning capabilities with an integrated enterprise level management and support solution. Quadro drivers are tested and certified for more than 100 professional applications by leading ISVs providing an additional layer of quality assurance to validate stability, reliability, and performance. +Of paramount importance to commercial customers, Quadro RTX 3000 brings a fully professional-grade solution that combines accelerated ray tracing and deep learning capabilities with an integrated enterprise level management and support solution. Quadro drivers are tested and certified for more than 100 professional applications by leading ISVs, providing an additional layer of quality assurance to validate stability, reliability, and performance. -Quadro includes dedicated enterprise tools for remote management of Surface Book 3 devices with Quadro RTX 3000. IT admins can remotely configure graphics systems, save/restore configurations, continuously monitor graphics systems and perform remote troubleshooting if necessary. These capabilities along with deployment tools help maximize uptime and minimize IT support requirements. +Quadro includes dedicated enterprise tools for remote management of Surface Book 3 devices with Quadro RTX 3000. IT admins can remotely configure graphics systems, save/restore configurations, continuously monitor graphics systems, and perform remote troubleshooting if necessary. These capabilities along with deployment tools help maximize uptime and minimize IT support requirements. -NVIDIA develops and maintains Quadro Optimal Drivers for Enterprise (ODE) that are tuned, tested, and validated to provide enterprise level stability, reliability, availability, and support with extended product availability. Each driver release involves more than 2,000 man days of testing with professional applications test suites and test cases, as well as WHQL certification. Security threats are continually monitored, and regular security updates are released to protect against newly discovered vulnerabilities. In addition, Quadro drivers undergo an additional layer of testing by Surface engineering prior to release via Windows Update. +NVIDIA develops and maintains Quadro Optimal Drivers for Enterprise (ODE) that are tuned, tested, and validated to provide enterprise level stability, reliability, availability, and support with extended product availability. Each driver release involves more than 2,000 man-days of testing with professional applications test suites and test cases, as well as WHQL certification. Security threats are continually monitored, and regular security updates are released to protect against newly discovered vulnerabilities. In addition, Quadro drivers undergo an additional layer of testing by Surface engineering prior to release via Windows Update. ## Built for compute-intensive workloads -Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, enabling advanced professionals to work from anywhere. +The Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, enabling advanced professionals to work from anywhere. - **Creative professionals such as designers and animators.** Quadro RTX enables real-time cinematic-quality rendering through Turing-optimized ray tracing APIs such as NVIDIA OptiX, Microsoft DXR, and Vulkan. - **Architects and engineers using large, complex computer aided design (CAD) models and assemblies.** The RTX platform features the new NGX SDK to infuse powerful AI-enhanced capabilities into visual applications. This frees up time and resources through intelligent manipulation of images, automation of repetitive tasks, and optimization of compute-intensive processes. -- **Software developers across manufacturing, media & entertainment, medical, and other industries.** Quadro RTX speeds application development with ray tracing, deep learning, and rasterization capabilities through industry-leading software SDKs and APIs. +- **Software developers across manufacturing, media and entertainment, medical, and other industries.** Quadro RTX speeds application development with ray tracing, deep learning, and rasterization capabilities through industry-leading software SDKs and APIs. - **Data scientists using Tensor Cores and CUDA cores to accelerate computationally intensive tasks and other deep learning operations.** By using sensors, increased connectivity, and deep learning, researchers and developers can enable AI applications for everything from autonomous vehicles to scientific research. @@ -45,14 +45,14 @@ Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of an | **Component** | **Description** | | --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| RT cores | Dedicated hardware-based ray-tracing technology allows the GPU to render film quality, photorealistic objects and environments with physically accurate shadows, reflections, and refractions. The real-time ray-tracing engine works with NVIDIA OptiX, Microsoft DXR, and Vulkan APIs to deliver a level of realism far beyond what is possible using traditional rendering techniques. RT cores accelerate the Bounding Volume Hierarchy (BVH) traversal and ray casting functions using low number of rays casted through a pixel. | -| Enhanced tensor cores | Mixed-precision cores purpose-built for deep learning matrix arithmetic, deliver 8x TFLOPS for training compared with previous generation. Quadro RTX 3000 utilizes 240 Tensor Cores; each Tensor Core performs 64 floating point fused multiply-add (FMA) operations per clock, and each streaming multiprocessor (SM) performs a total of 1,024 individual floating-point operations per clock. In addition to supporting FP16/FP32 matrix operations, new Tensor Cores added INT8 (2,048 integer operations per clock) and experimental INT4 and INT1 (binary) precision modes for matrix operations. | +| RT cores | Dedicated hardware-based ray-tracing technology allows the GPU to render film quality, photorealistic objects and environments with physically accurate shadows, reflections, and refractions. The real-time ray-tracing engine works with NVIDIA OptiX, Microsoft DXR, and Vulkan APIs to deliver a level of realism far beyond what is possible using traditional rendering techniques. RT cores accelerate the Bounding Volume Hierarchy (BVH) traversal and ray casting functions using low number of rays casted through a pixel. | +| Enhanced tensor cores | Mixed-precision cores purpose-built for deep learning matrix arithmetic, deliver 8x TFLOPS for training compared with previous generation. Quadro RTX 3000 utilizes 240 Tensor Cores; each Tensor Core performs 64 floating point fused multiply-add (FMA) operations per clock, and each streaming multiprocessor (SM) performs a total of 1,024 individual floating-point operations per clock. In addition to supporting FP16/FP32 matrix operations, new Tensor Cores added INT8 (2,048 integer operations per clock) and experimental INT4 and INT1 (binary) precision modes for matrix operations. | | Turing optimized software | Deep learning frameworks such as the Microsoft Cognitive Toolkit (CNTK), Caffe2, MXNet, TensorFlow, and others deliver significantly faster training times and higher multi-node training performance. GPU accelerated libraries such as cuDNN, cuBLAS, and TensorRT deliver higher performance for both deep learning inference and High-Performance Computing (HPC) applications. | | NVIDIA CUDA parallel computing platform | Natively execute standard programming languages like C/C++ and Fortran, and APIs such as OpenCL, OpenACC and Direct Compute to accelerate techniques such as ray tracing, video and image processing, and computation fluid dynamics. | -| Advanced streaming multiprocessor (SM) architecture | Combined shared memory and L1 cache improve performance significantly, while simplifying programming and reducing the tuning required to attain best application performance. | -| High performance GDDR6 Memory | Quadro RTX 3000 features 6GB of frame buffer making it the ideal platform for handling large datasets and latency-sensitive applications. | +| Advanced streaming multiprocessor (SM) architecture | Combined shared memory and L1 cache improve performance significantly, while simplifying programming and reducing the tuning required to attain the best application performance. | +| High performance GDDR6 Memory | Quadro RTX 3000 features 6GB of frame buffer, making it the ideal platform for handling large datasets and latency-sensitive applications. | | Single instruction, multiple thread (SIMT) | New independent thread scheduling capability enables finer-grain synchronization and cooperation between parallel threads by sharing resources among small jobs. | -| Mixed-precision computing | 16-bit floating-point precision computing enables the training and deployment of larger neural networks. With independent parallel integer and floating-point data paths, the Turing SM handles workloads more efficiently using a mix of computation and addressing calculations. | +| Mixed-precision computing | 16-bit floating-point precision computing enables the training and deployment of larger neural networks. With independent parallel integer and floating-point data paths, the Turing SM handles workloads more efficiently using a mix of computation and addressing calculations. | | Dynamic load balancing | Provides dynamic allocation capabilities of GPU resources for graphics and compute tasks as needed to maximize resource utilization. | | Compute preemption | Preemption at the instruction-level provides finer grain control over compute tasks to prevent long-running applications from either monopolizing system resources or timing out. | | H.264, H.265 and HEVC encode/decode engines | Enables faster than real-time performance for transcoding, video editing, and other encoding applications with two dedicated H.264 and HEVC encode engines and a dedicated decode engine that are independent of 3D/compute pipeline. | @@ -86,7 +86,7 @@ Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of an ## App acceleration -The following table shows how Quadro RTX 3000 provides significantly faster acceleration across leading professional applications. It includes SPECview perf 13 benchmark test results comparing Surface Book 3 15-inch with NVIDIA Quadro RTX 3000 versus Surface Book 2 15-inch with NVIDIA GeForce GTX 1060 devices in market March 2020. +The following table shows how Quadro RTX 3000 provides significantly faster acceleration across leading professional applications. It includes SPECview perf 13 benchmark test results comparing the Surface Book 3 15-inch with NVIDIA Quadro RTX 3000 versus the Surface Book 2 15-inch with NVIDIA GeForce GTX 1060 devices in the market as of March 2020. **Table 3. App acceleration on Surface Book 3 with Quadro RTX 3000** @@ -95,23 +95,23 @@ The following table shows how Quadro RTX 3000 provides significantly faster acce | Adobe Dimension | - RTX-accelerated ray tracing delivers photorealistic 3D rendering to 2D artists and designers. | | Adobe Substance Alchemist | - Create and blend materials with ease, featuring RTX-accelerated AI. | | Adobe Substance Painter | - Paint materials onto 3d models, featuring RTX accelerated bakers, and Iray RTX rendering which generates photorealistic imagery for interactive and batch rendering workflows.
| -| Adobe Substance Designer | - Author procedural materials featuring RTX accelerated bakers
- Uses NVIDIA Iray rendering including textures/substances and bitmap texture export to render in any Iray powered compatible with MDL.
- DXR-accelerated light and ambient occlusion baking. | -| Adobe Photoshop | - CUDA core acceleration enables faster editing with 30+ GPU-accelerated features such as blur gallery, liquify, smart sharpen, & perspective warp enable photographers and designers to modify images smoothly and quickly. | +| Adobe Substance Designer | - Author procedural materials featuring RTX accelerated bakers
- Uses NVIDIA Iray rendering including textures/substances and bitmap texture export to render in any Iray that is compatible with MDL.
- DXR-accelerated light and ambient occlusion baking. | +| Adobe Photoshop | - CUDA core acceleration enables faster editing with 30+ GPU-accelerated features such as blur gallery, liquify, smart sharpen, and perspective warp enable photographers and designers to modify images smoothly and quickly. | | Adobe Lightroom | - Faster editing high res images with GPU-accelerated viewport, which enables the modeling of larger 3D scenes, and the rigging of more complex animations.
- GPU-accelerated image processing enables dramatically more responsive adjustments, especially on 4K or higher resolution displays.
- GPU-accelerated AI-powered “Enhance Details” for refining fine color detail of RAW images. | | Adobe Illustrator | - Pan and zoom with GPU-accelerated canvas faster, which enables graphic designers and illustrators to pan across and zoom in and out of complex vector graphics smoothly and interactively. | -| Adobe
Premiere Pro | - Significantly faster editing and rendering video with GPU-accelerated effects vs CPU:
- GPU-accelerated effects with NVIDIA CUDA technology for real-time video editing and faster final frame rendering.
- GPU-accelerated AI Auto Reframe feature for intelligently converting landscape video to dynamically tracked portrait or square video. | +| Adobe
Premiere Pro | - Significantly faster editing and rendering video with GPU-accelerated effects vs CPU.
- GPU-accelerated effects with NVIDIA CUDA technology for real-time video editing and faster final frame rendering.
- GPU-accelerated AI Auto Reframe feature for intelligently converting landscape video to dynamically tracked portrait or square video. | | Autodesk
Revit | - GPU-accelerated viewport for a smoother, more interactive design experience.
- Supports 3rd party GPU-accelerated 3D renderers such as V-Ray and Enscape. | -| Autodesk
3ds Max | - GPU-accelerated viewport graphics for fast, interactive 3D modelling and design.
- RTX-accelerated ray tracing and AI denoising ****with the default Arnold renderer.
- More than 70 percent faster compared with Surface Book 2 15”. | +| Autodesk
3ds Max | - GPU-accelerated viewport graphics for fast, interactive 3D modelling and design.
- RTX-accelerated ray tracing and AI denoising with the default Arnold renderer.
- More than 70 percent faster compared with Surface Book 2 15”. | | Autodesk
Maya | - RTX-accelerated ray tracing and AI denoising with the default Arnold renderer.
- OpenGL Viewport Acceleration. | -| Dassault Systemes
Solidworks | - Solidworks Interactive Ray Tracer (Visualize) accelerated by both RT Cores and Tensor Cores; AI-accelerated denoiser.
- Runs more than 50% faster compared with Surface Book 2 15” | -| Dassault Systemes
3D Experience Platform | - CATIA Interactive Ray Tracer (Live Rendering) accelerated by RT Cores.
- Catia runs more than 100% faster compared with Surface Book 2 15. | -| ImageVis3D | - Runs more than 2x faster compared with Surface Book 2 15”.. | +| Dassault Systemes
Solidworks | - Solidworks Interactive Ray Tracer (Visualize) accelerated by both RT Cores and Tensor Cores; AI-accelerated denoiser.
- Runs more than 50% faster compared with Surface Book 2 15”. | +| Dassault Systemes
3D Experience Platform | - CATIA Interactive Ray Tracer (Live Rendering) accelerated by RT Cores.
- Catia runs more than 100% faster compared with Surface Book 2 15". | +| ImageVis3D | - Runs more than 2x faster compared with Surface Book 2 15”. | | McNeel & Associates
Rhino 3D | - GPU-accelerated viewport for a smooth and interactive modelling and design experience.
- Supports Cycles for GPU-accelerated 3D rendering. | -| Siemens NX | - Siemens NX Interactive Ray Tracer (Ray Traced Studio) accelerated by RT Cores.
- Runs more than 10 x faster compared with Surface Book 2 15”.. | -| Esri ArcGIS | - Real-time results from what took days & weeks, due to DL inferencing leveraging tensor cores. | +| Siemens NX | - Siemens NX Interactive Ray Tracer (Ray Traced Studio) accelerated by RT Cores.
- Runs more than 10x faster compared with Surface Book 2 15”. | +| Esri ArcGIS | - Real-time results from what took days and weeks, due to DL inferencing leveraging tensor cores. | | PTC Creo | - Creo's real-time engineering simulation tool (Creo Simulation Live) built on CUDA.
- Runs more than 15% faster compared with Surface Book 2 15”. | | Luxion KeyShot | - 3rd party Interactive Ray Tracer used by Solidworks, Creo, and Rhino. Accelerated by RT Cores, OptiX™ AI-accelerated denoising. | -| ANSYS
Discovery Live | - ANSYS real-time engineering simulation tool (ANSYS Discovery Live) built on CUDA | +| ANSYS
Discovery Live | - ANSYS real-time engineering simulation tool (ANSYS Discovery Live) built on CUDA. | ## SKUs **Table 4. Surface Book 3 with Quadro RTX 3000 SKUs** @@ -123,7 +123,7 @@ The following table shows how Quadro RTX 3000 provides significantly faster acce ## Summary -Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance on any Surface laptop, providing architects, engineers, developers, and data scientists with the tools they need to work efficiently from anywhere: +The Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, providing architects, engineers, developers, and data scientists with the tools they need to work efficiently from anywhere: - RTX-acceleration across multiple workflows like design, animation, video production, and more. - Desktop-grade performance in a mobile form factor. @@ -133,4 +133,4 @@ Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance on an - [Surface Book 3 GPU technical overview](surface-book-GPU-overview.md) - [Surface for Business](https://www.microsoft.com/surface/business) -- [Microsoft Cognitive Toolkit (CNTK)](https://docs.microsoft.com/cognitive-toolkit/) \ No newline at end of file +- [Microsoft Cognitive Toolkit (CNTK)](https://docs.microsoft.com/cognitive-toolkit/) diff --git a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md index 044b0e0437..19eb605696 100644 --- a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md +++ b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md index 11a032fb45..ae9ddc100b 100644 --- a/devices/surface/surface-diagnostic-toolkit-business.md +++ b/devices/surface/surface-diagnostic-toolkit-business.md @@ -6,12 +6,12 @@ ms.mktglfcycl: manage ms.localizationpriority: medium ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article -ms.date: 10/31/2019 +ms.date: 05/11/2020 ms.reviewer: hachidan manager: laurawi -ms.audience: itpro +audience: itpro --- # Deploy Surface Diagnostic Toolkit for Business @@ -41,6 +41,9 @@ Command line | Directly troubleshoot Surface devices remotely without user inter SDT for Business is supported on Surface 3 and later devices, including: +- Surface Book 3 +- Surface Go 2 +- Surface Pro X - Surface Pro 7 - Surface Laptop 3 - Surface Pro 6 @@ -116,6 +119,7 @@ In addition to the .exe file, SDT installs a JSON file and an admin.dll file (mo *Figure 2. Files installed by SDT* + ## Preparing the SDT package for distribution Creating a custom package allows you to target the tool to specific known issues. @@ -170,6 +174,18 @@ You can select to run a wide range of logs across applications, drivers, hardwar - [Use Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) ## Changes and updates + +### Version 2.94.139.0 +*Release date: May 11, 2020*
+This version of Surface Diagnostic Toolkit for Business adds support for the following: + +- Ability to skip Windows Update to perform hardware check. +- Ability to receive notifications for about the latest version update +- Surface Go 2 +- Surface Book 3 +- Show progress indicator + + ### Version 2.43.139.0 *Release date: October 21, 2019*
This version of Surface Diagnostic Toolkit for Business adds support for the following: diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md index 035eec60da..d7b8828415 100644 --- a/devices/surface/surface-diagnostic-toolkit-command-line.md +++ b/devices/surface/surface-diagnostic-toolkit-command-line.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: hachidan manager: laurawi diff --git a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md index 795bff7f7f..7734d2a4fa 100644 --- a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md +++ b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: hachidan manager: laurawi diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md index 2b19282899..10939f979e 100644 --- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md +++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: cottmca manager: laurawi diff --git a/devices/surface/surface-dock-whats-new.md b/devices/surface/surface-dock-whats-new.md index 253a73b069..f3443b6c31 100644 --- a/devices/surface/surface-dock-whats-new.md +++ b/devices/surface/surface-dock-whats-new.md @@ -8,14 +8,14 @@ ms.sitesec: library author: coveminer ms.author: greglin ms.topic: article -ms.date: 5/06/2020 +ms.date: 5/29/2020 ms.reviewer: brrecord manager: laurawi audience: itpro --- # What’s new in Surface Dock 2 -Surface Dock 2, the next generation Surface dock, lets users connect external monitors and multiple peripherals to obtain a fully modernized desktop experience from a Surface device. Built to maximize efficiency at the office, in a flexible workspace, or at home, Surface Dock 2 features seven ports, including two front-facing USB-C ports, with 15 watts of fast charging power for phone and accessories. Surface Dock 2 is designed to simplify IT management, enabling admins to automate firmware updates using Windows Update or centralize updates with internal software distribution tools. An extended set of management tools will be released via Windows update upon commercial distribution. +Surface Dock 2, the next generation Surface dock, lets users connect external monitors and multiple peripherals to obtain a fully modernized desktop experience from a Surface device. Built to maximize efficiency at the office, in a flexible workspace, or at home, Surface Dock 2 features seven ports, including two front-facing USB-C ports, with 15 watts of fast charging power for phone and accessories. Surface Dock 2 is designed to simplify IT management, enabling admins to automate firmware updates using Windows Update or centralize updates with internal software distribution tools. Surface Enterprise Management Mode (SEMM) now enables IT admins to secure ports on Surface Dock 2. For more information, see [Secure Surface Dock 2 ports with Surface Enterprise Management Mode](https://techcommunity.microsoft.com/t5/surface-it-pro-blog/secure-surface-dock-2-ports-with-surface-enterprise-management/ba-p/1418999). ## General system requirements @@ -28,8 +28,7 @@ Surface Dock 2, the next generation Surface dock, lets users connect external mo - Surface Book 2 - Surface Laptop 2 - Surface Go - - Surface Go with LTE Advanced - - Surface Studio 2 + - Surface Go with LTE Advanced - Surface Pro 7 - Surface Laptop 3 - Surface Book 3 @@ -86,7 +85,7 @@ Surface Dock 2, the next generation Surface dock, lets users connect external mo |Surflink|Yes|Yes| |USB-A|2 front facing USB 3.1 Gen 1
2 rear facing USB 3.1 Gen 1|2 rear facing USB 3.2 Gen 2 (7.5W power)| |Mini Display port|2 rear facing (DP1.2)|None| -|USB-C|None|2 front facing USB 3.2 Gen 2
[15W power]
2 rear facing USB 3.2 Gen 2 (DP1.4a)
[7.5W power]| +|USB-C|None|2 front facing USB 3.2 Gen 2
(15W power)
2 rear facing USB 3.2 Gen 2 (DP1.4a)
(7.5W power)| |3.5 mm Audio in/out|Yes|Yes| |Ethernet|Yes, 1 gigabit|Yes 1 gigabit| |DC power in|Yes|Yes| @@ -99,20 +98,18 @@ Surface Dock 2, the next generation Surface dock, lets users connect external mo |Wake-on-LAN from Connected Standby1|Yes|Yes| |Wake-on-LAN from S4/S5 sleep modes|No|Yes| |Network PXE boot|Yes|Yes| -|SEMM host access control|No|Coming in Windows Update2| -|SEMM port access control3|No|Coming in Windows Update| +|SEMM host access control|No|Yes +|SEMM port access control2|No|Yes| |Servicing support|MSI|Windows Update or MSI| |||| 1. *Devices must be configured for Wake on LAN via Surface Enterprise Management Mode (SEMM) or Device Firmware Control Interface (DFCI) to wake from Hibernation or Power-Off states. Wake from Hibernation or Power-Off is supported on Surface Pro 7, Surface Laptop 3, Surface Pro X, Surface Book 3, and Surface Go 2. Software license required for some features. Sold separately.* -2. *Pending release via Windows Update.* - -3. *Software license required for some features. Sold separately.* +2. *Software license required for some features. Sold separately.* ## Streamlined device management -Following the public announcement of Surface Dock 2, Surface will release streamlined management functionality via Windows Update enabling IT admins to utilize the following enterprise-grade features: +Surface has released streamlined management functionality via Windows Update enabling IT admins to utilize the following enterprise-grade features: - **Frictionless updates**. Update your docks silently and automatically, with Windows Update or Microsoft Endpoint Configuration Manager, (formerly System Center Configuration Manager - SCCM) or other MSI deployment tools. - **Wake from the network**. Manage and access corporate devices without depending on users to keep their devices powered on. Even when a docked device is in sleep, hibernation, or power off mode, your team can wake from the network for service and management, using Endpoint Configuration Manager or other enterprise management tools. @@ -120,5 +117,6 @@ Following the public announcement of Surface Dock 2, Surface will release stream ## Next steps +- [Secure Surface Dock 2 ports with Surface Enterprise Management Mode](https://techcommunity.microsoft.com/t5/surface-it-pro-blog/secure-surface-dock-2-ports-with-surface-enterprise-management/ba-p/1418999) - [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) - [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md) diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index fc88993c64..c983e5f0f5 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -7,12 +7,13 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article -ms.reviewer: scottmca +ms.reviewer: hachidan manager: laurawi ms.localizationpriority: medium -ms.audience: itpro +audience: itpro +ms.date: 05/26/2020 --- # Microsoft Surface Enterprise Management Mode @@ -31,6 +32,9 @@ There are two administrative options you can use to manage SEMM and enrolled Sur The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied. +>[!NOTE] +>You can now use Surface UEFI Configurator and SEMM to manage ports on Surface Dock 2. To learn more, see [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md). +  *Figure 1. Microsoft Surface UEFI Configurator* @@ -95,7 +99,7 @@ The following list shows all the available devices you can manage in SEMM: |Enable Battery limit| Allows you to manage Battery limit functionality. If you do not configure this setting, Battery limit is enabled | | Security | Displays the Surface UEFI **Security** page. If you do not configure this setting, the Security page is displayed. | | Devices | Displays the Surface UEFI **Devices** page. If you do not configure this setting, the Devices page is displayed. | -| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the DateTime page is displayed. | +| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the Boot page is displayed. | | DateTime | Displays the Surface UEFI **DateTime** page. If you do not configure this setting, the DateTime page is displayed. | @@ -227,9 +231,27 @@ create a reset package using PowerShell to reset SEMM. ## Version History -### Version 2.59. -* Support to Surface Pro 7, Surface Pro X, and Surface Laptop 3 13.5" and 15" models with Intel processor. Note: Surface Laptop 3 15" AMD processor is not supported. -- Support to Wake on Power feature +### Version 2.71.139.0 + +This version of SEMM adds support for Surface Dock 2 management features for Surface Book 3, Surface Laptop 3, and Surface Pro 7 including: + +- Enabling audio (locking/unlocking), Ethernet and USB ports +- Ability to create dock packages for both authenticated and unauthenticated hosts + +### Version 2.70.130.0 + +This version of SEMM includes: + +- Support for Surface Go 2 +- Support for Surface Book 3 +- Bug fixes + + +### Version 2.59.139.0 + +* Support for Surface Pro 7, Surface Pro X, and Surface Laptop 3 13.5" and 15" models with Intel processor. Note: Surface Laptop 3 15" AMD processor is not supported. + +- Support for Wake on Power feature ### Version 2.54.139.0 * Support to Surface Hub 2S @@ -263,6 +285,6 @@ create a reset package using PowerShell to reset SEMM. ## Related topics -[Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md) - -[Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) +- [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md) +- [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) +- [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md) diff --git a/devices/surface/surface-manage-dfci-guide.md b/devices/surface/surface-manage-dfci-guide.md index f21805f1a7..d9b08bd9e4 100644 --- a/devices/surface/surface-manage-dfci-guide.md +++ b/devices/surface/surface-manage-dfci-guide.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 11/13/2019 ms.reviewer: jesko @@ -31,7 +31,7 @@ Until now, managing firmware required enrolling devices into Surface Enterprise Now with newly integrated UEFI firmware management capabilities in Microsoft Intune, the ability to lock down hardware is simplified and easier to use with new features for provisioning, security, and streamlined updating all in a single console, now unified as [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). The following figure shows UEFI settings viewed directly on the device (left) and viewed in the Endpoint Manager console (right). - + Crucially, DFCI enables zero touch management, eliminating the need for manual interaction by IT admins. DFCI is deployed via Windows Autopilot using the device profiles capability in Intune. A device profile allows you to add and configure settings which can then be deployed to devices enrolled in management within your organization. Once the device receives the device profile, the features and settings are applied automatically. Examples of common device profiles include Email, Device restrictions, VPN, Wi-Fi, and Administrative templates. DFCI is simply an additional device profile that enables you to manage UEFI configuration settings from the cloud without having to maintain on-premises infrastructure. diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md index 488eeca1a2..5b7adaf812 100644 --- a/devices/surface/surface-pro-arm-app-management.md +++ b/devices/surface/surface-pro-arm-app-management.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.localizationpriority: high ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 4/15/2020 ms.reviewer: jessko diff --git a/devices/surface/surface-pro-arm-app-performance.md b/devices/surface/surface-pro-arm-app-performance.md index 4459d6052b..10f3e57bbd 100644 --- a/devices/surface/surface-pro-arm-app-performance.md +++ b/devices/surface/surface-pro-arm-app-performance.md @@ -6,7 +6,7 @@ ms.localizationpriority: medium ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 10/03/2019 ms.reviewer: jessko diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md index c0de20193f..499e718991 100644 --- a/devices/surface/surface-system-sku-reference.md +++ b/devices/surface/surface-system-sku-reference.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 03/09/2020 ms.reviewer: diff --git a/devices/surface/surface-wireless-connect.md b/devices/surface/surface-wireless-connect.md index 24a358065b..34c653abc0 100644 --- a/devices/surface/surface-wireless-connect.md +++ b/devices/surface/surface-wireless-connect.md @@ -7,7 +7,7 @@ ms.sitesec: library author: coveminer ms.audience: itpro ms.localizationpriority: medium -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: tokatz manager: laurawi diff --git a/devices/surface/unenroll-surface-devices-from-semm.md b/devices/surface/unenroll-surface-devices-from-semm.md index 0caea932ab..6750387137 100644 --- a/devices/surface/unenroll-surface-devices-from-semm.md +++ b/devices/surface/unenroll-surface-devices-from-semm.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: manager: laurawi diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md index c9345502d8..7602e690be 100644 --- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md +++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index 21616dc89e..91c1b17875 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: manager: laurawi diff --git a/devices/surface/using-the-sda-deployment-share.md b/devices/surface/using-the-sda-deployment-share.md deleted file mode 100644 index 0309d071ec..0000000000 --- a/devices/surface/using-the-sda-deployment-share.md +++ /dev/null @@ -1,172 +0,0 @@ ---- -title: Using the Microsoft Surface Deployment Accelerator deployment share (Surface) -description: Explore the scenarios where you can use SDA to meet the deployment needs of your organization including Proof of Concept, pilot deployment, as well as import additional drivers and applications. -keywords: deploy, install, automate, deployment solution -ms.prod: w10 -ms.mktglfcycl: deploy -ms.pagetype: surface, devices -ms.sitesec: library -author: coveminer -ms.author: v-jokai -ms.topic: article -ms.localizationpriority: medium -ms.audience: itpro -ms.reviewer: -manager: laurawi ---- - -# Using the Microsoft Surface Deployment Accelerator deployment share - -With Microsoft Surface Deployment Accelerator (SDA), you can quickly and easily set up a deployment solution that is ready to deploy Windows to Surface devices. The prepared environment is built on powerful deployment technologies available from Microsoft, such as the [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/windows/dn475741), and is capable of immediately performing a deployment after configuration. See [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/itpro/surface/step-by-step-surface-deployment-accelerator) for a comprehensive walkthrough of using the SDA wizard to set up a deployment share and perform a deployment. - -For more information about SDA and information on how to download SDA, see [Microsoft Surface Deployment Accelerator (SDA)](https://technet.microsoft.com/itpro/surface/microsoft-surface-deployment-accelerator). - -> [!NOTE] -> SDA is not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md). - -Using SDA provides these primary benefits: - -* With SDA, you can create a ready-to-deploy environment that can deploy to target devices as fast as your download speeds allow. The wizard experience enables you to check a few boxes and then the automated process builds your deployment environment for you. - -* With SDA, you prepare a deployment environment built on the industry leading deployment solution of MDT. With MDT you can scale from a relatively basic deployment of a few Surface devices to a solution capable of deploying to thousands of devices including all of the different makes and models in your organization and all of the applications required by each device and user. - -This article explores four scenarios where you can use SDA to meet the needs of your organization. See [Deploy Windows 10](https://technet.microsoft.com/itpro/windows/deploy/index) to explore the capabilities of MDT and the Windows deployment technologies available from Microsoft in greater detail. - -## Perform a Proof of Concept deployment - -One of the primary scenarios for use of SDA is as a Proof of Concept. A *Proof of Concept* (PoC) enables you to test or evaluate the capabilities of a solution or technology. A PoC is often used to illustrate the benefits of the solution or technology to decision makers. For example, if you want to recommend Surface devices as a replacement of older point of sale (POS) systems, you could perform a PoC to demonstrate how Surface devices provide superior computing power, flexibility, and connectivity when compared to alternate options. - -Using SDA to prepare a PoC of Surface devices enables you to very quickly prepare a demonstration of Surface device or devices, which gives you more time for customization or preparation. The flexibility of SDA even lets you import resources, like applications and drivers, from existing MDT deployment infrastructure. See the [Work with existing deployment shares](#work-with-existing-deployment-shares) section later in this article for more information. - -SDA is also an excellent PoC of the capabilities of MDT. SDA demonstrates just how quickly an MDT deployment environment can be prepared and made ready for deployment to devices. It also shows just how flexible and customizable the MDT solution can be, with support for Windows 10 and Windows 8.1, for Microsoft Store and desktop applications, and several models of Surface devices. - -Some recommendations for a successful PoC with SDA are: - -* Keep your SDA deployment environment separate from your production network. This ensures optimal performance and reduces potential for conflicts during your PoC deployment. - -* Use a fresh and updated instance of Windows Server to house your SDA deployment share to maintain the simplicity and performance of the demonstration environment. - -* Test the deployment process before you demonstrate your PoC. This reduces the potential for unexpected situations and keeps the demonstration focused on the deployment process and Surface devices. - -* Use offline files with SDA to further reduce installation times. - -* For help with your PoC, contact [Surface Support](https://www.microsoft.com/surface/support/contact-us-business). - -## Perform a pilot deployment - -A pilot deployment differs from a PoC. Where a PoC is usually a closed demonstration that is performed prior to the deployment process in order to get approval for the use of certain technologies or solutions, a *pilot deployment* is performed during the deployment process as a limited scope deployment for testing and validation. The focus of a pilot deployment can be as narrow as only a handful of devices, or wide enough to include a significant portion of your organization. - ->[!NOTE] ->A pilot deployment should not replace the testing process that should be performed regularly in the lab as the deployment environment is built and developed. A deployment solution should be tested in virtual and physical environments as new applications and drivers are added and when task sequences are modified and before a pilot deployment is performed. - -For example, you are tasked with deploying Surface devices to mobile workers and you want to test the organization’s MDT deployment process by providing a small number of devices to executives. You can use SDA to create an isolated Surface deployment environment and then copy the task sequence, applications, and drivers needed from the production deployment share. This not only enables you to quickly create a Surface deployment, but it also minimizes the risk to the production deployment process used for other types of devices. - -For small organizations, the pilot deployment environment of SDA may suffice as a complete deployment solution. Even if you do not have an existing deployment environment, you can import drivers and applications (covered later in this article) to provide a complete deployment solution based on MDT. Even without previous knowledge of MDT or Windows deployment, you can follow the [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/itpro/surface/step-by-step-surface-deployment-accelerator) article to get started with a deployment to Surface devices. - -## Import additional drivers - -The SDA deployment share includes all of the drivers needed for Surface devices. This includes the drivers for the components inside the Surface device, such as the wireless network adapter and the main chipset, as well as drivers for Surface accessories, such as the Surface Dock or Surface USB Ethernet adapters. The SDA deployment share does not, however, include drivers for third-party devices or peripherals. - -For example, you may intend to use your Surface device with a thermal printer, credit card reader, and barcode scanner as a POS terminal. In this scenario, the thermal printer, credit card reader, and barcode scanner will very likely require installation of drivers to operate properly. You could potentially download and install these drivers from Windows Update when each peripheral is connected, or you could install the driver package from the manufacturer manually on each Surface device, but the ideal solution is to have these drivers already present in Windows so that when the peripheral is connected, it will just work. - -Because SDA is built on MDT, adding the drivers to the SDA deployment share is easy and simple. - ->[!NOTE] ->The drivers must be in the Setup Information File (.inf) format. If the drivers for your device come as an executable file (.exe), they may need to be extracted or installed to procure the .inf file. Some device drivers come packaged with applications, for example an all-in-one printer bundled with scan software. These applications will need to be installed separately from the drivers. - -To import drivers for a peripheral device: - -1. Download the drivers for your device from the manufacturer web site. - -2. Open the MDT Deployment Workbench. - -3. Expand the **Deployment Shares** node and expand the SDA deployment share. - -4. Expand the **Out-of-Box Drivers** folder. - -5. Select the folder of the Surface model for which you would like to include this driver. - -6. Click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 1. - -  - - *Figure 1. Provide the location of your driver files* - -7. The Import Drivers Wizard presents a series of steps: - - - **Specify Directory** – Click **Browse** and navigate to the folder where you stored the drivers in Step 1. - - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. - - **Progress** – While the drivers are imported, a progress bar is displayed on this page. - - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard. - -8. Repeat Steps 5-7 for each Surface model on which you would like to include this driver. - -9. Close the Deployment Workbench. - -After the drivers are imported for the Surface model, the deployment task sequence will automatically select the drivers during the deployment process and include them in the Windows environment. When you connect your device, such as the barcode scanner in the example, Windows should automatically detect the device and you should be able to use it immediately. - ->[!NOTE] ->You can even import drivers for other computer makes and models to support other devices. See **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt) for more information about how to import drivers for other makes and models. - -## Import additional applications - -As with drivers, the SDA deployment share can be pre-configured with apps like the Surface App and Microsoft Office 365. You can also add applications to the SDA deployment share and configure them to be installed on your Surface devices during deployment of Windows. In the ideal scenario, your Surface devices deployed with the SDA deployment share will include all of the applications needed to be ready for your end users. - -In the previous example for including drivers for a POS system, you would also need to include POS software for processing transactions and recording the input from the barcode scanner and credit card reader. To import an application and prepare it for installation on your Surface devices during Windows deployment: - -1. Download the application installation files or locate the installation media for your application. - -2. Determine the command line instruction for silent installation, usually provided by the developer of the application. For Windows Installer files (.msi), see [Standard Installer Command-Line Options](https://msdn.microsoft.com/library/windows/desktop/aa372024) in the Windows Dev Center. - -3. Open the MDT Deployment Workbench. - -4. Expand the **Deployment Shares** node and expand the SDA deployment share. - -5. Expand the **Applications** folder. - -6. Click **New Application** to start the New Application Wizard, as shown in Figure 2. - -  - - *Figure 2: Provide the command to install your application* - -7. Follow the steps of the New Application Wizard: - - - **Application Type** – Click **Application with Source Files**, and then click **Next**. - - **Details** – Enter a name for the application in the **Application Name** field. Enter publisher, version, and language information in the **Publisher**, **Version**, and **Language** fields if desired. Click **Next**. - - **Source** – Click **Browse** to navigate to and select the folder with the application installation files procured in Step 1, and then click **Next**. - - **Destination** – Enter a name for the folder where the application files will be stored in the **Specify the Name of the Directory that Should Be Created** field or click **Next** to accept the default name. - - **Command Details** – Enter the silent command-line instruction, for example `setup.msi /quiet /norestart` - - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. - - **Progress** – While the installation files are imported, a progress bar is displayed on this page. - - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Application Wizard. - -8. Click the **Task Sequences** folder, right-click **1 - Deploy Microsoft Surface**, and then click **Properties**. - -9. Click the **Task Sequence** tab to view the steps that are included in the new task sequence. - -10. Select the **Windows Update (Pre-Application Installation)** step, and then click **Add**. - -11. Hover the mouse over **General** under the **Add** menu, and then click **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 3. - -  - - *Figure 3. A new Install Application step for Sample POS App* - -12. On the **Properties** tab of the new **Install Application** step, enter **Install - Sample POS App** in the **Name** field, where *Sample POS App* is the name of your app. - -13. Click **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share. - -14. Select your app from the list of applications, and then click **OK**. - -15. Click **OK** to close the task sequence properties. - -16. Close the Deployment Workbench. - -## Work with existing deployment shares - -One of the many benefits of an MDT deployment share is the simplicity of how deployment resources are stored. The MDT deployment share is, at its core, just a standard network file share. All deployment resources, such as Windows images, application installation files, and drivers, are stored in a share that can be browsed with File Explorer, copied and pasted, and moved just like any other file share, provided that you have the necessary permissions. This makes working with deployment resources extremely easy. MDT even allows you to make it easier by allowing you to open multiple deployment shares from the Deployment Workbench and to transfer or copy resources between them. - -This ability gives SDA some extra capabilities when used in an environment with an existing MDT infrastructure. For example, if you install SDA on an isolated server to prepare a PoC and then log on to your production MDT deployment share from the Deployment Workbench on your SDA server, you can copy applications, drivers, task sequences, and other components into the SDA deployment share that is prepared with Surface apps and drivers. With this process, in a very short amount time, you can have a deployment environment ready to deploy your organization’s precise requirements to Surface devices. - -You can also use this capability in reverse. For example, you can copy the Surface drivers, deployment task sequences, and apps directly into a lab or testing environment following a successful PoC. Using these resources, you can immediately begin to integrate Surface deployment into your existing deployment infrastructure. diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md index a6686dcf69..b9c11bd90f 100644 --- a/devices/surface/wake-on-lan-for-surface-devices.md +++ b/devices/surface/wake-on-lan-for-surface-devices.md @@ -8,7 +8,7 @@ ms.pagetype: surface, devices ms.sitesec: library ms.localizationpriority: medium author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: scottmca manager: laurawi diff --git a/devices/surface/windows-virtual-desktop-surface.md b/devices/surface/windows-virtual-desktop-surface.md new file mode 100644 index 0000000000..80434c8eb7 --- /dev/null +++ b/devices/surface/windows-virtual-desktop-surface.md @@ -0,0 +1,158 @@ +--- +title: Windows Virtual Desktop on Surface +description: This article explains how Surface devices deliver an ideal end node for Windows Virtual Desktop solutions, providing customers with flexible form factors, Windows 10 modern device security and manageability, and support for persistent, on-demand & just-in-time work scenarios. +ms.prod: w10 +ms.mktglfcycl: manage +ms.localizationpriority: medium +ms.sitesec: library +author: coveminer +ms.author: greglin +ms.topic: article +ms.date: 5/20/2020 +ms.reviewer: rohenr +manager: laurawi +audience: itpro +--- + +# Windows Virtual Desktop on Surface + +## Introduction + +Windows Virtual Desktop on Surface lets you run Virtual Desktop Infrastructure (VDI) on a Surface device blurring the lines between the local desktop experience and the virtual desktop where touch, pen, ink, and biometric authentication span both physical and virtual environments. Representing another milestone in the evolution of computing, Windows Virtual Desktop on Surface 1 combines Microsoft 365 - virtualized in the Azure cloud - with the advanced security protections, enterprise-level manageability, and enhanced productivity tools of Windows 10 on Surface. This fusion of premium form factor and Virtual Desktop Infrastructure in Azure provides exceptional customer value across user experiences, portability, security, business continuity, and modern management. + +### Windows Virtual Desktop + +Windows Virtual Desktop (WVD) is a comprehensive desktop and app virtualization service running in the Azure cloud. It’s the only virtual desktop infrastructure that delivers simplified management, multi-session Windows 10, optimizations for Office 365 ProPlus, and support for Remote Desktop Services (RDS) environments. With WVD you can quickly deploy and scale Windows desktops and apps on Azure and get built-in security and compliance features. + +### Windows Virtual Desktop partner integrations + +For a list of approved partner providers and independent software vendors for Windows Virtual Desktop, see [Windows Virtual Desktop partner integrations](https://docs.microsoft.com/azure/virtual-desktop/partners). Some partners also provide Virtual Desktop as a Service (DaaS). DaaS frees you from having to maintain your own virtual machines (VMs) by providing a fully managed, turnkey desktop and virtualization service. The ability to deliver customized desktops to users anywhere in the world enables companies to quickly adjust to changing market conditions by spinning up cloud desktops on-demand - when and where they’re needed. + +## Microsoft Surface Devices + +Surface engineering has long set new standards for innovation by going beyond the keyboard and mouse to imagine more natural ways of interacting with devices, whether by touch, voice, ink, or Surface Dial. And with chip-to-cloud integration of Microsoft 365 and the security and manageability of Windows 10 Pro, Surface delivers connected hardware, software, apps, and services the way they were intended. Although it’s possible to run WVD from Windows devices dating back to Windows 7, Microsoft Surface devices provide unique advantages including support for: + +- **Flexible form factors** - like 2-in-1 devices such as Surface Go 2, Surface Pro 7 and Surface Pro X with pen, touch and detachable keyboard. +- **Persistent, on-demand and just-in-time work scenarios** - with offline and on-device access for more productive experiences. +- **Windows 10 modern device security and manageability** - providing the flexibility to be productive anywhere. + +## Flexible form factors and premium user experience + +The Microsoft Surface for Business family comprises a diverse portfolio of form factors including traditional laptops, all-in-one machines, and 2-in-1 devices. Surface devices deliver experiences people love with the choice and flexibility they need in order to work on their terms. + +### The modern virtual desktop endpoint + +Surface 2-in-1 devices, including [Surface Go 2](https://www.microsoft.com/p/surface-go-2) (10.5”), [Surface Pro 7](https://www.microsoft.com/surface/devices/surface-pro-7/) (12”) and [Surface Pro X](https://www.microsoft.com/p/surface-pro-x/) (13”), provide users with the ideal cloud desktop endpoint bringing together the optimal balance of portability, versatility, power, and all-day battery. From site engineers relying on Surface Go 2 in tablet mode to financial advisors attaching Surface Pro 7 to a dock and multiple monitors, 2-in-1 devices deliver the versatility that has come to define the modern workplace. + + Unlike traditional, fixed VDI “terminals”, Surface devices allow users to work from anywhere and enable companies to remain viable and operational during unforeseen events -- from severe weather to public health emergencies. With support for persistent, on-demand and just-in-time scenarios, Surface devices effectively help companies sustain ongoing operations and mitigate risk from disruptive events. Features designed to enhance productivity on Surface 2-in-1 devices include: + +- Vibrant, high resolution displays with 3:2 aspect ratio to get work done. +- Natural inking and multi-touch for more immersive experiences. +- With a wide variety of built-in and third-party accessibility features, Surface devices let you choose how to interact with your device, express ideas, and get work done. +- Far-field mics and high-performance speakers for improved virtual meetings. +- Biometric security including built-in, Windows Hello camera that comes standard on every Surface device. +- Long battery life 2 and fast charging. +- LTE options 3 on modern devices like Surface Pro X and Surface Go 2 for hassle-free and secure connectivity. +- Support for a wide range of peripherals such as standard printers, 3D printers, cameras, credit card readers, barcode scanners, and many others. A large ecosystem of Designed for Surface partners provides licensed and certified Surface accessories. +- Broad range of Device Redirection support. + +### Device Redirection Support + +The Surface-centric productivity experiences listed above become even more compelling in Windows Virtual Desktop environments by taking advantage of device redirection capabilities with Windows 10. Surface provides a broad range of device redirection support, especially when compared to OEM thin clients and fixed terminals, Android, iOS/macOS and Web-based access. The Windows Inbox (MSTSC) and Windows Desktop (MSRDC) clients provide the most device redirection capabilities including Input Redirection (keyboard, mouse, pen and touch), Port Redirection (serial and USB) and Other Redirections (cameras, clipboard, local drive/storage, location, microphones, printers, scanners, smart cards and speakers). For a detailed comparison of device redirection support refer to the [device redirection documentation](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/clients/remote-desktop-app-compare#redirection-support). + +### Familiar Desktop Experience + +Not only does running the Windows Desktop Client on Surface devices provide users with a broad set of device redirection capabilities, it lets everyone launch apps in familiar ways — directly from the Start Menu or Search bar. + +### Persistent, on-demand and just-in-time work scenarios + +Windows Virtual Desktop on Surface helps customers meet increasingly complex business and security requirements across industries, employee roles, and work environments. These include: + +- Multi-layered security of access to data and organizational resources. +- Compliance with industry regulations. +- Support for an increasingly elastic workforce. +- Employee-specific needs across a variety of job functions. +- Ability to support specialized, processor-intensive workloads. +- Resilience for sustaining operations during disruptions. + +### Table 1. Windows Virtual Desktop business conversations + +| Security & regulation | Elastic workforce | Work Roles | Special workloads | Business continuity | +| ---------------------------------------------------- | ---------------------------------------------------------------------------- | ----------------------------------------------------------------- | ---------------------------------------------------------------------------- | ---------------------------------------------------- | +| - Financial Services
- Healthcare
- Government | - Merger & acquisition
- Short term employees
- Contractors & partners | - BYOD & mobile
- Customer support/service
- Branch workers | - Design & engineering
- Support for legacy apps
- Software dev & test | - On demand
- Just-in-Time (JIT)
- Work @ Home | + +### Offline and on-device access for more productive experiences + +Traditionally, VDI solutions only work when the endpoint is connected to the internet. But what happens when the internet or power is unavailable for any reason (due to mobility, being on a plane, or power outages, and so on)? + +To support business continuity and keep employees productive, Surface devices can easily augment the virtual desktop experience with offline access to files, Microsoft 365 and third-party applications. Traditional apps like Microsoft Office, available across .x86, x64, Universal Windows Platform, ARM platforms, enable users to stay productive in “offline mode”. Files from the virtual desktop cloud environment can be synced locally on Surface using OneDrive for Business for offline access as well. You can have the confidence that all locally “cached” information is up-to-date and secure. + +In addition to adding support for offline access to apps and files, Surface devices are designed to optimize collaborative experiences like Microsoft Teams “On-Device”. Although some VDI solutions support the use of Teams through a virtual session, users can benefit from the more optimized experience provided by a locally installed instance of Teams. Localizing communications and collaboration apps for multimedia channels like voice, video, live captioning allows organizations to take full advantage of Surface devices’ ability to provide optimized Microsoft 365 experiences. The emergence of Surface artificial intelligence (AI) or “AI-on-device” brings new capabilities to life, such as eye gaze technology that adjusts the appearance of your eyes so the audience sees you looking directly at the camera when communicating via video. + +An alternative to locally installing traditional applications is to take advantage of the latest version of Microsoft Edge, which comes with support for Progressive Web Apps (PWA). PWAs are just websites that are progressively enhanced to function like native apps on supporting platforms. The qualities of a PWA combine the best of the web and native apps by additional features, such as push notifications, background data refresh, offline support, and more. + +### Virtual GPUs + +GPUs are ideal for AI compute and graphics-intensive workloads, helping customers to fuel innovation through scenarios like high-end remote visualization, deep learning, and predictive analytics. However, this isn’t ideal for professionals who need to work remotely or while on the go because varying degrees of internal GPU horsepower are tied to the physical devices, limiting mobility and flexibility. + +To solve for this Azure offers the N-series family of Virtual Machines with NVIDIA GPU capabilities (vGPU). With vGPUs, IT can either share GPU performance across multiple virtual machines, or power demanding workloads by assigning multiple GPUs to a single virtual machine. For Surface this means that no matter what device you’re using, from the highly portable Surface Go 2 to the slim and stylish Surface Laptop 3, your device has access to powerful server-class graphics performance. Surface and vGPUs allow you to combine all the things you love about Surface, to include pen, touch, keyboard, trackpad and PixelSense displays, with graphics capability only available in high performance computing environments. + +Azure N-series brings these capabilities to life on your Surface device allowing you to work in any way you want, wherever you go. [Learn more about Azure N-Series and GPU optimized virtual machine sizes.](https://docs.microsoft.com/azure/virtual-machines/sizes-gpu) + +## Microsoft 365 and Surface + +Even in a virtualized desktop environment, Microsoft 365 and Surface deliver the experiences employees love, the protection organizations demand, and flexibility for teams to work their way. According to Forrester Research: 4 + +- Microsoft 365-powered Surface devices give users up to 5 hours in weekly productivity gains with up to 9 hours saved per week for highly mobile workers, providing organizations with 112 percent ROI on Microsoft 365 with Surface +- 75 percent agree Microsoft 365-powered Surface devices help improve employee satisfaction and retention +- agree that Microsoft 365- powered Surface devices have helped improve employee satisfaction and retention. + +### Security and management + +From chip to cloud, Microsoft 365 and Surface helps organizations stay protected and up to date. +With both Surface hardware and software designed, built, and tested by Microsoft, users can be confident they’re productive and protected by leading technologies from chip to cloud. With increased numbers of users working remotely, protecting corporate data and intellectual property becomes more paramount than ever. Windows Virtual Desktop on Surface is designed around a zero-trust security model in which every access request is strongly authenticated, authorized within policy constraints, and inspected for anomalies before granting access. + +By maximizing efficiencies from cloud computing, modern management enables IT to better serve the needs of users, stakeholders and customers in an increasingly competitive business environment. For example, you can get Surface devices up-and-running with minimal interaction from your team. Setup is automatic and self-serviced. Updates are quick and painless for both your team and your users. You can manage devices regardless of their physical location. + +Security and management features delivered with Windows Virtual Desktop on Surface include: + +- **Windows Update.** Keeping Windows up to date helps you stay ahead of new security threats. Windows 10 has been engineered from the ground up to be more secure and utilize the latest hardware capabilities to improve security. With a purpose-built UEFI 5 and Windows Update for Business that responds to evolving threats, end-to-end protection is secure and simplified. + +- **Hardware encryption.** Device encryption lets you protect the data on your Surface so it can only be accessed by authorized individuals. All Surface for Business devices feature a discrete Trusted Platform Module (dTPM) that is hardware-protected against intrusion while software uses protected keys and measurements to verify software validity. +- **Windows Defender.** Windows Defender Antivirus brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices. The tool is built in and needs no extra agents to be deployed on-devices or in the VDI environment, simplifying management and optimizing device start up. Windows Defender is built in and needs no extra agents to be deployed on-device or in the VDI environment, simplifying management and optimizing device start up. The true out-of-the-box experience. +- **Removable drives** - A subset of newer Surface devices feature removable SSD drives 6 providing greater control over data retention. +- **Modern authentication -** Microsoft 365 and Surface is a unified platform delivering every Windows security feature (subject to licensing and enablement). All Surface portfolio devices ship with a custom-built camera, designed for Windows Hello for Business providing biometric security that persists seamlessly from on-device to VDI-based experiences. +- **Modern firmware management** -Using Device Firmware Configuration Interface (DFCI),7 IT administrators can remotely disable hardware elements at a firmware level such as mics, USB ports, SD card slots, cameras, and Bluetooth which removes power to the peripheral. Windows Defender Credential Guard uses virtualization-based security so that only privileged system software can access them. +- **Backward and forward compatibility** - Windows 10 devices provide backward and forward compatibility across hardware, software and services. Microsoft has a strong history of maintaining legacy support of hardware, peripherals, software and services while incorporating the latest technologies. Businesses can plan IT investments to have a long useful life. +- **Bridge for legacy Windows 7 workloads** - For solution scenarios dependent on legacy Windows OS environments, enterprises can use VDI instances of Windows 7 running in Azure. This enables support on modern devices like Surface without the risk of relying on older Windows 7 machines that no longer receive the latest security updates. In addition to these “future proofing” benefits, migration of any legacy workloads becomes greatly simplified when modern Windows 10 hardware is already deployed. +- **Zero-Touch Deployment** - Autopilot is the recommended modern management deployment option for Surface devices. Windows Autopilot on Surface is a cloud-based deployment technology in Windows 10. You can use Windows Autopilot on Surface to remotely deploy and configure devices in a zero-touch process right out of the box. Windows Autopilot-registered devices are identified over the Internet at first startup through a unique device signature that's called a hardware hash. They're automatically enrolled and configured by using modern management solutions such as Azure Active Directory (Azure AD) and mobile device management. + +### Surface devices: Minimizing environmental impacts + +Surface performs life cycle assessments to calculate the environmental impact of devices across key stages of product life cycle enabling Microsoft to minimize these impacts. Each Surface product has an ECO profile that includes details on greenhouse gas emissions, primary energy consumption and material composition data, packaging, recycling, and related criteria. To download profiles for each Surface device, see [ECO Profiles](https://www.microsoft.com/download/details.aspx?id=55974) on the Microsoft Download Center. + +## Summary + +Windows Virtual Desktop on Surface provides organizations with greater flexibility and resilience in meeting the diverse needs of users, stakeholders, and customers. Running Windows Virtual Desktop solutions on Surface devices provides unique advantages over continued reliance on legacy devices. Flexible form factors like Surface Go 2 and Surface Pro 7 connected to the cloud (or offline), enable users to be productive from anywhere, at any time. Whether employees work in persistent, on-demand, or just-in-time scenarios, Windows Virtual Desktop on Surface affords businesses with the versatility to sustain productivity throughout disruptions from public health emergencies or other unforeseen events. Using the built in, multi-layered security and modern manageability of Windows 10, companies can take advantage of an expanding ecosystem of cloud-based services to rapidly deploy and scale Windows desktops and apps. Simply put, Windows Virtual Desktop on Surface delivers critically needed technology to organizations and businesses of all sizes. + +## Learn more + +For more information, see the following resources: + +- [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/) +- [Surface for Business](https://www.microsoft.com/surface/business) +- [Modernize your workforce with Microsoft Surface](https://boards.microsoft.com/public/prism/103849?token=754435c36d) +- [A guide to Surface Technical Content and Solutions](https://boards.microsoft.com/public/prism/104362/category/90968?token=09e688ec4a) +- [Microsoft zero-trust security](https://www.microsoft.com/security/business/zero-trust) + + +---------- + +1. Windows Virtual Desktop on Surface refers to running Azure Virtual Desktop Infrastructure on a Surface device and is described here as an architectural solution, not a separately available product.
+2. Battery life varies significantly with settings, usage and other factors.
+3. Service availability and performance subject to service provider’s network. Contact your service provider for details, compatibility, pricing, SIM card, and activation. See all specs and frequencies at surface.com.
+4. Forrester Consulting, “A Forrester Total Economic Impact™ Study: Maximizing Your ROI from Microsoft 365 Enterprise with Microsoft Surface,” commissioned by Microsoft, 2018.
+5. Surface Go and Surface Go 2 use a third-party UEFI and do not support DFCI. DFCI is currently available for Surface Book 3, Surface Laptop 3, Surface Pro 7, and Surface Pro X. Find out more about managing Surface UEFI settings.
+6. Removable SSD is available on Surface Laptop 3 and Surface Pro X. Note that hard drive is not user removable. Hard drive is only removable a by skilled technician following Microsoft instructions.
+7. DFCI is currently available for Surface Book 3, Surface Laptop 3, Surface Pro 7, and Surface Pro X. [Find out more](https://docs.microsoft.com/surface/manage-surface-uefi-settings) about managing Surface UEFI settings. + diff --git a/mdop/appv-v5/app-v-51-supported-configurations.md b/mdop/appv-v5/app-v-51-supported-configurations.md index 7785be89ee..5d7e251bfa 100644 --- a/mdop/appv-v5/app-v-51-supported-configurations.md +++ b/mdop/appv-v5/app-v-51-supported-configurations.md @@ -16,6 +16,8 @@ ms.date: 04/02/2020 # App-V 5.1 Supported Configurations +>Applies to: Windows 10, version 1607; Window Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 (Extended Security Update) + This topic specifies the requirements to install and run Microsoft Application Virtualization (App-V) 5.1 in your environment. ## App-V Server system requirements @@ -40,48 +42,16 @@ The App-V 5.1 Server does not support the following scenarios: The following table lists the operating systems that are supported for the App-V 5.1 Management server installation. -**Note** -Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). See [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976) for more information. - - - -
| Operating system | -Service Pack | -System architecture | -
|---|---|---|
Microsoft Windows Server 2016 |
-- | 64-bit |
-
Microsoft Windows Server 2012 R2 |
-- | 64-bit |
-
Microsoft Windows Server 2012 |
-- | 64-bit |
-
Microsoft Windows Server 2008 R2 |
-SP1 |
-64-bit |
-
| Operating system | -Service Pack | -System architecture | -
|---|---|---|
Microsoft Windows Server 2016 |
-- | 64-bit |
-
Microsoft Windows Server 2012 R2 |
-- | 64-bit |
-
Microsoft Windows Server 2012 |
-- | 64-bit |
-
Microsoft Windows Server 2008 R2 |
-SP1 |
-64-bit |
-
| Operating system | -Service Pack | -System architecture | -
|---|---|---|
Microsoft Windows Server 2016 |
-- | 64-bit |
-
Microsoft Windows Server 2012 R2 |
-- | 64-bit |
-
Microsoft Windows Server 2012 |
-- | 64-bit |
-
Microsoft Windows Server 2008 R2 |
-SP1 |
-64-bit |
-
| Operating system | -Service Pack | -System architecture | -
|---|---|---|
Microsoft Windows Server 2016 |
-- | 64-bit |
-
Microsoft Windows Server 2012 R2 |
-- | 64-bit |
-
Microsoft Windows Server 2012 |
-- | 64-bit |
-
Microsoft Windows Server 2008 R2 |
-SP1 |
-64-bit |
-
| Operating system | -Service pack | -System architecture | -
|---|---|---|
Microsoft Windows Server 2016 |
-- | 64-bit |
-
Microsoft Windows Server 2012 R2 |
-- | 64-bit |
-
Microsoft Windows Server 2012 |
-- | 64-bit |
-
Microsoft Windows Server 2008 R2 |
-SP1 |
-64-bit |
-
Microsoft Windows 10 |
-- | 32-bit and 64-bit |
-
Microsoft Windows 8.1 |
-- | 32-bit and 64-bit |
-
Microsoft Windows 7 |
-SP1 |
-32-bit and 64-bit |
-
| Database | -Location of Readme.txt file to use | -
|---|---|
Management database |
- ManagementDatabase subfolder |
-
Reporting database |
- ReportingDatabase subfolder |
-
Prepare your computing environment for the MBAM installation. To do so, you must enable the Transparent Data Encryption (TDE) on the SQL Server instances that will host MBAM databases. To enable TDE in your lab environment, you can create a .sql file to run against the master database that is hosted on the instance of the SQL Server that MBAM will use.
-Note
You can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of C:\Backup</em>. The TDE certificate and key are required when recover the database or move the certificate and key to another server that has TDE encryption in place.
+NoteYou can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of C:\Backup. The TDE certificate and key are required when recover the database or move the certificate and key to another server that has TDE encryption in place.
USE master;
GO
-CREATE MASTER KEY ENCRYPTION BY PASSWORD = &#39;P@55w0rd';
+CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@55w0rd';
GO
CREATE CERTIFICATE tdeCert WITH SUBJECT = 'TDE Certificate';
GO
BACKUP CERTIFICATE tdeCert TO FILE = 'C:\Backup\TDECertificate.cer'
WITH PRIVATE KEY (
FILE = 'C:\Backup\TDECertificateKey.pvk',
- ENCRYPTION BY PASSWORD = &#39;P@55w0rd');
+ ENCRYPTION BY PASSWORD = 'P@55w0rd');
GO| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
 |
+  |
+ |
+ |
+ |
+ |
+ |
+
| New or updated topic | +Description | +
|---|---|
| Policy CSP | +Added the following new policies in Windows 10, version 2004: +
Updated the following policy in Windows 10, version 2004: + + +Deprecated the following policies in Windows 10, version 2004: + + |
| DevDetail CSP | +Added the following new node: |
| EnterpriseModernAppManagement CSP | +Added the following new node: |
| SUPL CSP | +Added the following new node: |
| Business | -7 |
+ 8 |
| Enterprise | -7 |
+ 8 |
| Education | -7 |
+ 8 |
diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index 3ab3d8246b..7e84c5ac84 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Bitlocker -description: Policy CSP - Bitlocker +description: Use the Policy configuration service provider (CSP) - Bitlocker to manage encryption of PCs and devices. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index 07a7f51c0f..d4c64c584f 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -1,6 +1,6 @@ --- title: Policy CSP - BITS -description: Policy CSP - BITS +description: Use StartTime, EndTime and Transfer rate together to define the BITS bandwidth-throttling schedule and transfer rate. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -14,10 +14,6 @@ manager: dansimp # Policy CSP - BITS -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - - The following bandwidth policies are used together to define the bandwidth-throttling schedule and transfer rate. - BITS/BandwidthThrottlingEndTime diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 40e770a691..74dbe86c25 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - Bluetooth -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
@@ -412,19 +409,19 @@ The default value is an empty string. For more information, see [ServicesAllowed
78787878diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 64a83cf92a..3f68b4b8cb 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Browser -description: Policy CSP - Browser +description: Learn how to set the Policy CSP - Browser settings for Microsoft Edge, version 45 and earlier. ms.topic: article ms.prod: w10 ms.technology: windows @@ -17,11 +17,6 @@ ms.localizationpriority: medium > [!NOTE] > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). -
- -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). - ## Browser policies @@ -4308,6 +4303,7 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. +- 7 - Added in Windows 10, version 1909. +- 8 - Added in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index a246711f54..d9cc3f9647 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -1,6 +1,6 @@ --- title: Policy CSP - CredentialProviders -description: Policy CSP - CredentialProviders +description: Learn the policy CSP for credential provider set up, sign in, PIN requests and so on. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -249,6 +249,8 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. +- 7 - Added in Windows 10, version 1909. +- 8 - Added in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index d691487aa2..2e45c2f251 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -205,7 +205,7 @@ Allows or disallows scanning of archives. ADMX Info: - GP English name: *Scan archive files* - GP name: *Scan_DisableArchiveScanning* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -275,7 +275,7 @@ Allows or disallows Windows Defender Behavior Monitoring functionality. ADMX Info: - GP English name: *Turn on behavior monitoring* - GP name: *RealtimeProtection_DisableBehaviorMonitoring* -- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection* +- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* - GP ADMX file name: *WindowsDefender.admx* @@ -346,7 +346,7 @@ ADMX Info: - GP English name: *Join Microsoft MAPS* - GP name: *SpynetReporting* - GP element: *SpynetReporting* -- GP path: *Windows Components/Windows Defender Antivirus/MAPS* +- GP path: *Windows Components/Microsoft Defender Antivirus/MAPS* - GP ADMX file name: *WindowsDefender.admx* @@ -416,7 +416,7 @@ Allows or disallows scanning of email. ADMX Info: - GP English name: *Turn on e-mail scanning* - GP name: *Scan_DisableEmailScanning* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -486,7 +486,7 @@ Allows or disallows a full scan of mapped network drives. ADMX Info: - GP English name: *Run full scan on mapped network drives* - GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -556,7 +556,7 @@ Allows or disallows a full scan of removable drives. During a quick scan, remova ADMX Info: - GP English name: *Scan removable drives* - GP name: *Scan_DisableRemovableDriveScanning* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -626,7 +626,7 @@ Allows or disallows Windows Defender IOAVP Protection functionality. ADMX Info: - GP English name: *Scan all downloaded files and attachments* - GP name: *RealtimeProtection_DisableIOAVProtection* -- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection* +- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* - GP ADMX file name: *WindowsDefender.admx* @@ -758,7 +758,7 @@ Allows or disallows Windows Defender On Access Protection functionality. ADMX Info: - GP English name: *Monitor file and program activity on your computer* - GP name: *RealtimeProtection_DisableOnAccessProtection* -- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection* +- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* - GP ADMX file name: *WindowsDefender.admx* @@ -828,7 +828,7 @@ Allows or disallows Windows Defender Realtime Monitoring functionality. ADMX Info: - GP English name: *Turn off real-time protection* - GP name: *DisableRealtimeMonitoring* -- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection* +- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* - GP ADMX file name: *WindowsDefender.admx* @@ -898,7 +898,7 @@ Allows or disallows a scanning of network files. ADMX Info: - GP English name: *Scan network files* - GP name: *Scan_DisableScanningNetworkFiles* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -1030,7 +1030,7 @@ Allows or disallows user access to the Windows Defender UI. If disallowed, all W ADMX Info: - GP English name: *Enable headless UI mode* - GP name: *UX_Configuration_UILockdown* -- GP path: *Windows Components/Windows Defender Antivirus/Client Interface* +- GP path: *Windows Components/Microsoft Defender Antivirus/Client Interface* - GP ADMX file name: *WindowsDefender.admx* @@ -1103,7 +1103,7 @@ ADMX Info: - GP English name: *Exclude files and paths from Attack Surface Reduction Rules* - GP name: *ExploitGuard_ASR_ASROnlyExclusions* - GP element: *ExploitGuard_ASR_ASROnlyExclusions* -- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction* +- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction* - GP ADMX file name: *WindowsDefender.admx* @@ -1171,7 +1171,7 @@ ADMX Info: - GP English name: *Configure Attack Surface Reduction rules* - GP name: *ExploitGuard_ASR_Rules* - GP element: *ExploitGuard_ASR_Rules* -- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction* +- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction* - GP ADMX file name: *WindowsDefender.admx* @@ -1238,7 +1238,7 @@ ADMX Info: - GP English name: *Specify the maximum percentage of CPU utilization during a scan* - GP name: *Scan_AvgCPULoadFactor* - GP element: *Scan_AvgCPULoadFactor* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -1315,7 +1315,7 @@ ADMX Info: - GP English name: *Check for the latest virus and spyware definitions before running a scheduled scan* - GP name: *CheckForSignaturesBeforeRunningScan* - GP element: *CheckForSignaturesBeforeRunningScan* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -1380,11 +1380,11 @@ ADMX Info: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. +Added in Windows 10, version 1709. This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. -If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. +If this setting is on, Microsoft Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. -For more information about specific values that are supported, see the Windows Defender Antivirus documentation site. +For more information about specific values that are supported, see the Microsoft Defender Antivirus documentation site. > [!NOTE] > This feature requires the "Join Microsoft MAPS" setting enabled in order to function. @@ -1395,7 +1395,7 @@ ADMX Info: - GP English name: *Select cloud protection level* - GP name: *MpEngine_MpCloudBlockLevel* - GP element: *MpCloudBlockLevel* -- GP path: *Windows Components/Windows Defender Antivirus/MpEngine* +- GP path: *Windows Components/Microsoft Defender Antivirus/MpEngine* - GP ADMX file name: *WindowsDefender.admx* @@ -1459,7 +1459,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. +Added in Windows 10, version 1709. This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. @@ -1474,7 +1474,7 @@ ADMX Info: - GP English name: *Configure extended cloud check* - GP name: *MpEngine_MpBafsExtendedTimeout* - GP element: *MpBafsExtendedTimeout* -- GP path: *Windows Components/Windows Defender Antivirus/MpEngine* +- GP path: *Windows Components/Microsoft Defender Antivirus/MpEngine* - GP ADMX file name: *WindowsDefender.admx* @@ -1529,7 +1529,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications. -Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator. +Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Microsoft Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator. @@ -1537,7 +1537,7 @@ ADMX Info: - GP English name: *Configure allowed applications* - GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications* - GP element: *ExploitGuard_ControlledFolderAccess_AllowedApplications* -- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* +- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* - GP ADMX file name: *WindowsDefender.admx* @@ -1600,7 +1600,7 @@ ADMX Info: - GP English name: *Configure protected folders* - GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders* - GP element: *ExploitGuard_ControlledFolderAccess_ProtectedFolders* -- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* +- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* - GP ADMX file name: *WindowsDefender.admx* @@ -1667,7 +1667,7 @@ ADMX Info: - GP English name: *Configure removal of items from Quarantine folder* - GP name: *Quarantine_PurgeItemsAfterDelay* - GP element: *Quarantine_PurgeItemsAfterDelay* -- GP path: *Windows Components/Windows Defender Antivirus/Quarantine* +- GP path: *Windows Components/Microsoft Defender Antivirus/Quarantine* - GP ADMX file name: *WindowsDefender.admx* @@ -1742,7 +1742,7 @@ ADMX Info: - GP English name: *Turn on catch-up full scan* - GP name: *Scan_DisableCatchupFullScan* - GP element: *Scan_DisableCatchupFullScan* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -1822,7 +1822,7 @@ ADMX Info: - GP English name: *Turn on catch-up quick scan* - GP name: *Scan_DisableCatchupQuickScan* - GP element: *Scan_DisableCatchupQuickScan* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -1894,7 +1894,7 @@ ADMX Info: - GP English name: *Configure Controlled folder access* - GP name: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess* - GP element: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess* -- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* +- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* - GP ADMX file name: *WindowsDefender.admx* @@ -1971,7 +1971,7 @@ ADMX Info: - GP English name: *Configure low CPU priority for scheduled scans* - GP name: *Scan_LowCpuPriority* - GP element: *Scan_LowCpuPriority* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -2049,7 +2049,7 @@ ADMX Info: - GP English name: *Prevent users and apps from accessing dangerous websites* - GP name: *ExploitGuard_EnableNetworkProtection* - GP element: *ExploitGuard_EnableNetworkProtection* -- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Network Protection* +- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Network Protection* - GP ADMX file name: *WindowsDefender.admx* @@ -2121,7 +2121,7 @@ ADMX Info: - GP English name: *Path Exclusions* - GP name: *Exclusions_Paths* - GP element: *Exclusions_PathsList* -- GP path: *Windows Components/Windows Defender Antivirus/Exclusions* +- GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions* - GP ADMX file name: *WindowsDefender.admx* @@ -2185,7 +2185,7 @@ ADMX Info: - GP English name: *Extension Exclusions* - GP name: *Exclusions_Extensions* - GP element: *Exclusions_ExtensionsList* -- GP path: *Windows Components/Windows Defender Antivirus/Exclusions* +- GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions* - GP ADMX file name: *WindowsDefender.admx* @@ -2255,7 +2255,7 @@ ADMX Info: - GP English name: *Process Exclusions* - GP name: *Exclusions_Processes* - GP element: *Exclusions_ProcessesList* -- GP path: *Windows Components/Windows Defender Antivirus/Exclusions* +- GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions* - GP ADMX file name: *WindowsDefender.admx* @@ -2385,7 +2385,7 @@ ADMX Info: - GP English name: *Configure monitoring for incoming and outgoing file and program activity* - GP name: *RealtimeProtection_RealtimeScanDirection* - GP element: *RealtimeProtection_RealtimeScanDirection* -- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection* +- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* - GP ADMX file name: *WindowsDefender.admx* @@ -2457,7 +2457,7 @@ ADMX Info: - GP English name: *Specify the scan type to use for a scheduled scan* - GP name: *Scan_ScanParameters* - GP element: *Scan_ScanParameters* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -2537,7 +2537,7 @@ ADMX Info: - GP English name: *Specify the time for a daily quick scan* - GP name: *Scan_ScheduleQuickScantime* - GP element: *Scan_ScheduleQuickScantime* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -2608,7 +2608,7 @@ ADMX Info: - GP English name: *Specify the day of the week to run a scheduled scan* - GP name: *Scan_ScheduleDay* - GP element: *Scan_ScheduleDay* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -2695,7 +2695,7 @@ ADMX Info: - GP English name: *Specify the time of day to run a scheduled scan* - GP name: *Scan_ScheduleTime* - GP element: *Scan_ScheduleTime* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -2774,7 +2774,7 @@ ADMX Info: - GP English name: *Define the order of sources for downloading definition updates* - GP name: *SignatureUpdate_FallbackOrder* - GP element: *SignatureUpdate_FallbackOrder* -- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates* +- GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates* - GP ADMX file name: *WindowsDefender.admx* @@ -2853,7 +2853,7 @@ ADMX Info: - GP English name: *Define file shares for downloading definition updates* - GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources* - GP element: *SignatureUpdate_DefinitionUpdateFileSharesSources* -- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates* +- GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates* - GP ADMX file name: *WindowsDefender.admx* @@ -2933,7 +2933,7 @@ ADMX Info: - GP English name: *Specify the interval to check for definition updates* - GP name: *SignatureUpdate_SignatureUpdateInterval* - GP element: *SignatureUpdate_SignatureUpdateInterval* -- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates* +- GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates* - GP ADMX file name: *WindowsDefender.admx* @@ -3001,7 +3001,7 @@ ADMX Info: - GP English name: *Send file samples when further analysis is required* - GP name: *SubmitSamplesConsent* - GP element: *SubmitSamplesConsent* -- GP path: *Windows Components/Windows Defender Antivirus/MAPS* +- GP path: *Windows Components/Microsoft Defender Antivirus/MAPS* - GP ADMX file name: *WindowsDefender.admx* @@ -3092,7 +3092,7 @@ ADMX Info: - GP English name: *Specify threat alert levels at which default action should not be taken when detected* - GP name: *Threats_ThreatSeverityDefaultAction* - GP element: *Threats_ThreatSeverityDefaultActionList* -- GP path: *Windows Components/Windows Defender Antivirus/Threats* +- GP path: *Windows Components/Microsoft Defender Antivirus/Threats* - GP ADMX file name: *WindowsDefender.admx* diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 8a8184ba9a..902ef8e8be 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 06/09/2020 ms.reviewer: manager: dansimp --- @@ -31,6 +31,9 @@ manager: dansimp
+ +**DeliveryOptimization/DOCacheHostSource** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | +8 |
+
| Business | +8 |
+
| Enterprise | +8 |
+
| Education | +8 |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy allows you to to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. + + + +ADMX Info: +- GP English name: *Cache Server Hostname Source* +- GP name: *CacheHostSource* +- GP element: *CacheHostSource* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + + + +The following are the supported values: +- 1 = DHCP Option ID. +- 2 = DHCP Option ID Force. + +When DHCP Option ID (1) is set, the client will query DHCP Option ID 235 and use the returned FQDN or IP value as Cache Server Hostname value. This policy will be overridden when the [Cache Server Hostname](#deliveryoptimization-docachehost) policy has been set. + +When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 and use the returned FQDN or IP value as Cache Server Hostname value, and will override the Cache Server Hostname policy if it has been set. + +> [!Note] +> If the DHCP Option ID is formatted incorrectly, the client will fall back to the [Cache Server Hostname](#deliveryoptimization-docachehost) policy value if that value has been set. + + + + + + + + + + +
+ **DeliveryOptimization/DODelayBackgroundDownloadFromHttp** @@ -816,6 +908,68 @@ The following list shows the supported values:
+ +**DeliveryOptimization/DOMaxBackgroundDownloadBandwidth** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | +8 |
+
| Business | +8 |
+
| Enterprise | +8 |
+
| Education | +8 |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. + +The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. + + + +ADMX Info: +- GP English name: *Maximum Background Download Bandwidth (in KB/s)* +- GP name: *MaxBackgroundDownloadBandwidth* +- GP element: *MaxBackgroundDownloadBandwidth* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + + + + +
+ **DeliveryOptimization/DOMaxCacheAge** @@ -952,70 +1106,27 @@ ADMX Info: **DeliveryOptimization/DOMaxDownloadBandwidth** -
| Windows Edition | -Supported? | -
|---|---|
| Home | - |
-
| Pro | -1 |
-
| Business | -1 |
-
| Enterprise | -1 |
-
| Education | -1 |
-
-[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -
-> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. - -The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. +This policy is deprecated. Use [DOMaxForegroundDownloadBandwidth](#deliveryoptimization-domaxforegrounddownloadbandwidth) and [DOMaxBackgroundDownloadBandwidth](#deliveryoptimization-domaxbackgrounddownloadbandwidth) policies instead. -ADMX Info: -- GP English name: *Maximum Download Bandwidth (in KB/s)* -- GP name: *MaxDownloadBandwidth* -- GP element: *MaxDownloadBandwidth* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* -
-**DeliveryOptimization/DOMaxUploadBandwidth** +**DeliveryOptimization/DOMaxForegroundDownloadBandwidth**
| Pro | - |
+ 8 |
| Business | - |
+ 8 |
| Enterprise | - |
+ 8 |
| Education | - |
+ 8 |
+ +**DeliveryOptimization/DOMaxUploadBandwidth** + + + + + + + + +This policy is deprecated because it only applies to uploads to Internet peers (only allowed when DownloadMode is set to 3) which is not used in commercial deployments. There is no alternate policy to use. + + + + + + +
+ **DeliveryOptimization/DOMinBackgroundQos** @@ -1901,12 +2027,14 @@ This policy allows an IT Admin to define the following: Footnotes: -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in Windows 10, version 1809. -- 6 - Added in Windows 10, version 1903. +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index f34ee27dd5..00ab26dd22 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - DeviceGuard -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 4ced8ce8ab..f1c54d540a 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -14,9 +14,6 @@ ms.localizationpriority: medium # Policy CSP - DeviceInstallation -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 08eaddf872..c1e5dd8c30 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - DmaGuard -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
@@ -76,7 +73,7 @@ manager: dansimp -This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing. +This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with [DMA Remapping](https://docs.microsoft.com/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers)/device memory isolation and sandboxing. Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index 825ac41a15..df04232bea 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Education -description: Policy CSP - Education +description: Control graphing functionality in the Windows Calculator app. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - Education -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
@@ -52,23 +49,23 @@ manager: dansimp
88888diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 9263511ddf..6f8eb9a799 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -102,6 +102,9 @@ manager: dansimp
+ +**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | +3 |
+
| Business | +3 |
+
| Enterprise | +3 |
+
| Education | +3 |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Network security: Allow Local System to use computer identity for NTLM. + +When services connect to devices that are running versions of the Windows operating system earlier than Windows Vista or Windows Server 2008, services that run as Local System and use SPNEGO (Negotiate) that revert to NTLM will authenticate anonymously. In Windows Server 2008 R2 and Windows 7 and later, if a service connects to a computer running Windows Server 2008 or Windows Vista, the system service uses the computer identity. + +When a service connects with the device identity, signing and encryption are supported to provide data protection. (When a service connects anonymously, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. Anonymous authentication uses a NULL session, which is a session with a server in which no user authentication is performed; and therefore, anonymous access is allowed.) + + + +GP Info: +- GP English name: *Network security: Allow Local System to use computer identity for NTLM* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + +Valid values: +- 0 - Disabled +- 1 - Enabled (Allow Local System to use computer identity for NTLM.) + + + + +
+ **LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests** @@ -2385,6 +2458,74 @@ GP Info:
+ +**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | +4 |
+
| Business | +4 |
+
| Enterprise | +4 |
+
| Education | +4 |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Network security: Minimum session security for NTLM SSP based (including secure RPC) clients. + +This security setting allows a client device to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: + +- Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. +- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. + +Default: + +Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. + +Windows 7 and Windows Server 2008 R2: Require 128-bit encryption. + + + +GP Info: +- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + + +
+ **LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers** diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index aefb521407..b96fcd749d 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Messaging -description: Policy CSP - Messaging +description: Enable, and disable, text message back up and restore as well as Messaging Everywhere by using the Policy CSP for messaging. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md index 598cad17d2..f896724225 100644 --- a/windows/client-management/mdm/policy-csp-mssecurityguide.md +++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md @@ -1,6 +1,6 @@ --- title: Policy CSP - MSSecurityGuide -description: Policy CSP - MSSecurityGuide +description: See how this ADMX-backed policy requires a special SyncML format to enable or disable. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index 3d7afccb49..601cfb8378 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md @@ -228,7 +228,7 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff -Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets. +Integer value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets. @@ -468,7 +468,7 @@ ADMX Info: -Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies. +Integer value that tells the client to accept the configured list of proxies and not try to detect other work proxies. diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 8433af94b3..2d4e4b33d0 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Notifications -description: Policy CSP - Notifications +description: Block applications from using the network to send tile, badge, toast, and raw notifications for Policy CSP - Notifications. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index e5adaec521..f0f51bdb9f 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Power -description: Policy CSP - Power +description: Learn the ins and outs of various Policy CSP - Power settings, including SyncML, for Windows 10. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 8053b57d73..1707ca7bfc 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -8,7 +8,6 @@ ms.technology: windows author: manikadhiman ms.localizationpriority: medium ms.date: 04/07/2020 - ms.reviewer: manager: dansimp --- @@ -16,7 +15,6 @@ manager: dansimp # Policy CSP - RestrictedGroups -
@@ -86,7 +84,7 @@ For example, you can create a Restricted Groups policy to allow only specified u > |----------|----------|----------|----------| > | 0x55b (Hex)
1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h | -Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. +Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of zero members when applying the policy implies clearing the access group and should be used with caution. ```xml
XML accepts group and member only by name.
Supports configuring the administrators group using the group name.
Expects member name to be in the account name format. | +| Windows 10, version 1809
Windows 10, version 1903
Windows 10, version 1909 | Supports configuring any local group.
`
`
This is useful when you want to ensure a certain local group always has a well-known SID as member. | +| Windows 10, version 2004 | Behaves as described in this topic.
Accepts name or SID for group and members and translates as appropriate. | + +
@@ -166,5 +176,7 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. +- 7 - Added in Windows 10, version 1909. +- 8 - Added in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 0a4dcd146d..46499d7701 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - Security -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index c5e74893fc..17a91ff2d8 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - Start -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 7cb986c7fd..a221c321b1 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1,6 +1,6 @@ --- title: Policy CSP - System -description: Policy CSP - System +description: Learn policy settings that determines whether users can access the Insider build controls in the advanced options for Windows Update. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 8a69418c47..7d502e9af7 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - TaskManager -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 7786a5eb5c..79e47c91f8 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -16,10 +16,6 @@ manager: dansimp -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before they are commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - -
@@ -815,19 +811,19 @@ This setting supports a range of values between 0 and 1.
888888888888+ +**Update/TargetReleaseVersion** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | +4 |
+
| Business | +4 |
+
| Enterprise | +4 |
+
| Education | +4 |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/). + + +ADMX Info: +- GP English name: *Select the target Feature Update version* +- GP name: *TargetReleaseVersion* +- GP element: *TargetReleaseVersionId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Value type is a string containing Windows 10 version number. For example, 1809, 1903. + + + + + + + + + +
+ **Update/UpdateNotificationLevel** @@ -4371,11 +4442,13 @@ ADMX Info: Footnotes: -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in Windows 10, version 1809. -- 6 - Added in Windows 10, version 1903. +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. + diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 25159c3271..ef56c8dd9a 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -1260,6 +1260,11 @@ GP Info: - GP English name: *Increase scheduling priority* - GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* +> [!Warning] +> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver. +> +> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission. + diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 4db39b31f2..86ea14fd52 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - WindowsDefenderSecurityCenter -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-csps-supported-by-hololens2.md b/windows/client-management/mdm/policy-csps-supported-by-hololens2.md index d6936c3bf9..0a0040f58c 100644 --- a/windows/client-management/mdm/policy-csps-supported-by-hololens2.md +++ b/windows/client-management/mdm/policy-csps-supported-by-hololens2.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 07/18/2019 +ms.date: 05/11/2020 --- # Policy CSPs supported by HoloLens 2 @@ -59,9 +59,19 @@ ms.date: 07/18/2019 - [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forceallowtheseapps) - [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forcedenytheseapps) - [Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-userincontroloftheseapps) +- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps) 8 +- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps) 8 +- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps) 8 +- [Privacy/LetAppsAccessGazeInput](policy-csp-privacy.md#privacy-letappsaccessgazeinput) 8 +- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-forceallowtheseapps) 8 +- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-forcedenytheseapps) 8 +- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-userincontroloftheseapps) 8 - [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#privacy-letappsaccesscamera) - [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#privacy-letappsaccesslocation) - [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#privacy-letappsaccessmicrophone) +- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) 8 +- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) 8 +- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) 8 - [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation) - [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption) - [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime) @@ -83,6 +93,18 @@ ms.date: 07/18/2019 - [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime) - [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl) - [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration) +- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) 8 + +Footnotes: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in Windows 10, version 1903. +- 7 - Added in Windows 10, version 1909. +- 8 - Added in Windows 10, version 2004. ## Related topics diff --git a/windows/client-management/mdm/policy-csps-supported-by-iot-core.md b/windows/client-management/mdm/policy-csps-supported-by-iot-core.md index c37cdb1b86..c43363b357 100644 --- a/windows/client-management/mdm/policy-csps-supported-by-iot-core.md +++ b/windows/client-management/mdm/policy-csps-supported-by-iot-core.md @@ -31,6 +31,7 @@ ms.date: 09/16/2019 - [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize) - [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching) - [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost) +- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource) - [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp) - [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp) - [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground) @@ -38,10 +39,12 @@ ms.date: 09/16/2019 - [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode) - [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid) - [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource) +- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth) - [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage) - [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize) -- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) -- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) +- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) (deprecated) +- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth) +- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) (deprecated) - [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos) - [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload) - [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer) @@ -50,7 +53,7 @@ ms.date: 09/16/2019 - [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive) - [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap) - [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth) -- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) +- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) (deprecated) - [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth) - [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby) - [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) diff --git a/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md index f0837806da..617be22113 100644 --- a/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md +++ b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md @@ -30,6 +30,7 @@ ms.date: 07/18/2019 - [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize) - [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching) - [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost) +- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource) - [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp) - [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp) - [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground) @@ -37,10 +38,12 @@ ms.date: 07/18/2019 - [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode) - [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid) - [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource) +- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth) - [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage) - [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize) -- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) -- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) +- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) (deprecated) +- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth) +- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) (deprecated) - [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos) - [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload) - [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer) @@ -49,7 +52,7 @@ ms.date: 07/18/2019 - [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive) - [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap) - [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth) -- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) +- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) (deprecated) - [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth) - [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby) - [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 8a9c1a34dc..7a522ee312 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 05/21/2019 +ms.date: 06/03/2020 --- # Policy DDF file @@ -20,6 +20,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Policy* You can view various Policy DDF files by clicking the following links: +- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml) - [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml) - [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml) - [View the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml) @@ -31,7 +32,7 @@ You can view various Policy DDF files by clicking the following links: You can download DDF files for various CSPs from [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the DDF for Windows 10, version 1903. +The XML below is the DDF for Windows 10, version 2004. ```xml @@ -57,7 +58,7 @@ The XML below is the DDF for Windows 10, version 1903.
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
- - - - - - - - - +--- +title: Best practice recommendations for Windows To Go (Windows 10) +description: Best practice recommendations for Windows To Go +ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: best practices, USB, device, boot +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: mobility +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Best practice recommendations for Windows To Go + + +**Applies to** + +- Windows 10 + +> [!IMPORTANT] +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + +The following are the best practice recommendations for using Windows To Go: + +- Always shut down Windows and wait for shutdown to complete before removing the Windows To Go drive. +- Do not insert the Windows To Go drive into a running computer. +- Do not boot the Windows To Go drive from a USB hub. Always insert the Windows To Go drive directly into a port on the computer. +- If available, use a USB 3.0 port with Windows To Go. +- Do not install non-Microsoft core USB drivers on Windows To Go. +- Suspend BitLocker on Windows host computers before changing the BIOS settings to boot from USB and then resume BitLocker protection. + +Additionally, we recommend that when you plan your deployment you should also plan a standard operating procedure for answering questions about which USB drives can be used for Windows To Go and how to enable booting from USB to assist your IT department or help desk in supporting users and work groups that want to use Windows To Go. It may be very helpful for your organization to work with your hardware vendors to create an IT standard for USB drives for use with Windows To Go, so that if groups within your organization want to purchase drives they can quickly determine which ones they should obtain. + +## More information + + +[Windows To Go: feature overview](windows-to-go-overview.md)
+[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
+[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
+[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
+[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
+ + + + + + + + + diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md index d57413d357..8724e8278a 100644 --- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md @@ -23,7 +23,7 @@ ms.topic: article - Windows 10 > [!IMPORTANT] -> Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. From the start, Windows To Go was designed to minimize differences between the user experience of working on a laptop and Windows To Go booted from a USB drive. Given that Windows To Go was designed as an enterprise solution, extra consideration was given to the deployment workflows that enterprises already have in place. Additionally, there has been a focus on minimizing the number of differences in deployment between Windows To Go workspaces and laptop PCs. diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md index a9f0103eb9..c896c72fde 100644 --- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md +++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md @@ -22,8 +22,8 @@ ms.topic: article - Windows 10 ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. +> [!IMPORTANT] +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the “what”, “why”, and “when” questions an IT professional might have when planning to deploy Windows To Go. diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md index 905e495858..952f743607 100644 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md @@ -22,8 +22,8 @@ ms.topic: article - Windows 10 ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. +> [!IMPORTANT] +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md index a1156b67f9..acf11aa0ee 100644 --- a/windows/deployment/planning/windows-10-deployment-considerations.md +++ b/windows/deployment/planning/windows-10-deployment-considerations.md @@ -1,144 +1,132 @@ ---- -title: Windows 10 deployment considerations (Windows 10) -description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. -ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, upgrade, update, in-place -ms.prod: w10 -ms.localizationpriority: medium -ms.mktglfcycl: plan -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Windows 10 deployment considerations - - -**Applies to** - -- Windows 10 - -There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. - -For many years, organizations have deployed new versions of Windows using a “wipe and load” deployment process. At a high level, this process captures existing data and settings from the existing device, deploys a new custom-built Windows image to a PC, injects hardware drivers, reinstalls applications, and finally restores the data and settings. With Windows 10, this process is still fully supported, and for some deployment scenarios is still necessary. - -Windows 10 also introduces two additional scenarios that organizations should consider: - -- **In-place upgrade**, which provides a simple, automated process that leverages the Windows setup process to automatically upgrade from an earlier version of Windows. This process automatically migrates existing data, settings, drivers, and applications. - -- **Dynamic provisioning**, which enables organizations to configure new Windows 10 devices for organization use without having to deploy a new custom organization image to the device. - - Both of these scenarios eliminate the image creation process altogether, which can greatly simplify the deployment process. - - So how do you choose? At a high level: - -
| Consider ... | -For these scenarios | -
|---|---|
| In-place upgrade | -
|
-
| Traditional wipe-and-load | -
|
-
| Dynamic provisioning | -
|
-
| Consider ... | +For these scenarios | +
|---|---|
| In-place upgrade | +
|
+
| Traditional wipe-and-load | +
|
+
| Dynamic provisioning | +
|
+
+[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) + + + + + + + + + diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index 5a34226e0f..fba2f6ef1d 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -26,7 +26,9 @@ The features described below are no longer being actively developed, and might b |Feature | Details and mitigation | Announced in version | | ----------- | --------------------- | ---- | -| Hyper-V vSwitch on LBFO | In a future release, the Hyper-V vSwitch will no longer have the capability to be bound to an LBFO team. Instead, it can be bound via [Switch Embedded Teaming](https://docs.microsoft.com/windows-server/virtualization/hyper-v-virtual-switch/rdma-and-switch-embedded-teaming#bkmk_sswitchembedded) (SET).| 1909 | +| Companion Device Framework | The [Companion Device Framework](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 | +| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 | +| Dynamic Disks | The [Dynamic Disks](https://docs.microsoft.com/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](https://docs.microsoft.com/windows-server/storage/storage-spaces/overview) in a future release.| 2004 | | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 | | My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 | | Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
The recommended replacement for PSR is [Azure App Service](https://docs.microsoft.com/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 | diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index b5615f4412..7ca82acf70 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md @@ -26,38 +26,24 @@ There are specific infrastructure requirements to deploy and manage Windows 10 ## High-level requirements - For initial Windows 10 deployments, as well as subsequent Windows 10 upgrades, ensure that sufficient disk space is available for distribution of the Windows 10 installation files (about 3 GB for Windows 10 x64 images, slightly smaller for x86). Also, be sure to take into account the network impact of moving these large images to each PC; you may need to leverage local server storage. For persistent VDI environments, carefully consider the I/O impact from upgrading large numbers of PCs in a short period of time. Ensure that upgrades are performed in smaller numbers, or during off-peak time periods. (For pooled VDI environments, a better approach is to replace the base image with a new version.) ## Deployment tools - -A new version of the Assessment and Deployment Toolkit (ADK) has been released to support Windows 10. This new version, available for download [here](https://go.microsoft.com/fwlink/p/?LinkId=526740), is required for Windows 10; you should not use earlier versions of the ADK to deploy Windows 10. It also supports the deployment of Windows 7, Windows 8, and Windows 8.1. +The latest version of the Windows Assessment and Deployment Toolkit (ADK) is available for download [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install). Significant enhancements in the ADK for Windows 10 include new runtime provisioning capabilities, which leverage the Windows Imaging and Configuration Designer (Windows ICD), as well as updated versions of existing deployment tools (DISM, USMT, Windows PE, and more). -Microsoft Deployment Toolkit 2013 Update 1, available for download [here](https://go.microsoft.com/fwlink/p/?LinkId=625079), has also been updated to support Windows 10 and the new ADK; older versions do not support Windows 10. New in this release is task sequence support for Windows 10 in-place upgrades. +The latest version of the Microsoft Deployment Toolkit (MDT) is available for download [here](https://docs.microsoft.com/mem/configmgr/mdt/release-notes). -For System Center Configuration Manager, Windows 10 support is offered with various releases: - -| Release | Windows 10 management? | Windows 10 deployment? | -|---------------------------------------------|------------------------|------------------------------------------------| -| System Center Configuration Manager 2007 | Yes, with a hotfix | No | -| System Center Configuration Manager 2012 | Yes, with SP2 and CU1 | Yes, with SP2, CU1, and the ADK for Windows 10 | -| System Center Configuration Manager 2012 R2 | Yes, with SP1 and CU1 | Yes, with SP1, CU1, and the ADK for Windows 10 | - - -> [!NOTE] -> Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require Microsoft Endpoint Configuration Manager current branch for supported management. - +For Configuration Manager, Windows 10 version specific support is offered with [various releases](https://docs.microsoft.com/mem/configmgr/core/plan-design/configs/support-for-windows-10). For more details about Microsoft Endpoint Configuration Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). ## Management tools - In addition to Microsoft Endpoint Configuration Manager, Windows 10 also leverages other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you are using a central policy store, follow the steps outlined [here](https://go.microsoft.com/fwlink/p/?LinkId=625083) to update the ADMX files stored in that central store. No new Active Directory schema updates or specific functional levels are currently required for core Windows 10 product functionality, although subsequent upgrades could require these to support new features. @@ -72,8 +58,6 @@ Microsoft Desktop Optimization Pack (MDOP) has been updated to support Windows | Microsoft BitLocker Administration and Monitoring (MBAM) | MBAM 2.5 SP1 (2.5 is OK) | | User Experience Virtualization (UE-V) | UE-V 2.1 SP1 | - - For more information, see the [MDOP TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=625090). For devices you manage with mobile device management (MDM) solutions such as Microsoft Intune, existing capabilities (provided initially in Windows 8.1) are fully supported in Windows 10; new Windows 10 MDM settings and capabilities will require updates to the MDM services. See [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=625084) for more information. @@ -81,20 +65,17 @@ For devices you manage with mobile device management (MDM) solutions such as Mic Windows Server Update Services (WSUS) requires some additional configuration to receive updates for Windows 10. Use the Windows Server Update Services admin tool and follow these instructions: 1. Select the **Options** node, and then click **Products and Classifications**. - 2. In the **Products** tree, select the **Windows 10** and **Windows 10 LTSB** products and any other Windows 10-related items that you want. Click **OK**. - 3. From the **Synchronizations** node, right-click and choose **Synchronize Now**.  -Figure 1. WSUS product list with Windows 10 choices +WSUS product list with Windows 10 choices Because Windows 10 updates are cumulative in nature, each month’s new update will supersede the previous month's. Consider leveraging “express installation” packages to reduce the size of the payload that needs to be sent to each PC each month; see [Express installation files](https://go.microsoft.com/fwlink/p/?LinkId=625086) for more information. (Note that this will increase the amount of disk storage needed by WSUS, and impacts all operating systems being managed with WSUS.) ## Activation - Windows 10 volume license editions of Windows 10 will continue to support all existing activation methods (KMS, MAK, and AD-based activation). An update will be required for existing KMS servers: | Product | Required update | @@ -104,26 +85,21 @@ Windows 10 volume license editions of Windows 10 will continue to support all | Windows Server 2012 and Windows 8 | [https://support.microsoft.com/kb/3058168](https://go.microsoft.com/fwlink/p/?LinkId=625087) | | Windows Server 2008 R2 and Windows 7 | [https://support.microsoft.com/kb/3079821](https://support.microsoft.com/kb/3079821) | - - Also see: [Windows Server 2016 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2016/10/19/windows-server-2016-volume-activation-tips/) Additionally, new product keys will be needed for all types of volume license activation (KMS, MAK, and AD-based Activation); these keys are available on the Volume Licensing Service Center (VLSC) for customers with rights to the Windows 10 operating system. To find the needed keys: - Sign into the [Volume Licensing Service Center (VLSC)](https://go.microsoft.com/fwlink/p/?LinkId=625088) at with a Microsoft account that has appropriate rights. - - For KMS keys, click **Licenses** and then select **Relationship Summary**. Click the appropriate active license ID, and then select **Product Keys** near the right side of the page. For KMS running on Windows Server, find the **Windows Srv 2012R2 DataCtr/Std KMS for Windows 10** product key; for KMS running on client operating systems, find the **Windows 10** product key. - - For MAK keys, click **Downloads and Keys**, and then filter the list by using **Windows 10** as a product. Click the **Key** link next to an appropriate list entry (for example, **Windows 10 Enterprise** or **Windows 10 Enterprise LTSB**) to view the available MAK keys. (You can also find keys for KMS running on Windows 10 in this list. These keys will not work on Windows servers running KMS.) -Note that Windows 10 Enterprise and Windows 10 Enterprise LTSB installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both. +Note that Windows 10 Enterprise and Windows 10 Enterprise LTSC installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both. ## Related topics - -[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) -
[Windows 10 deployment considerations](windows-10-deployment-considerations.md) -
[Windows 10 compatibility](windows-10-compatibility.md) +[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md)
+[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
+[Windows 10 compatibility](windows-10-compatibility.md)
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md index 1c93c41731..b79a9e0b9d 100644 --- a/windows/deployment/planning/windows-10-removed-features.md +++ b/windows/deployment/planning/windows-10-removed-features.md @@ -27,6 +27,9 @@ The following features and functionalities have been removed from the installed |Feature | Details and mitigation | Removed in version | | ----------- | --------------------- | ------ | +| Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 | +| Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 | +| Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. The apps are removed for non-cellular devices.| 2004 | | PNRP APIs| The Peer Name Resolution Protocol (PNRP) cloud service was removed in Windows 10, version 1809. We are planning to complete the removal process by removing the corresponding APIs. | 1909 | | Taskbar settings roaming | Roaming of taskbar settings is removed in this release. This feature was announced as no longer being developed in Windows 10, version 1903. | 1909 | | Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message. | 1903 | @@ -36,7 +39,7 @@ The following features and functionalities have been removed from the installed |limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| 1809 | |Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| 1809 | |Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 | -|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC or to stream music from OneDrive. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 | +|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 | |People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| 1803 | |Language control in the Control Panel| Use the Settings app to change your language settings.| 1803 | |HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.
When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.
Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | 1803 | diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md index d888468cfe..2a8889f1ab 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md @@ -22,8 +22,8 @@ ms.topic: article - Windows 10 ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. +> [!IMPORTANT] +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. The following list identifies some commonly asked questions about Windows To Go. diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md index 23fefc02cd..c978295e6e 100644 --- a/windows/deployment/planning/windows-to-go-overview.md +++ b/windows/deployment/planning/windows-to-go-overview.md @@ -23,7 +23,7 @@ ms.topic: article - Windows 10 > [!IMPORTANT] -> Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index 3d5adb42f4..bd9b8af4d0 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -1,13 +1,12 @@ --- title: Windows 10 Pro in S mode -description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers? +description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers? keywords: Windows 10 S, S mode, Windows S mode, Windows 10 S mode, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Enterprise in S mode, Windows 10 Pro/Enterprise in S mode ms.mktglfcycl: deploy ms.localizationpriority: medium ms.prod: w10 ms.sitesec: library ms.pagetype: deploy -ms.date: 12/05/2018 ms.reviewer: manager: laurawi ms.audience: itpro @@ -18,33 +17,35 @@ ms.topic: article --- # Windows 10 in S mode - What is it? -S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS. + +S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS.  ## S mode key features + **Microsoft-verified security** -With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware. +With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware. **Performance that lasts** -Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you’ll enjoy a smooth, responsive experience, whether you’re streaming HD video, opening apps, or being productive on the go. +Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you’ll enjoy a smooth, responsive experience, whether you’re streaming HD video, opening apps, or being productive on the go. **Choice and flexibility** -Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below. +Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.  ## Deployment -Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired. +Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](windows-autopilot/windows-autopilot.md). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired. ## Keep line of business apps functioning with Desktop Bridge -Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode. +Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode. ## Repackage Win32 apps into the MSIX format @@ -54,6 +55,6 @@ The [MSIX Packaging Tool](https://docs.microsoft.com/windows/application-managem ## Related links - [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode) -- [S mode devices](https://www.microsoft.com/windows/view-all-devices) +- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices) - [Windows Defender Application Control deployment guide](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) - [Windows Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md new file mode 100644 index 0000000000..da1db27ff2 --- /dev/null +++ b/windows/deployment/update/create-deployment-plan.md @@ -0,0 +1,140 @@ +--- +title: Create a deployment plan +description: Devise the number of deployment rings you need and how you want to populate them +ms.prod: w10 +ms.mktglfcycl: manage +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Create a deployment plan + +A service management mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once this process is used for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity. + +When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices, and we’ve found that ring-based deployment is a methodology that works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades--they are simply a method by which to separate devices into a deployment timeline. + +At the highest level, each “ring” comprise a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur. + +A common ring structure comprises three deployment groups: + +- Preview: Planning and development +- Limited: Pilot and validation +- Broad: Wide deployment + +> [!NOTE] +> Organizations often use different names for their “rings," for example: +> - First > Fast > Broad +> - Canaries > Early Adopters > Users +> - Preview > Broad > Critical + + +## How many rings should I have? + +There are no definite rules for exactly how many rings to have for your deployments. As mentioned previously, you might want to ensure zero downtime for mission-critical devices by putting them in their own ring. If you have a large +organization, you might want to consider assigning devices to rings based on geographic location or the size of rings so that helpdesk resources are more available. Consider the needs of your business and introduce rings that make sense for your organization. + +## Advancing between rings + +There are basically two strategies for moving deployments from one ring to the next. One is service based, the other project based. + +- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the “red button” to stop further distribution. +- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the “green button” to push the content to the next ring. + +When it comes to deployments, having manual steps in the process usually impedes update velocity, so a "red button" strategy is better when that is your goal. + +## Preview ring + +The purpose of the Preview ring is to evaluate the new features of the update. This is specifically *not* for broad parts of the organization but is limited to the people who are responsible for knowing what is coming next, +generally IT administrators. Ultimately, this is the time the design and planning work happens so that when the public update is actually shipped, you can have greater confidence in the update. + +> [!NOTE] +> Being part of the [Windows Insider Program](https://insider.windows.com/for-business/) gives you early access to Windows releases so that you can use Insider Preview builds in your Preview ring to validate your apps and infrastructure, preparing you for public Windows releases. + + +### Who goes in the Preview ring? + +The Preview ring users are the most tech savvy and resilient people, who will not lose productivity if something goes wrong. In general, these are IT pros, and perhaps a few people in the business organization. + +During your plan and prepare phases, these are the activities you should focus on: + +- Work with Windows Insider Preview builds. +- Identify the features and functionality your organization can or wants to use. +- Establish who will use the features and how they will benefit. +- Understand why you are putting the update out. +- Plan for usage feedback. + +Remember, you are working with pre-release software in the Preview ring and you will be evaluating features and testing the update for a targeted release. + +> [!IMPORTANT] +> If you are using Windows Insider (pre-release) releases for your preview ring and you are using WSUS or Windows Update for Business, be sure to set the following policies to allow for Preview builds: +> - **Manage Preview Builds: 2 - Enable preview builds** +> • Under **Branch Readiness Level**, select **When Preview Builds and Feature Updates are Received: 4--Windows Insider Program Slow** + +## Limited ring + +The purpose of the Limited ring is to validate the update on representative devices across the network. During this period, data, and feedback is generated to enable the decision to move forward to broader deployment. Desktop +Analytics can help with defining a good Limited ring of representative devices and assist in monitoring the deployment. + +### Who goes in the Limited ring? + +The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented, and it's important that the people selected for this ring are using their devices regularly in order to generate the data you will need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don’t have the applications or device drivers that are truly a representative sample of your network. + + +During your pilot and validate phases, these are the activities you should focus on: + +- Deploy new innovations. +- Assess and act if issues are encountered. +- Move forward unless blocked. + +When you deploy to the Limited ring, you’ll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring, because your Limited ring represents your organization across the board, and when you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly. + +## Broad deployment + +Once the devices in the Limited ring have had a sufficient stabilization period, it’s time for broad deployment across the network. + +### Who goes in the Broad deployment ring? + +In most businesses, the Broad ring includes the rest of your organization. Because of the work in the previous ring to vet stability and minimize disruption (with diagnostic data to support your decision) broad deployment can occur relatively quickly. + +> [!NOTE] +> In some instances, you might hold back on mission critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows 10 feature +> updates to mission critical devices. + +During the broad deployment phase, these are the activities you should focus on: + +- Deploy to all devices in the organization. +- Work through any final unusual issues that were not detected in your Limited ring. + + +## Ring deployment planning + +Previously, we have provided methods for analyzing your deployments, but these have generally been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We have combined many of these tasks, and more, into a single interface with Desktop Analytics. + + +[Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to +make informed decisions about the readiness of your Windows devices. + +In Windows 10 deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Microsoft Endpoint Manager can help you assess app compatibility with the latest +feature update and create groups that represent the broadest number of hardware and software configurations on the smallest set of devices across your organization. In addition, Desktop Analytics can provide you with a device and software inventory and identify issues, giving you data that equate to actionable decisions. + +> [!IMPORTANT] +> Desktop Analytics does not support preview (Windows Insider) builds; use Configuration Manager to deploy to your Preview ring. As noted previously, the Preview ring is a small group of devices represents your ecosystem very well in terms of app, driver, and hardware diversity. + +### Deployment plan options + +There are two ways to implement a ring deployment plan, depending on how you manage your devices: + +- If you are using Configuration Manager: Desktop Analytics provides end-to-end deployment plan integration so that you can also kick off phased deployments within a ring. Learn more about [deployment plans in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/about-deployment-plans). +- If you are using Microsoft Intune, see [Create deployment plans directly in Intune](https://docs.microsoft.com/mem/intune/fundamentals/planning-guide). + +For more about Desktop Analytics, see these articles: + +- [How to set up Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/set-up) +- [Tutorial: Deploy Windows 10 to Pilot](https://docs.microsoft.com/mem/configmgr/desktop-analytics/tutorial-windows10) +- [Desktop Analytics documentation](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) +- [Intune deployment planning, design, and implementation guide](https://docs.microsoft.com/mem/intune/fundamentals/planning-guide) + diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md new file mode 100644 index 0000000000..202b4531b9 --- /dev/null +++ b/windows/deployment/update/deploy-updates-configmgr.md @@ -0,0 +1,20 @@ +--- +title: Deploy Windows 10 updates with Configuration Manager (Windows 10) +description: Deploy Windows 10 updates with Configuration Manager +ms.prod: w10 +ms.mktglfcycl: manage +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Deploy Windows 10 updates with Configuration Manager + +**Applies to** + +- Windows 10 + +See the Microsoft Endpoint Configuration Manager [documentation](https://docs.microsoft.com/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates. \ No newline at end of file diff --git a/windows/deployment/update/deploy-updates-intune.md b/windows/deployment/update/deploy-updates-intune.md new file mode 100644 index 0000000000..8737d452c6 --- /dev/null +++ b/windows/deployment/update/deploy-updates-intune.md @@ -0,0 +1,20 @@ +--- +title: Deploy updates with Intune +description: Deploy Windows 10 updates with Intune +ms.prod: w10 +ms.mktglfcycl: manage +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Deploy Windows 10 updates with Intune + +**Applies to** + +- Windows 10 + +See the Microsoft Intune [documentation](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure#windows-10-feature-updates) for details about using Intune to deploy and manage Windows 10 updates. \ No newline at end of file diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md new file mode 100644 index 0000000000..af6fe156e8 --- /dev/null +++ b/windows/deployment/update/eval-infra-tools.md @@ -0,0 +1,71 @@ +--- +title: Evaluate infrastructure and tools +ms.reviewer: +manager: laurawi +description: +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Evaluate infrastructure and tools + +Before you deploy an update, it's best to assess your deployment infrastucture (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness. + +## Infrastructure + +Do your deployment tools need updates? + +- If you use Configuration Manager, is it on the Current Branch with the latest release installed. This ensures that it supports the next Windows 10 feature update. Configuration Manager releases are supported for 18 months. +- Using a cloud-based management tool like Microsoft Intune reduces support challenges, since no related products need to be updated. +- If you use a non-Microsoft tool, check with its product support to make sure you're using the current version and that it supports the next Windows 10 feature update. + +Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered while doing so. + +## Device settings + +Make sure your security basline, administrative templates, and policies have the right settings to support your devices once the new Windows 10 update is installed. + +### Security baseline + +Keep security baslines current to help ensure that your environment is secure and that new security feature in the coming Windows 10 update are set properly. + +- **Microsoft security baselines**: You should implement security baselines from Microsoft. They are included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them. +- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows 10 you are about to deploy. + +### Configuration updates + +There are a number of Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. Check these policies to make sure they are set appropriately. + +- **Windows 10 Administrative templates**: Each Windows 10 feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 10, version 1909](https://www.microsoft.com/download/100591). +- **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones. + + +## Define operational readiness criteria + +When you’ve deployed an update, you’ll need to make sure the update isn’t introducing new operational issues. And you’ll also ensure that if incidents arise, the needed documentation and processes are available. To achieve this, work with your operations and support team to define acceptable trends and what documents or processes require updating: + +- **Call trend**: Define what percentage increase in calls relating to Windows 10 feature updates are acceptable or can be supported. +- **Incident trend**: Define what percentage of increase in calls asking for support relating to Windows 10 feature updates are acceptable or can be supported. +- **Support documentation**: Review supporting documentation that requires an update to support new infrastructure tooling or configuration as part of the Windows 10 feature update. +- **Process changes:** Define and update any processes that will change as a result of the Windows 10 feature update. + +Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get get this information so you can gain the right insight. + +## Tasks + +Finally, you can begin to carry out the work needed to ensure your infrastructure and configuration can support the update. To help you keep track, you can classify the work into the following overarching tasks: + +- **Review infrastructure requirements**: Go over the details of requirements to support the update, and ensure they’ve all been defined. +- **Validate infrastructure against requirements**: Compare your infrastructure against the requirements that have been identified for the update. +- **Define infrastructure update plan**: Detail how your infrastructure must change to support the update. +- **Review current support volume**: Understand the current support volume to understand how much of an effect the update has when it’s been deployed. +- **Identify gaps that require attention**: Identify issues that will need to be addressed to successfully deploy the update. For example, will your infrastructure engineer have to research how a new feature that comes with the update might affect the infrastructure? +- **Define operational update plan**: Detail how your operational services and processes must change to support the update. diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md new file mode 100644 index 0000000000..82a5957f04 --- /dev/null +++ b/windows/deployment/update/get-started-updates-channels-tools.md @@ -0,0 +1,107 @@ +--- +title: Windows 10 updates, channels, and tools +description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows 10 updates, channels, and tools + +## How Windows updates work + +There are four phases to the Windows update process: + +- **Scan:** A device checks the Microsoft Update server, Windows Update service, or your Windows Server Update Services (WSUS) endpoint at random intervals to see if any updates have been added since the last time updates were searched, and then evaluates whether the update is appropriate by checking the policies that have been set up by the +administrator. This process is invisible to the user. +- **Download:** Once the device determines that an update is available, it begins downloading the update. The download process is also invisible to the user. With feature updates, download happens in multiple +sequential phases. +- **Install:** After the update is downloaded, depending on the device’s Windows Update settings, the update is installed on the system. +- **Commit and restart:** Once installed, the device usually (but not always) must be restarted in order to complete the installation and begin using the update. Before that happens, a device is still running the previous +version of the software. + +## Types of updates + +We include information here about a number of different update types you'll hear about, but the two overarching types which you have the most direct control over are *feature updates* and *quality updates*. + +- **Feature updates:** Released twice per year, around March and September. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. +- **Quality updates:** Quality updates deliver both security and non-security fixes to Windows 10. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously. +- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md). +- **Driver updates**: These are updates to drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not. +- **Microsoft product updates:** These are updates for other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools. + + + +## Servicing channels + +Windows 10 offers three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows 10 "as a service" which conceives of deployment as a continual process of updates which roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. + +The first step of controlling when and how devices install updates is assigning them to the appropriate servicing channel. You can assign devices to a particular channel with any of several tools, including Microsoft Endpoint Configuration Manager, Windows Server Update Services (WSUS), and Group Policy settings applied by any of several means. By dividing devices into different populations ("deployment groups" or "rings") you can use servicing channel assignment, followed by other management features such as update deferral policies, to create a phased deployment of any update that allows you to start with a limited pilot deployment for testing before moving to a broad deployment throughout your organization. + + +### Semi-annual Channel + +In the Semi-annual Channel, feature updates are available as soon as Microsoft releases them, twice per year. As long as a device isn't set to defer feature updates, any device using the Semi-annual Channel will install a feature update as soon as it's released. If you use Windows Update for Business, the Semi-annual Channel provides three months of additional total deployment time before being required to update to the next release.{IS THIS STILL TRUE?} + +> [!NOTE] +> All releases of Windows 10 have **18 months of servicing for all editions**--these updates provide security and feature updates for the release. However, fall releases of the **Enterprise and Education editions** will have an **additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release**. This extended servicing window applies to Enterprise and Education editions starting with Windows 10, version 1607. + +### Windows Insider Program for Business + +Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are actually three options within the Windows Insider Program for Business channel: + +- Windows Insider Fast +- Windows Insider Slow +- Windows Insider Release Preview + +We recommend that you use the Windows Insider Release Preview channel for validation activities. + + +### Long-term Servicing Channel + +The **Long Term Servicing Channel** is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years. LTSB releases service a special LTSB edition of Windows 10 and are only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). + +The Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition. + + +| Windows 10 edition | Semi-Annual Channel | Insider Program | Long-Term Servicing Channel | +| --- | --- | --- | --- | +| Home | | | | +| Pro |  |  | | +| Enterprise |  | | | +| Enterprise LTSB |  | | | +| Pro Education |  |  | | +| Education |  |  | | + +## Servicing tools + +### Tools for on-premises update delivery + +Windows Server Update Services (WSUS): you set up a WSUS server, which downloads updates in bulk from Microsoft. Your individual devices then connect to your server to install their updates from there. + +You can set up, control, and manage the server and update process with a number of tools: + +- A standalone Windows Server Update Services server operated directly +- [Configuration Manager](deploy-updates-configmgr.md) +- Non-Microsoft tools + +For more information, see [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). + +### Tools for cloud-based update delivery + +Your individual devices connect to Microsoft endpoints directly to get the updates. The details of this process (how often devices download updates of various kinds, from which channels, deferrals, and details of the users' experience of installation) are set on devices either with Group Policy or MDM policies, which you can control with any of a number of tools: + +- [Group Policy Management Console](waas-wufb-group-policy.md) (Gpmc.msc) +- [Microsoft Intune](waas-wufb-intune.md) +- Non-Microsoft MDM tools + +### Hybrid scenarios + +It is also possible to combine WSUS-based on-premises update distribution with cloud-based update delivery. + diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index 7284fecba7..e427a2f861 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -80,7 +80,7 @@ Windows Update takes the following sets of actions when it runs a scan. #### Starts the scan for updates When users start scanning in Windows Update through the Settings panel, the following occurs: -- The scan first generates a “ComApi” message. The caller (Windows Defender Antivirus) tells the WU engine to scan for updates. +- The scan first generates a “ComApi” message. The caller (Microsoft Defender Antivirus) tells the WU engine to scan for updates. - "Agent" messages: queueing the scan, then actually starting the work: - Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers. - Windows Update uses the thread ID filtering to concentrate on one particular task. diff --git a/windows/deployment/update/images/DO-absolute-bandwidth.png b/windows/deployment/update/images/DO-absolute-bandwidth.png new file mode 100644 index 0000000000..a13d5393e6 Binary files /dev/null and b/windows/deployment/update/images/DO-absolute-bandwidth.png differ diff --git a/windows/deployment/update/images/annual-calendar.png b/windows/deployment/update/images/annual-calendar.png new file mode 100644 index 0000000000..1ff15bed76 Binary files /dev/null and b/windows/deployment/update/images/annual-calendar.png differ diff --git a/windows/deployment/update/images/rapid-calendar.png b/windows/deployment/update/images/rapid-calendar.png new file mode 100644 index 0000000000..35aec71626 Binary files /dev/null and b/windows/deployment/update/images/rapid-calendar.png differ diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index c981469bef..8af36e4df1 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -42,7 +42,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https  -The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the s. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in bold the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results. +The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in bold the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results. |To find this Dynamic Update packages, search for or check the results here--> |Title |Product |Description (select the **Title** link to see **Details**) | diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md new file mode 100644 index 0000000000..a2ff53df19 --- /dev/null +++ b/windows/deployment/update/plan-define-readiness.md @@ -0,0 +1,115 @@ +--- +title: Define readiness criteria +ms.reviewer: +manager: laurawi +description: Identify important roles and figure out how to classify apps +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Define readiness criteria + +## Figure out roles and personnel + +Planning and managing a deployment involves a variety of distinct activies and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment. + +### Process manager + +The process manager leads the update deployment process and has the authority to push the process forward--or halt it if necessary. They also have responsibilities in organizing these activities: + + +|Compatibility workstream |Deployment |Capability and modernization | +|---------|---------|---------| +|[Assigning application priority](#set-criteria-for-rating-apps) | Reviewing infrastructure requirements | Determining infrastructure changes | +|Application assessment | Validating infrastructure against requirements | Determining configuration changes | +|Device assessment | Creating infrastructure update plan | Create capability proposal | + +It's the process manager's role to collect reports on remediation efforts, escalate failures, and to decide whether your environment is ready for pilot deployment and then broad deployment. + + +This table sketches out one view of the other roles, with their responsibilities, relevant skills, and the deployment phases where they are needed: + + +|Role |Responsibilities |Skills |Active phases | +|---------|---------|---------|---------| +|Process manager | Manages the process end to end; ensures inputs and outputs are captures; ensures that activities progress | IT service management | Plan, prepare, pilot deployment, broad deployment | +|Application owner | Define application test plan; assign user acceptance testers; certify the application | Knowledge of critical and important applications | Plan, prepare, pilot deployment | +|Application developer | Ensure apps are developed to stay compatible with current Windows versions | Application development; application remediation | Plan, prepare | +|End-user computing | Typically a group including infrastructure engineers or deployment engineers who ensure upgrade tools are compatible with Windows | Bare-metal deployment; infrastructure management; application delivery; update management | Plan, prepare, pilot deployment, broad deployment | +|Operations | Ensure that support is available for current Windows version. Provide post-deployment support, including user communication and rollbacks. | Platform security | Prepare, pilot deployment, broad deployment | +|Security | Review and approve the security baseline and tools | Platform security | Prepare, pilot deployment | +|Stakeholders | Represent groups affected by updates, for example, heads of finance, end-user services, or change management | Key decision maker for a business unit or department | Plan, pilot deployment, broad deployment | + + + + + + +## Set criteria for rating apps + +Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but aren’t critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This will help you understand how best to deploy updates and how to resolve any issues that could arise. + +In the Prepare phase, you'll apply the criteria you define now to every app in your organization. + +Here's a suggested classification scheme: + + +|Classification |Definition| +|---------|---------| +|Critical | The most vital applications that handle core business activities and processes. If these applications were not available, the business, or a business unit, couldn't function at all. | +|Important | Applications that individual staff members need to support their productivity. Downtime here would affect individual users, but would only have a minimal impact on the business. | +|Not important | There is no impact on the business if these apps are not available for a while. | + +Once you have classified your applications, you should agree what each classification means to the organization in terms of priority and severity. This will help ensure that you can triage problems with the right level of urgency. You should assign each app a time-based priority. + +Here's an example priority rating system; of course the specifics could vary for your organization: + + +|Priority |Definition | +|---------|---------| +|1 | Any issues or risks identified must be investigated and resolved as soon as possible. | +|2 | Start investigating risks and issues within two business days and fix them *during* the current deployment cycle. | +|3 | Start investigating risks and issues within 10 business days. You don’t have to fix them all within the current deployment cycle. However, all issues must be fixed by the end of the next deployment cycle. | +|4 | Start investigating risks and issues within 20 business days. You can fix them in the current or any future development cycle. | + +Related to priority, but distinct, is the concept of severity. You should define a severity ranking as well, based on how you feel a problem with an app should affect the deployment cycle. + +Here's an example: + + +|Severity |Effect | +|---------|---------| +|1 | Work stoppage or loss of revenue | +|2 | Productivity loss for a business unit | +|3 | Productivity loss for individual users | +|4 | Minimal impact on users | + +## Example: a large financial corporation + +Using the suggested scheme, a financial corporation might classify their apps like this: + + +|App |Classification | +|---------|---------| +|Credit processing app | Critical | +|Frontline customer service app | Critical | +|PDF viewer | Important | +|Image processing app | Not important | + +Further, they might combine this classification with severity and priority rankings like this: + + +|Classification |Severity |Priority |Response | +|---------|---------|---------|---------| +|Critical | 1 or 2 | 1 or 2 | For 1, stop deployment until resolved; for 2, stop deployment for affected devices or users only. | +|Important | 3 or 4 | 3 or 4 | For 3, continue deployment, even for affected devices, as long as there is workaround guidance. | +|Not important | 4 | 4 | Continue deployment for all devices. | + diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md new file mode 100644 index 0000000000..b7e1707a7d --- /dev/null +++ b/windows/deployment/update/plan-determine-app-readiness.md @@ -0,0 +1,76 @@ +--- +title: Determine application readiness +ms.reviewer: +manager: laurawi +description: How to test your apps to know which need attention prior to deploying an update +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Determine application readiness + +Before you deploy a Windows 10 update, you should know which apps will continue to work without problems, which need their own updates, and which just won't work and must be replaced. If you haven't already, it's worth [classifying your apps] with respect to their criticality in your organization. + +## Validation methods + +You can choose from a variety of methods to validate apps. Exactly which ones to use will depend on the specifics of your environment. + + +|Validation method |Description | +|---------|---------| +|Full regression | A full quality assurance probing. Staff who know the application very well and can validate its core functionality should do this. | +|Smoke testing | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application they’re validating. | +|Automated testing | Software performs tests automatically. The software will let you know whether the tests have passed or failed, and will provide detailed reporting for you automatically. | +|Test in pilot | You pre-select users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types. | +|Reactive response | Applications are validated in late pilot, and no specific users are selected. These are normally applications aren't installed on many devices and aren’t handled by enterprise application distribution. | + +Combining the various validation methods with the app classifications you've previously established might look like this: + + +|Validation method |Critical apps |Important apps |Not important apps | +|---------|---------|---------|---------| +|Full regression | x | | | +|Smoke testing | | x | | +|Automated testing | x | x | x | +|Test in pilot | x | x | x | + + +### Identify users + +Since your organization no doubt has a wide variety of users, each with different background and regular tasks, you'll have to choose which users are best suited for validation testing. Some factors to consider include: + +- **Location**: If users are in different physical locations, can you support them and get validation feedback from the region they're in? +- **Application knowledge**: Do the users have appropriate knowledge of how the app is supposed to work? +- **Technical ability**: Do the users have enough technical competence to provide useful feedback from various test scenarios? + +You could seek volunteers who enjoy working with new features and include them in the pilot deployment. You might want to avoid using core users like department heads or project managers. Current application owners, operations personnel, and developers can help you identify the most appropriate pilot users. + +### Identify and set up devices for validation + +In addition to users, it's important to carefully choose devices to participate in app validation as well. For example, ideally, your selection will include devices representing all of the hardware models in your environment. + +There is more than one way to choose devices for app validation: + +- **Existing pilot devices**: You might already have a list of devices that you regularly use for testing updates as part of release cycles. +- **Manual selection**: Some internal groups like operations will have expertise to help choose devices manually based on specifications, usage, or records of past support problems. +- **Data-driven analysis**: With appropriate tools, you can use diagnostic data from devices to inform your choices. + + +### Desktop Analytics + +Desktop Analytics can make all of the tasks discussed in this article significantly easier: + +- Creating and maintaining an application and device inventory +- Assign owners to applications for testing +- Automatically apply your app classifications (critical, important, not important) +- Automatically identify application compatibility risks and provide recommendations for reducing those risks + +For more information, see [What is Desktop Analytics?](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md new file mode 100644 index 0000000000..76cbb5eea0 --- /dev/null +++ b/windows/deployment/update/prepare-deploy-windows.md @@ -0,0 +1,158 @@ +--- +title: Prepare to deploy Windows +description: +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Prepare to deploy Windows + +Having worked through the activities in the planning phase, you should be in a good position to prepare your environment and process to deploy Windows 10. The planning phase will have left you with these useful items: + +- A clear understanding of necessary personnel and their roles and criteria for [rating app readiness](plan-define-readiness.md) +- A plan for [testing and validating](plan-determine-app-readiness.md) apps +- An assessment of your [deployment infrastructure](eval-infra-tools.md) and definitions for operational readiness +- A [deployment plan](create-deployment-plan.md) that defines the rings you want to use + +Now you're ready to actually start making changes in your environment to get ready to deploy. + +## Prepare infrastructure and environment + +- Deploy site server updates for Configuration Manager. +- Update non-Microsoft security tools like security agents or servers. +- Update non-Microsoft management tools like data loss prevention agents. + +Your infrastructure probably includes many different components and tools. You’ll need to ensure your environment isn’t affected by issues due to the changes you make to the various parts of the infrastructure. Follow these steps: + +1. Review all of the infrastructure changes that you’ve identified in your plan. It’s important to understand the changes that need to be made and to detail how to implement them. This prevents problems later on. +2. Validate your changes. You’ll validate the changes for your infrastructure’s components and tools, to help you understand how your changes could affect your production environment. +3. Implement the changes. Once the changes have been validated, you can implement the changes across the wider infrastructure. + + +You should also look at your organization’s environment’s configuration and outline how you’ll implement any necessary changes previously identified in the plan phase to support the update. Consider what you’ll need to do for the various settings and policies that currently underpin the environment. For example: + +- Implement new draft security guidance. New versions of Windows can include new features that improve your environment’s security. Your security teams will want to make appropriate changes to security related configurations. +- Update security baselines. Security teams understand the relevant security baselines and will have to work to make sure all baselines fit into whatever guidance they have to adhere to. +However, your configuration will consist of many different settings and policies. It’s important to only apply changes where they are necessary, and where you gain a clear improvement. Otherwise, your environment might face issues that will slow down the update process. You want to ensure your environment isn’t affected adversely because of changes you make. For example: + +1. Review new security settings. Your security team will review the new security settings, to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment. +2. Review security baselines for changes. Security teams will also review all the necessary security baselines, to ensure the changes can be implemented, and ensure your environment remains compliant. +3. Implement and validate security settings and baseline changes. Your security teams will then implement all of the security settings and baselines, having addressed any potential outstanding issues. + + +## Prepare applications and devices + +You've previously decided on which validation methods you want to use to validate apps in the upcoming pilot deployment phase. Now is a good time to make sure that individual devices are ready and able to install the next update without difficulty. + +### Ensure updates are available + +Enable update services on devices. Ensure that every device is running all the services Windows Update relies on. Sometimes users or even malware can disable the services Windows Update requires to work correctly. Make sure the following services are running: + +- Background Intelligent Transfer Service +- Background Tasks Infrastructure Service +- BranchCache (if you use this feature for update deployment) +- ConfigMgr Task Sequence Agent (if you use Configuration Manager to deploy updates) +- Cryptographic Services +- DCOM Server Process Launcher +- Device Install +- Delivery Optimization +- Device Setup Manager +- License Manager +- Microsoft Account Sign-in Assistant +- Microsoft Software Shadow Copy Provider +- Remote Procedure Call (RPC) +- Remote Procedure Call (RPC) Locator +- RPC Endpoint Mapper +- Service Control Manager +- Task Scheduler +- Token Broker +- Update Orchestrator Service +- Volume Shadow Copy Service +- Windows Automatic Update Service +- Windows Backup +- Windows Defender Firewall +- Windows Management Instrumentation +- Windows Management Service +- Windows Module Installer +- Windows Push Notification +- Windows Security Center Service +- Windows Time Service +- Windows Update +- Windows Update Medic Service + +You can check these services manually by using Services.msc, or by using PowerShell scripts, Desktop Analytics, or other methods. + +### Network configuration + +Ensure that devices can reach necessary Windows Update endpoints through the firewall. + +### Optimize download bandwidth +Set up [Delivery Optimization](waas-delivery-optimization.md) for peer network sharing or Microsoft Connected Cache. + +### Address unhealthy devices + +In the course of surveying your device population, either with Desktop Analytics or by some other means, you might find devices that have systemic problems that could interfere with update installation. Now is the time to fix those problems. + +- **Low disk space:** Quality updates require a minimum of two GB to successfully install. Feature updates require between 8 and 15 GB depending upon the configuration. On Windows 10, version 1903 and later you can proactively use the "reserved storage" feature (for wipe and loads, rebuilds, and new builds) to avoid running out of disk space. If you find a group of devices that don't have enough disk space, you can often resolve this by cleaning up log files and asking users to clean up data if necessary. A good place to start is to delete the following files: +- C:\Windows\temp +- C:\Windows\cbstemp (though this file might be necessary to investigate update failures) +- C:\Windows\WindowsUpdate.log (though this file might be necessary to investigate update failures) +- C:\Windows.Old (these files should automatically clean up after 10 days or might ask the device user for permission to clean up sooner when constrained for disk space) + +You can also create and run scripts to perform additional cleanup actions on devices, with administrative rights, or use Group Policy settings. + +- Clean up the Windows Store Cache by running C:\Windows\sytem32\wsreset.exe +- Optimize the WinSxS folder on the client machine by using **Dism.exe /online /Cleanup-Image /StartComponentCleanup** +- Compact the operating system by running **Compact.exe /CompactOS:always** +- Remove Windows Features on Demand that the user doesn't need. See [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) for more guidance. +- Move Windows Known Folders to OneDrive. See [Use Group Policy to control OneDrive sync settings](https://docs.microsoft.com/onedrive/use-group-policy) for more information. +- Clean up the Software Distribution folder. Try deploying these commands as a batch file to run on devices to reset the download state of Windows Updates: + +``` +net stop wuauserv +net stop cryptSvc +net stop bits +net stop msiserver +ren C:\Windows\SoftwareDistribution C:\Windows\SoftwareDistribution.old +net start wuauserv +net start cryptSvc +net start bits +net start msiserver +``` + +- **Application and driver updates:** Out-of-date app or driver software can prevent devices from updating successfully. Desktop Analytics will help you identify drivers and applications that need attention. You can also +check for known issues in order to take any appropriate action. Deploy any updates from the vendor(s) for any problematic application or driver versions to resolve issues. +- **Corruption:** In rare circumstances, a device that has repeated installation errors might be corrupted in a way that prevents the system from applying a new update. You might have to repair the Component Based Store from another source. You can do this with the [System File Checker](https://support.microsoft.com/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system). + + + + + +## Prepare capability + +In the plan phase, you determined the specific infrastructure and configuration changes that needed to be implemented to add new capabilities to the environment. Now you can move on to implementing those changes defined in the plan phase. You'll need to complete these higher-level tasks to gain those new capabilities: + +- Enable capabilities across the environment by implementing the changes. For example, implement updates to relevant ADMX templates in Active Directory. New Windows versions will come with new policies that you use to update ADMX templates. +- Validate new changes to understand how they affect the wider environment. +- Remediate any potential problems that have been identified through validation. + +## Prepare users + +Users often feel like they are forced into updating their devices randomly. They often don't fully understand why an update is needed, and they don't know when updates would be applied to their devices ahead of time. It's best to ensure that upcoming updates are communicated clearly and with adequate warning. + +You can employ a variety of measures to achieve this, for example: + +- Send overview email about the update and how it will be deployed to the entire organization. +- Send personalized emails to users about the update with specific details. +- Set an opt-out deadline for employees that need to remain on the current version for a bit longer, due to a business need. +- Provide the ability to voluntarily update at users’ convenience. +- Inform users of a mandatory installation date when the update will be installed on all devices. + + diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 55e6f693d9..311272e93b 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -1,5 +1,5 @@ --- -title: Monitor Windows Updates and Windows Defender AV with Update Compliance (Windows 10) +title: Monitor Windows Updates and Microsoft Defender AV with Update Compliance (Windows 10) ms.reviewer: manager: laurawi description: You can use Update Compliance in Azure Portal to monitor the progress of updates and key antimalware protection features on devices in your network. @@ -18,8 +18,8 @@ ms.topic: article # Monitor Windows Updates with Update Compliance > [!IMPORTANT] -> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. Two planned feature removals for Update Compliance – Windows Defender Antivirus reporting and Perspectives – are now scheduled to be removed beginning Monday, May 11, 2020. -> * The retirement of Windows Defender Antivirus reporting will begin Monday, May 11, 2020. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). +> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. Two planned feature removals for Update Compliance – Microsoft Defender Antivirus reporting and Perspectives – are now scheduled to be removed beginning Monday, May 11, 2020. +> * The retirement of Microsoft Defender Antivirus reporting will begin Monday, May 11, 2020. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). > * The Perspectives feature of Update Compliance will be retired Monday, May 11, 2020. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. ## Introduction diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md index b3a4ca35a7..f17250eec3 100644 --- a/windows/deployment/update/update-compliance-need-attention.md +++ b/windows/deployment/update/update-compliance-need-attention.md @@ -35,7 +35,7 @@ The different issues are broken down by Device Issues and Update Issues: * **Cancelled**: This issue occurs when a user cancels the update process. * **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version. * **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention. -* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days. +* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 7 days. Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue. diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 47ea2040ed..b61cef1778 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -17,7 +17,7 @@ ms.topic: article # Use Update Compliance -In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Windows Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md). +In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Microsoft Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md). Update Compliance: @@ -50,7 +50,7 @@ When you select this tile, you will be redirected to the Update Compliance works Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: * Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10. * Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. -* AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Windows Defender Antivirus. +* AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Microsoft Defender Antivirus. The blade also provides the time at which your Update Compliance workspace was [refreshed](#update-compliance-data-latency). diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md new file mode 100644 index 0000000000..dbf94c9677 --- /dev/null +++ b/windows/deployment/update/update-policies.md @@ -0,0 +1,204 @@ +--- +title: Policies for update compliance, activity, and end-user experience +ms.reviewer: +manager: laurawi +description: +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Policies for update compliance, activity, and end-user experience +Keeping devices up to date is the best way to keep them working smoothly and securely. + +## Deadlines for update compliance + +You can control how strictly devices must reliably keep to your desired update schedule by using update deadline policies. Windows components adapt based on these deadlines. Also, they can make tradeoffs between user experience and velocity in order to meet your desired update deadlines. For example, they can prioritize user experience well before the +deadline approaches, and then prioritize velocity as the deadline nears, while still affording the user some control. + +### Deadlines + +Beginning with Windows 10, version 1903 and with the August 2019 security update for Windows 10, version 1709 +and late, a new policy was introduced to replace older deadline-like policies: **Specify deadlines for automatic updates and restarts**. + +The older policies started enforcing deadlines once the device reached a “restart pending” state for +an update. The new policy starts the countdown for the update installation deadline from when the +update is published plus any deferral. In addition, this policy includes a configurable grace period and the option +to opt out of automatic restarts until the deadline is reached (although we recommend always allowing automatic +restarts for maximum update velocity). + +> [!IMPORTANT] +> If you use the new **Specify deadlines for automatic updates and restarts** setting in Windows 10, +> version 1903, you must disable the [older deadline policies](wufb-compliancedeadlines.md#prior-to-windows-10-version-1709) because they could conflict. + +We recommend you set deadlines as follows: +- Quality update deadline, in days: 3 +- Feature update deadline, in days: 7 +- +Notifications are automatically presented to the user at appropriate times, and users can choose to be reminded +later, to reschedule, or to restart immediately, depending on how close the deadline is. We recommend that you +do **not** set any notification policies, because they are automatically configured with appropriate defaults. An exception is if you +have kiosks or digital signage. + +While three days for quality updates and seven days for feature updates is our recommendation, you might decide +you want more or less, depending on your organization and its requirements, and this policy is configurable down +to a minimum of two days. + + +> [!IMPORTANT] +> If the device is unable to reach the Internet, it can't determine when Microsoft +> published the update, so it won't be able to enforce the deadline. Learn more about [low activity devices](#device-activity-policies). + +### Grace periods + +You can set a period of days for Windows to find a minimally disruptive automatic restart time before the restart is enforced. This +is especially useful in cases where a user has been away for many days (for example, on vacation) so that the device will not +be forced to update immediately when the user returns. + +We recommend you set the following: + +- Grace period, in days: 2 + +Once the deadline and grace period have passed, updates are applied automatically, and a restart occurs +regardless of [active hours](#active-hours). + + +### Let Windows choose when to restart + +Windows can use user interactions to dynamically identify the least disruptive time for an +automatic restart. To take advantage of this feature, ensure **ConfigureDeadlineNoAutoReboot** is set to +**Disabled**. + +## Device activity policies + +Windows typically requires that a device is active and connected to the internet for at least six hours, with at least two +of continuous activity, in order to successfully complete a system update. The device could have other +physical circumstances that prevent successful installation of an update--for example, if a laptop is running low +on battery power, or the user has shut down the device before active hours end and the device cannot comply +with the deadline. + +You can use the settings in this section to ensure that devices are actually available to install updates during the update compliance period. + +### Active hours + +"Active hours" identify the period of time when a device is expected to be in use. Normally, restarts will occur outside of +these hours. Windows 10, version 1903 introduced "intelligent active hours," which allow the system to learn active hours based on a user’s activities, rather than you as an administrator having to make decisions for your organization or allowing the user to choose active hours that minimize the period when the system can install an update. + +> [!IMPORTANT] +> If you used the **Configure Active Hours** setting in previous versions of Windows 10, these +options must be **Disabled** in order to take advantage of intelligent active hours. + +If you do set active hours, we recommend setting the following policies to **Disabled** in order to increase update +velocity: + +- [Delay automatic reboot](waas-restart.md#delay-automatic-reboot). While it’s possible to set the system to delay restarts for users who are logged +in, this might delay an update indefinitely if a user is always either logged in or shut down. Instead, we +recommend setting the following polices to **Disabled**: + - **Turn off auto-restart during active hours** + - **No auto-restart with logged on users for scheduled automatic updates** + + - [Limit restart delays](waas-restart.md#limit-restart-delays). By using compliance deadlines, your users will receive notifications that +updates will occur, so we recommend that you set this policy to **Disabled**, to allow compliance deadlines to eliminate the user’s ability to delay a restart outside of compliance deadline settings. + +- **Do not allow users to approve updates and reboots**. Letting users approve or engage with the update process outside of the deadline policies decreases update velocity and increases risk. These policies should be set to **Disabled**: + - [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) + - [Update/EngagedRestartDeadline](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartdeadline) + - [Update/EngagedRestartDeadlineForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartdeadlineforfeatureupdates) + - [Update/EngagedRestartSnoozeSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartsnoozeschedule) + - [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartsnoozescheduleforfeatureupdates) + - [Update/EngagedRestartTransitionSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestarttransitionschedule) + +- [Configure automatic update](waas-wu-settings.md#configure-automatic-updates). By properly setting policies to configure automatic updates, you can increase update velocity by having clients contact a Windows Server Update Services (WSUS) server so it can manage them. We recommend that you set this policy to **Disabled**. However, if you need to provide values, ensure that you set downloads to install automatically by setting the [Group Policy](waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) to **4**. If you’re using Microsoft Intune, setting the value to [Reset to Default](https://docs.microsoft.com/mem/intune/protect/windows-update-settings#user-experience-settings). +- **Allow auto Windows Update to download over metered networks**. Since more and more devices primarily use cellular data and do not have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting does not allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they are connected to the internet or not, provided they have cellular service. + +> [!IMPORTANT] +> Older versions of Windows don't support intelligent active hours. If your device runs a version of Windows prior to Windows 10, version 1903, we recommend setting the following policies: +>- [Configure active hours](waas-restart.md#configure-active-hours). Starting with Windows 10, version 1703, you can specify a maximum active-hour range which is counted from the active hours start time. We recommend setting +this value to **10**. +>- [Schedule update installation](waas-restart.md#schedule-update-installation). In the **Configure Automatic Updates** settings, there are two ways to control a forced restart after a specified installation time. If you use **schedule update installation**, do not enable both settings because they will most likely conflict. +> - **Specify automatic maintenance time**. This setting lets you set broader maintenance windows for updates and ensures that this schedule does not conflict with active hours. We +recommend setting this value to **3** (corresponding to 3 AM). If 3:00 AM is in the middle of the work shift, pick another time that is at least a couple hours before your scheduled work time begins. +> - **Schedule the install time**. This setting allows you to schedule an installation time for a restart. We do *not* recommend you set this to **Disabled** as it could conflict with active hours. + +### Power policies + +Devices must actually be available during non-active hours in order to an update. They can't do this if power policies prevent them from waking up. In our organization, we strive to set a balance between security and eco-friendly configurations. We recommend the following settings to achieve what we feel are the appropriate tradeoffs: + +To a user, a device is either on or off, but for Windows, there are states that will allow an update to occur (active) and states that do not (inactive). Some states are considered active (sleep), but the user may think the device is off. Also, there are power statuses (plugged in/battery) that Windows checks before starting an update. + +You can override the default settings and prevent users from changing them in order to ensure that devices are available for updates during non-active hours. + +> [!NOTE] +> One way to ensure that devices can install updates when you need them to is to educate your users to keep devices plugged in during non-active hours. Even with the best policies, a device that isn't plugged in will not be updated, even in sleep mode. + +We recommend these power management settings: + +- Sleep mode (S1 or S0 Low Power Idle or [Modern Standby](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby)). When a device is in sleep mode, the system +appears to be off but if an update is available, it can wake the device up in order to take an update. The +power consumption in sleep mode is between working (system fully usable) and hibernate (S4 - lowest +power level before shutdown). When a device is not being used, the system will generally move to sleep +mode before it goes to hibernate. Issues in velocity arise when the time between sleep and hibernate is +too short and Windows does not have time to complete an update. Sleep mode is an important setting +because the system can wake the system from sleep in order to start the update process, as long as there +is enough power. + +Set the following policies to **Enable** or **Do Not Configure** in order to allow the device to use sleep mode: +- [Power/AllowStandbyStatesWhenSleepingOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-allowstandbystateswhensleepingonbattery) +- [Power/AllowStandbyWhenSleepingPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactionpluggedin) + +Set the following policies to **1 (Sleep)** so that when a user closes the lid of a device, the system goes to +sleep mode and the device has an opportunity to take an update: +- [Power/SelectLidCloseActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactiononbattery) +- [Power/SelectLidCloseActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactionpluggedin) + +- **Hibernate**. When a device is hibernating, power consumption is very low and the system cannot wake up +without user intervention, like pressing the power button. If a device is in this state, it cannot be updated +unless it supports an ACPI Time and Alarm Device (TAD). That said, if a device supporting Traditional Sleep +(S3) is plugged in, and a Windows update is available, a hibernate state will be delayed until the update is complete. + +> [!NOTE] +> This does not apply to devices that support Modern Standby (S0 Low Power Idle). You can check which system sleep state (S3 or S0 Low Power Idle) a device supports by running `powercfg /a` at a command prompt. For more, see [Powercfg options](https://docs.microsoft.com/windows-hardware/design/device-experiences/powercfg-command-line-options#option_availablesleepstates). + +The default timeout on devices that support traditional sleep is set to three hours. We recommend that you do not reduce these policies in order to allow Windows Update the opportunity to restart the device before sending it into hibernation: + +- [Power/HibernateTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutonbattery) +- [Power/HibernateTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutpluggedin) + +## Old or conflicting policies + +Each release of Windows 10 can introduce new policies to make the experience better for both administrators and their organizations. When we release a new client policy, we either release it purely for that release and later or we backport the policy to make it available on earlier versions. + +> [!IMPORTANT] +> If you are using Group Policy, note that we don't update the old ADMX templates and you must use the newer (1903) ADMX template in order to use the newer policy. Also, if you are +> using an MDM tool (Microsoft or non-Microsoft), you can't use the new policy until it's available in the tool interface. + +As administrators, you have set up and expect certain behaviors, so we expressly do not remove older policies since they were set up for your particular use cases. However, if you set a new policy without disabling a similar older policy, you could have conflicting behavior and updates might not perform as expected. + +> [!IMPORTANT] +> We sometimes find that administrators set devices to get both Group Policy settings and MDM settings from an MDM server such as Microsoft Intune. Policy conflicts are handled differently, depending on how they are ultimately set up: +> - Windows updates: Group Policy settings take precedence over MDM. +> - Microsoft Intune: If you set different values for the same policy on two different groups, you will +> receive an alert and neither policy will be set until the conflict is resolved. +> It is crucial that you disable conflicting policies in order for devices in your organization to take updates as +> expected. For example, if a device is not reacting to your MDM policy changes, check to see if a similar +> policy is set in Group Policy with a differing value. +> If you find that update velocity is not as high as you expect or if some devices are slower than others, it might be +> time to clear all polices and settings and specify only the recommended update policies. See the Policy and settings reference for a consolidated list of recommended polices. + +The following are policies that you might want to disable because they could decrease update velocity or there are better policies to use that might conflict: +- **Defer Feature Updates Period in Days**. For maximum update velocity, it's best to set this to **0** (no +deferral) so that the feature update can complete and monthly security updates will be offered again. Even if there is an urgent quality update that must be quickly deployed, it is best to use **Pause Feature +Updates** rather than setting a deferral policy. You can choose a longer period if you don't want to stay up to date with the latest feature update. +- **Defer Quality Updates Period in Days**. To minimize risk and maximize update velocity, the maximum time you might want to consider while evaluating the update with a different ring of devices is two to three days. +- **Pause Feature Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution. +- **Pause Quality Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution. +- **Deadline No Auto Reboot**. Default is **Disabled – Set to 0** . We recommend that devices automatically try to restart when an update is received. Windows uses user interactions to dynamically identify the least disruptive time to restart. + +There are additional policies are no longer supported or have been superseded. diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 0c96d3ba90..d25d48f473 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -99,9 +99,9 @@ In cases where the pause policy is first applied after the configured start date | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates**1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate | +| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates**1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartTime | | GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | -| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate | +| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime | | MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | You can check the date that Feature Updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. @@ -223,10 +223,10 @@ The following are quick-reference tables of the supported policy values for Wind | BranchReadinessLevel | REG_DWORD | 2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709) 4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709) 8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709) 16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-annual Channel 32: systems take Feature Updates from Semi-annual Channel Note: Other value or absent: receive all applicable updates | | DeferQualityUpdates | REG_DWORD | 1: defer quality updatesOther value or absent: don’t defer quality updates | | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | -| PauseQualityUpdatesStartDate | REG_DWORD | 1: pause quality updatesOther value or absent: don’t pause quality updates | +| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updatesOther value or absent: don’t pause quality updates | |DeferFeatureUpdates | REG_DWORD | 1: defer feature updatesOther value or absent: don’t defer feature updates | | DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | -| PauseFeatureUpdatesStartDate | REG_DWORD |1: pause feature updatesOther value or absent: don’t pause feature updates | +| PauseFeatureUpdatesStartTime | REG_DWORD |1: pause feature updatesOther value or absent: don’t pause feature updates | | ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: exclude Windows Update driversOther value or absent: offer Windows Update drivers | @@ -236,9 +236,9 @@ The following are quick-reference tables of the supported policy values for Wind | --- | --- | --- | | BranchReadinessLevel | REG_DWORD |2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709) 4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709) 8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709) 16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-annual Channel 32: systems take Feature Updates from Semi-annual Channel Note: Other value or absent: receive all applicable updates | | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | -| PauseQualityUpdatesStartDate | REG_DWORD | 1: pause quality updatesOther value or absent: don’t pause quality updates | +| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updatesOther value or absent: don’t pause quality updates | | DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | -| PauseFeatureUpdatesStartDate | REG_DWORD | 1: pause feature updatesOther value or absent: don’t pause feature updates | +| PauseFeatureUpdatesStartTime | REG_DWORD | 1: pause feature updatesOther value or absent: don’t pause feature updates | | ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update driversOther value or absent: offer Windows Update drivers | ## Update devices to newer versions diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index a5d605d778..b4bb57aef5 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -119,7 +119,7 @@ Download mode dictates which download sources clients are allowed to use when do By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. -[//]: # (Configuration Manager Boundary Group option; GroupID Source policy) +[//]: # (Configuration Manager boundary group option; GroupID Source policy) >[!NOTE] >To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/) diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index ac14bcf549..584aa81202 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -35,6 +35,9 @@ Delivery Optimization offers a great many settings to fine-tune its behavior (se >[!NOTE] >These scenarios (and the recommended settings for each) are not mutually exclusive. It's possible that your deployment might involve more than one of these scenarios, in which case you can employ the related settings in any combination as needed. In all cases, however, "download mode" is the most important one to set. +> [!NOTE] +> Microsoft Intune includes a profile to make it easier to set Delivery Optimization policies. For details, see [Delivery Optimization settings for Intune](https://docs.microsoft.com/mem/intune/configuration/delivery-optimization-settings). + Quick-reference table: | Use case | Policy | Recommended value | Reason | @@ -66,6 +69,9 @@ To do this in Group Policy go to **Configuration\Policies\Administrative Templat To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DODownloadMode** to **2**. +> [!NOTE] +> For more about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optmization](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization). + ### Large number of mobile devices @@ -122,6 +128,8 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** | PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. | | ExpireOn | The target expiration date and time for the file. | | Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). | + +Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers. `Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: @@ -139,7 +147,9 @@ Using the `-Verbose` option returns additional information: - Bytes from CDN (the number of bytes received over HTTP) - Average number of peer connections per download -Starting in Window 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status. +Starting in Windows 10, version 2004, `Get-DeliveryOptimizationPerfSnap` has a new option `-PeerInfo` which returns a real-time list of the connected peers. + +Starting in Windows 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status. Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. @@ -166,6 +176,30 @@ You can now "pin" files to keep them persistent in the cache. You can only do th #### Work with Delivery Optimization logs +**Starting in Windows 10, version 2004:** + +`Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]` + +With no options, this cmdlet returns these data: + +- total number of files +- number of foreground files +- minimum file size for it to be cached +- number of eligible files +- number of files with peers +- number of peering files [how different from the above?] +- overall efficiency +- efficiency in the peered files + +Using the `-ListConnections` option returns these detauls about peers: + +- destination IP address +- peer type +- status code +- bytes sent +- bytes received +- file ID + **Starting in Windows 10, version 1803:** `Get-DeliveryOptimizationLog [-Path
Deploy secure enterprise-grade authentication and access control to protect accounts and data
- - image: - - src: https://docs.microsoft.com/media/common/i_identity-protection.svg - - title: Identity and access management - - - href: \windows\security\threat-protection\ - - html:Stop cyberthreats and quickly identify and respond to breaches
- - image: - - src: https://docs.microsoft.com/media/common/i_threat-protection.svg - - title: Threat protection - - - href: \windows\security\information-protection\ - - html:Identify and secure critical data to prevent data loss
- - image: - - src: https://docs.microsoft.com/media/common/i_information-protection.svg - - title: Information protection - +# productDirectory section (optional) +productDirectory: + items: + # Card + - title: Identity and access management + # imageSrc should be square in ratio with no whitespace + imageSrc: https://docs.microsoft.com/media/common/i_identity-protection.svg + summary: Deploy secure enterprise-grade authentication and access control to protect accounts and data + url: ./identity-protection/index.md + # Card + - title: Threat protection + imageSrc: https://docs.microsoft.com/media/common/i_threat-protection.svg + summary: Stop cyberthreats and quickly identify and respond to breaches + url: ./threat-protection/index.md + # Card + - title: Information protection + imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg + summary: Identify and secure critical data to prevent data loss + url: ./information-protection/index.md \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 406d096165..96fc9bd8c2 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -457,7 +457,7 @@ Checking BitLocker status with the control panel is the most common method used | **Suspended** | BitLocker is suspended and not actively protecting the volume | | **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected| -If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on volume E. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. +If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume. The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process. diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index 09d6973301..436ef15fe7 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md @@ -1882,7 +1882,7 @@ This policy controls how BitLocker-enabled system volumes are handled in conjunc Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8. When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker. ->**Warning:** Enabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. +>**Warning:** Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. ### Provide the unique identifiers for your organization diff --git a/windows/security/information-protection/images/device_details_tab_1903.png b/windows/security/information-protection/images/device_details_tab_1903.png new file mode 100644 index 0000000000..beb0337379 Binary files /dev/null and b/windows/security/information-protection/images/device_details_tab_1903.png differ diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 5474e7faf1..b36af3f717 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -1,5 +1,5 @@ --- -title: Kernel DMA Protection for Thunderbolt™ 3 (Windows 10) +title: Kernel DMA Protection (Windows 10) description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. ms.prod: w10 ms.mktglfcycl: deploy @@ -15,17 +15,18 @@ ms.date: 03/26/2019 ms.reviewer: --- -# Kernel DMA Protection for Thunderbolt™ 3 +# Kernel DMA Protection **Applies to** - Windows 10 -In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. +In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (e.g., Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (e.g., M.2 slots) + Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on. -For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to [Intel Thunderbolt™ 3 Security documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf). +For Thunderbolt DMA protection on earlier Windows versions and platforms that lack support for Kernel DMA Protection, please refer to [Intel Thunderbolt™ 3 Security documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf). ## Background @@ -33,9 +34,10 @@ PCI devices are DMA-capable, which allows them to read and write to system memor The DMA capability is what makes PCI devices the highest performing devices available today. These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard. Access to these devices required the user to turn off power to the system and disassemble the chassis. -Today, this is no longer the case with Thunderbolt™. -Thunderbolt™ technology has provided modern PCs with extensibility that was not available before for PCs. +Today, this is no longer the case with hot plug PCIe ports (e.g., Thunderbolt™ and CFexpress). + +Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that was not available before for PCs. It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB. Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks. @@ -45,15 +47,15 @@ A simple example would be a PC owner leaves the PC for a quick coffee break, and ## How Windows protects against DMA drive-by attacks Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless the drivers for these peripherals support memory isolation (such as DMA-remapping). -Peripherals with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. -By default, peripherals with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. +Peripherals with [DMA Remapping compatible drivers](https://docs.microsoft.com/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers) will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. + +By default, peripherals with DMA Remapping incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. IT administrators can modify the default behavior applied to devices with DMA Remapping incompatible drivers using the [DmaGuard MDM policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies). ## User experience  -A peripheral that is incompatible with DMA-remapping will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. -Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. +By default, peripherals with DMA remapping compatible device drivers will be automatically enumerated and started. Peripherals with DMA Remapping incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. The peripheral will continue to function normally if the user locks the screen or logs out of the system. ## System compatibility @@ -103,18 +105,21 @@ No, Kernel DMA Protection only protects against drive-by DMA attacks after the O DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (i.e. the device driver does not support DMA-remapping). Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external). + + *For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image.  -### What should I do if the drivers for my Thunderbolt™ 3 peripherals do not support DMA-remapping? -If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support this functionality. Details for driver compatibility requirements can be found at the [Microsoft Partner Center](https://partner.microsoft.com/dashboard/collaborate/packages/4142). +### What should I do if the drivers for my PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping? + +If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](https://docs.microsoft.com/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers). ### Do Microsoft drivers support DMA-remapping? -In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA-remapping. +In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA Remapping. ### Do drivers for non-PCI devices need to be compatible with DMA-remapping? -No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA-remapping. +No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA Remapping. ### How can an enterprise enable the External device enumeration policy? The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 48c612f49d..8c01645295 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -71,16 +71,18 @@ Microsoft has made a concerted effort to enlighten several of our more popular a - Microsoft Messaging -- Microsoft Remote Desktop +- Microsoft Remote Desktop > [!NOTE] -> Microsoft Visio, Microsoft Office Access and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining. +> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning. ## List of WIP-work only apps from Microsoft Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions. - Skype for Business +- Microsoft Teams (build 1.3.00.12058 and later) + ## Adding enlightened Microsoft apps to the allowed apps list > [!NOTE] diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 3fc752f3ca..7e12444b58 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro @@ -131,6 +131,11 @@ This table provides info about the most common problems you might encounter whilThis built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. @@ -74,14 +77,14 @@ The attack surface reduction set of capabilities provide the first line of defen -**[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**
+**[Next generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**
To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats. -- [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) -- [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus) -- [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus) -- [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus) -- [Automated sandbox service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) +- [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) +- [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus) +- [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus) +- [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus) +- [Automated sandbox service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) diff --git a/windows/security/threat-protection/intelligence/TOC.md b/windows/security/threat-protection/intelligence/TOC.md index 1bea408ef2..b07721ab05 100644 --- a/windows/security/threat-protection/intelligence/TOC.md +++ b/windows/security/threat-protection/intelligence/TOC.md @@ -36,8 +36,6 @@ ## [Safety Scanner download](safety-scanner-download.md) -## [Industry tests](top-scoring-industry-antivirus-tests.md) - ## [Industry collaboration programs](cybersecurity-industry-partners.md) ### [Virus information alliance](virus-information-alliance-criteria.md) diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md index 572d4cf705..74c19eb50f 100644 --- a/windows/security/threat-protection/intelligence/criteria.md +++ b/windows/security/threat-protection/intelligence/criteria.md @@ -159,11 +159,11 @@ Advertisements shown to you must: #### Consumer opinion -Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Windows Defender Antivirus and other Microsoft antimalware solutions. +Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Microsoft Defender Antivirus and other Microsoft antimalware solutions. ## Potentially unwanted application (PUA) -Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This protection helps deliver more productive, performant, and delightful Windows experiences. For instruction on how to enable PUA protection in Chromium-based Microsoft Edge and Windows Defender Antivirus, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md). +Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This protection helps deliver more productive, performant, and delightful Windows experiences. For instruction on how to enable PUA protection in Chromium-based Microsoft Edge and Microsoft Defender Antivirus, see [Detect and block potentially unwanted applications](../microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md). *PUAs are not considered malware.* @@ -175,7 +175,7 @@ Microsoft uses specific categories and the category definitions to classify soft * **Cryptomining software:** Software that uses your device resources to mine cryptocurrencies. -* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document. +* **Bundling software:** Software that offers to install other software that is not developed by the same entity or not required for the software to run. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document. * **Marketing software:** Software that monitors and transmits the activities of users to applications or services other than itself for marketing research. diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md index 3e680879b5..c6973ab9e1 100644 --- a/windows/security/threat-protection/intelligence/developer-faq.md +++ b/windows/security/threat-protection/intelligence/developer-faq.md @@ -43,8 +43,8 @@ It contains instructions to offer a program classified as unwanted software. You ## Why is the Windows Firewall blocking my program? -This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network. +This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network. ## Why does the Windows Defender SmartScreen say my program is not commonly downloaded? -This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website. +This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website. diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md index 35aec2bd9c..b413cea906 100644 --- a/windows/security/threat-protection/intelligence/developer-resources.md +++ b/windows/security/threat-protection/intelligence/developer-resources.md @@ -40,4 +40,4 @@ Find more guidance about the file submission and detection dispute process in ou ### Scan your software -Use [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft. +Use [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft. diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md index 2a52b19798..001d356c59 100644 --- a/windows/security/threat-protection/intelligence/malware-naming.md +++ b/windows/security/threat-protection/intelligence/malware-naming.md @@ -1,7 +1,7 @@ --- title: Malware names ms.reviewer: -description: Understand the malware naming convention used by Windows Defender Antivirus and other Microsoft antimalware. +description: Understand the malware naming convention used by Microsoft Defender Antivirus and other Microsoft antimalware. keywords: security, malware, names, Microsoft, MMPC, Microsoft Malware Protection Center, WDSI, malware name, malware prefix, malware type, virus name ms.prod: w10 ms.mktglfcycl: secure diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md index ffe4254e2b..ad80fad7fe 100644 --- a/windows/security/threat-protection/intelligence/rootkits-malware.md +++ b/windows/security/threat-protection/intelligence/rootkits-malware.md @@ -55,7 +55,7 @@ For more general tips, see [prevent malware infection](prevent-malware-infection Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your device and your antimalware software isn’t detecting it, you might need an extra tool that lets you boot to a known trusted environment. -[Windows Defender Offline](https://support.microsoft.com/help/17466/windows-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection. +[Microsoft Defender Offline](https://support.microsoft.com/help/17466/microsoft-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection. [System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that impact system integrity. diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index f6b12d45e0..96e45bc39b 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md @@ -34,7 +34,7 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from - Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download. -- This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/wdsi/help/troubleshooting-infection). +- This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Microsoft Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/wdsi/help/troubleshooting-infection). ## System requirements @@ -53,7 +53,7 @@ For more information about the Safety Scanner, see the support article on [how t ## Related resources - [Troubleshooting Safety Scanner](https://support.microsoft.com/help/2520970/how-to-troubleshoot-an-error-when-you-run-the-microsoft-safety-scanner) -- [Windows Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security) +- [Microsoft Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security) - [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download) - [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware) - [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission) diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md index 35942059ca..8544b43d61 100644 --- a/windows/security/threat-protection/intelligence/support-scams.md +++ b/windows/security/threat-protection/intelligence/support-scams.md @@ -45,13 +45,13 @@ It is also important to keep the following in mind: * Use [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge) when browsing the internet. It blocks known support scam sites using Windows Defender SmartScreen (which is also used by Internet Explorer). Furthermore, Microsoft Edge can stop pop-up dialogue loops used by these sites. -* Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware. +* Enable [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware. ## What to do if information has been given to a tech support person * Uninstall applications that scammers asked to be install. If access has been granted, consider resetting the device -* Run a full scan with Windows Defender Antivirus to remove any malware. Apply all security updates as soon as they are available. +* Run a full scan with Microsoft Defender Antivirus to remove any malware. Apply all security updates as soon as they are available. * Change passwords. diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md deleted file mode 100644 index fcd89c3a81..0000000000 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ /dev/null @@ -1,112 +0,0 @@ ---- -title: Top scoring in industry tests (AV-TEST, AV Comparatives, SE Labs, MITRE ATT&CK) -ms.reviewer: -description: Microsoft Defender ATP consistently achieves high scores in independent tests. View the latest scores and analysis. -keywords: Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, scoring, next generation protection, ranking, success -ms.prod: w10 -ms.mktglfcycl: secure -ms.sitesec: library -ms.localizationpriority: high -ms.author: ellevin -author: levinec -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -search.appverid: met150 ---- - -# Top scoring in industry tests - -Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis. - -## Next generation protection - -[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) consistently performs highly in independent tests, displaying how it is a top choice in the antivirus market. Keep in mind, these tests only provide results for antivirus and do not test for additional security protections. - -Windows Defender Antivirus is the [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) capability in the [Microsoft Defender ATP Windows 10 security stack](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) that addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign). That's because Windows Defender Antivirus and other [endpoint protection platform (EPP)](https://www.microsoft.com/security/blog/2019/08/23/gartner-names-microsoft-a-leader-in-2019-endpoint-protection-platforms-magic-quadrant/) capabilities in Microsoft Defender ATP detect and stops malware at first sight with [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak), behavioral analysis, and other advanced technologies. -
- -**Download the latest transparency report: [Examining industry test results, November 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)** - -### AV-TEST: Protection score of 5.5/6.0 in the latest test - -The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The following scores are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware"). - -- January - February 2020 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2020/microsoft-windows-defender-antivirus-4.18-200614/) **Latest** - - Windows Defender Antivirus achieved an overall Protection score of 5.5/6.0, with 21,008 malware samples used. - -- November - December 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2019/microsoft-windows-defender-antivirus-4.18-195015/) - -- September - October 2019 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2019/microsoft-windows-defender-antivirus-4.18-194115/) - -- July — August 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2019/microsoft-windows-defender-antivirus-4.18-193215/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) - -- May — June 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2019/microsoft-windows-defender-antivirus-4.18-192415/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) - -- March — April 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2019/microsoft-windows-defender-antivirus-4.18-191517/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) - -- January — February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2019/microsoft-windows-defender-antivirus-4.18-190611/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd) - -- November — December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWusR9) - -- September — October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD) - -### AV-Comparatives: Protection rating of 99.6% in the latest test - -Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance. - -- Business Security Test 2019 (August — November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2019-august-november/) **Latest** - - Windows Defender Antivirus has scored consistently high in Real-World Protection Rates over the past year, with 99.6% in the latest test. - -- Business Security Test 2019 Factsheet (August — September): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-august-september-2019-factsheet/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) - -- Business Security Test 2019 (March — June): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-2019-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) - -- Business Security Test 2018 (August — November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2018-august-november/) - -- Business Security Test 2018 (March — June): [Real-World Protection Rate 98.7%](https://www.av-comparatives.org/tests/business-security-test-2018-march-june/) - -### SE Labs: AAA award in the latest test - -SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services. - -- Enterprise Endpoint Protection October — December 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/oct-dec-2019-enterprise.pdf) **pdf** - - Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all but two public threats. - -- Enterprise Endpoint Protection July — September 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jul-sep-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) - -- Enterprise Endpoint Protection April — June 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/apr-jun-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) - -- Enterprise Endpoint Protection January — March 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jan-mar-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) - -- Enterprise Endpoint Protection October — December 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/oct-dec-2018-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd) - -## Endpoint detection & response - -Microsoft Defender ATP [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. - - - -**Read our analysis: [MITRE evaluation highlights industry-leading EDR capabilities in Windows Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831)** - -### MITRE: Industry-leading optics and detection capabilities - -MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off. Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework. The framework is widely regarded today as the most comprehensive catalog of attacker techniques and tactics. - -- ATT&CK-based evaluation: [Leading optics and detection capabilities](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/) | [Analysis](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831) - - Microsoft Defender ATP delivered comprehensive coverage of attacker techniques across the entire attack chain. Highlights included the breadth of telemetry, the strength of threat intelligence, and the advanced, automatic detection through machine learning, heuristics, and behavior monitoring. - -## To what extent are tests representative of protection in the real world? - -Independent security industry tests aim to evaluate the best antivirus and security products in an unbiased manner. However, it is important to remember that Microsoft sees a wider and broader set of threats beyond what's tested in the evaluations highlighted in this topic. For example, in an average month Microsoft's security products identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats. - -The capabilities within Microsoft Defender ATP provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses) that are not factored into industry antivirus tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Microsoft Defender ATP creates a partial picture of how Microsoft's security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Microsoft Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively Microsoft's security suite protects customers in the real world. - -With independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. - -[Learn more about Microsoft Defender ATP](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) and evaluate it in your own network by signing up for a [90-day trial of Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), or [enabling Preview features on existing tenants](../microsoft-defender-atp/preview-settings.md). diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md index c9f64fecd6..2ed753b049 100644 --- a/windows/security/threat-protection/intelligence/trojans-malware.md +++ b/windows/security/threat-protection/intelligence/trojans-malware.md @@ -40,7 +40,7 @@ Trojans can come in many different varieties, but generally they do the followin Use the following free Microsoft software to detect and remove it: -- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows. +- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows. - [Microsoft Safety Scanner](safety-scanner-download.md) diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md index fdf1e1e4bf..ab2471f894 100644 --- a/windows/security/threat-protection/intelligence/unwanted-software.md +++ b/windows/security/threat-protection/intelligence/unwanted-software.md @@ -43,7 +43,7 @@ To prevent unwanted software infection, download software only from official web Use [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index) (also used by Internet Explorer). -Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. +Enable [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista. diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index 6b392dcc81..04c8f8280f 100644 --- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -44,7 +44,7 @@ This image shows how a worm can quickly spread through a shared USB drive. ## How to protect against worms -Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. +Enable [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista. diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index dc96de376a..771169d40b 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -1,6 +1,6 @@ --- title: Guide to removing Microsoft Baseline Security Analyzer (MBSA) -description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions +description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions. keywords: MBSA, security, removal ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md similarity index 62% rename from windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md rename to windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md index 9b7b2cffbf..e9fd6a400e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md @@ -1,7 +1,7 @@ --- -title: What to do with false positives/negatives in Windows Defender Antivirus -description: Did Windows Defender Antivirus miss or wrongly detect something? Find out what you can do. -keywords: Windows Defender Antivirus, false positives, false negatives, exclusions +title: What to do with false positives/negatives in Microsoft Defender Antivirus +description: Did Microsoft Defender Antivirus miss or wrongly detect something? Find out what you can do. +keywords: Microsoft Defender Antivirus, false positives, false negatives, exclusions search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -12,43 +12,43 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 02/05/2020 +ms.date: 06/08/2020 ms.reviewer: shwetaj manager: dansimp audience: ITPro ms.topic: article --- -# What to do with false positives/negatives in Windows Defender Antivirus +# What to do with false positives/negatives in Microsoft Defender Antivirus **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Windows Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware and spyware across email, apps, the cloud, and the web. +Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web. -But what if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these things. You can: -- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis); -- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring); or -- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned) by Windows Defender Antivirus. +What if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these issues. You can: +- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis) +- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring) +- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned) ## Submit a file to Microsoft for analysis 1. Review the [submission guidelines](../intelligence/submission-guide.md). -2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission). +2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission). > [!TIP] > We recommend signing in at the submission portal so you can track the results of your submissions. ## Create an "Allow" indicator to prevent a false positive from recurring -If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Windows Defender Antivirus (and Microsoft Defender Advanced Threat Protection) that the item is safe. +If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Microsoft Defender Antivirus (and Microsoft Defender Advanced Threat Protection) that the item is safe. To set up your "Allow" indicator, follow the guidance in [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). ## Define an exclusion on an individual Windows device to prevent an item from being scanned -When you define an exclusion for Windows Defender Antivirus, you configure your antivirus to skip that item. +When you define an exclusion for Microsoft Defender Antivirus, you configure your antivirus to skip that item. 1. On your Windows 10 device, open the Windows Security app. 2. Select **Virus & threat protection** > **Virus & threat protection settings**. @@ -59,14 +59,14 @@ The following table summarizes exclusion types, how they're defined, and what ha |Exclusion type |Defined by |What happens | |---------|---------|---------| -|**File** |Location
Example: `c:\sample\sample.test` |The specified file is skipped by Windows Defender Antivirus. | -|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Windows Defender Antivirus. | -|**File type** |File extension
Example: `.test` |All files with the specified extension anywhere on your device are skipped by Windows Defender Antivirus. | -|**Process** |Executable file path
Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Windows Defender Antivirus. | +|**File** |Location
Example: `c:\sample\sample.test` |The specified file is skipped by Microsoft Defender Antivirus. | +|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. | +|**File type** |File extension
Example: `.test` |All files with the specified extension anywhere on your device are skipped by Microsoft Defender Antivirus. | +|**Process** |Executable file path
Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. | -To learn more, see: -- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus) -- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus) +To learn more, see: +- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus) +- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus) ## Related articles diff --git a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md similarity index 79% rename from windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md rename to windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md index 1cae26190b..691027c34e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md @@ -1,7 +1,7 @@ --- -title: Collect diagnostic data for Update Compliance and Windows Defender Windows Defender Antivirus -description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Windows Defender Antivirus Assessment add in -keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, windows defender av +title: Collect diagnostic data for Update Compliance and Windows Defender Microsoft Defender Antivirus +description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Microsoft Defender Antivirus Assessment add in +keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -17,15 +17,15 @@ ms.reviewer: manager: dansimp --- -# Collect Update Compliance diagnostic data for Windows Defender AV Assessment +# Collect Update Compliance diagnostic data for Microsoft Defender AV Assessment **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in. +This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV Assessment section in the Update Compliance add-in. -Before attempting this process, ensure you have read [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps. +Before attempting this process, ensure you have read [Troubleshoot Microsoft Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps. On at least two devices that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by taking the following steps: @@ -52,7 +52,7 @@ On at least two devices that are not reporting or showing up in Update Complianc 6. Send an email using the Update Compliance support email template, and fill out the template with the following information: ``` - I am encountering the following issue when using Windows Defender Antivirus in Update Compliance: + I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance: I have provided at least 2 support .cab files at the following location:
For more information see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share). + +5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us. + +> [!NOTE] +>If you have a problem with Update compliance, send an email using the Update Compliance support email template, and fill out the template with the following information: +>``` +> I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance: +> I have provided at least 2 support .cab files at the following location: +>
In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple, nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`
`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`
`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` | +|`*` (asterisk)
In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`
`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`
`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` | |`?` (question mark)
In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my` would include `C:\MyData\my1.zip`
`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders
`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders | |Environment variables
The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` | @@ -206,30 +206,30 @@ You can retrieve the items in the exclusion list using one of the following meth - [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) - MpCmdRun - PowerShell -- [Windows Security app](windows-defender-security-center-antivirus.md#exclusions) +- [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions) >[!IMPORTANT] ->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). +>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). > >Changes made in the Windows Security app **will not show** in the Group Policy lists. If you use PowerShell, you can retrieve the list in two ways: -- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. +- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists are displayed on separate lines, but the items within each list are combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. ### Validate the exclusion list by using MpCmdRun -To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: +To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: ```DOS MpCmdRun.exe -CheckExclusion -path
`*.wdcpalt.microsoft.com`
`*.wd.microsoft.com`| +| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com`
`*.wdcpalt.microsoft.com`
`*.wd.microsoft.com`| | Microsoft Update Service (MU)| Security intelligence and product updates |`*.update.microsoft.com`| -|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`| +|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`| | Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`ussas1eastprod.blob.core.windows.net`
`ussas1southeastprod.blob.core.windows.net`
`ussau1eastprod.blob.core.windows.net`
`ussau1southeastprod.blob.core.windows.net` | | Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/`
`https://www.microsoft.com/pkiops/certs`
`https://crl.microsoft.com/pki/crl/products`
`https://www.microsoft.com/pki/certs` | -| Symbol Store|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | -| Universal Telemetry Client| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`| +| Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | +| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`| ## Validate connections between your network and the cloud -After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected. +After whitelisting the URLs listed above, you can test if you are connected to the Microsoft Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected. **Use the cmdline tool to validate cloud-delivered protection:** -Use the following argument with the Windows Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Windows Defender Antivirus cloud service: +Use the following argument with the Microsoft Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service: -```DOS +```console "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection ``` > [!NOTE] > You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher. -For more information, see [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md). +For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-microsoft-defender-antivirus.md). **Attempt to download a fake malware file from Microsoft:** -You can download a sample file that Windows Defender Antivirus will detect and block if you are properly connected to the cloud. +You can download a sample file that Microsoft Defender Antivirus will detect and block if you are properly connected to the cloud. Download the file by visiting the following link: - https://aka.ms/ioavtest @@ -87,9 +87,7 @@ Download the file by visiting the following link: >[!NOTE] >This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. -If you are properly connected, you will see a warning Windows Defender Antivirus notification: - - +If you are properly connected, you will see a warning Microsoft Defender Antivirus notification. If you are using Microsoft Edge, you'll also see a notification message: @@ -97,7 +95,7 @@ If you are using Microsoft Edge, you'll also see a notification message: A similar message occurs if you are using Internet Explorer: - + You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app: @@ -107,24 +105,22 @@ You will also see a detection under **Quarantined threats** in the **Scan histor  -3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware: +3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware. -  + > [!NOTE] + > Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md). ->[!NOTE] ->Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md). - -The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md). + The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-microsoft-defender-antivirus.md). >[!IMPORTANT] >You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity. ## Related articles -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) -- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) +- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) -- [Run an Windows Defender Antivirus scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md) +- [Run an Microsoft Defender Antivirus scan from the command line](command-line-arguments-microsoft-defender-antivirus.md) and [Command line arguments](command-line-arguments-microsoft-defender-antivirus.md) - [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md similarity index 83% rename from windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md index ef9bf3607a..57a0ea6f0e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Configure Windows Defender Antivirus notifications -description: Configure and customize Windows Defender Antivirus notifications. +title: Configure Microsoft Defender Antivirus notifications +description: Configure and customize Microsoft Defender Antivirus notifications. keywords: notifications, defender, antivirus, endpoint, management, admin search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -31,7 +31,7 @@ You can also configure how standard notifications appear on endpoints, such as n ## Configure the additional notifications that appear on endpoints -You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](windows-defender-security-center-antivirus.md) and with Group Policy. +You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](microsoft-defender-security-center-antivirus.md) and with Group Policy. > [!NOTE] > In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**. @@ -59,7 +59,7 @@ You can configure the display of additional notifications, such as recent threat 3. Click **Administrative templates**. -4. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**. +4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Reporting**. 5. Double-click **Turn off enhanced notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. @@ -71,7 +71,7 @@ You can use Group Policy to: - Hide all notifications on endpoints - Hide reboot notifications on endpoints -Hiding notifications can be useful in situations where you can't hide the entire Windows Defender Antivirus interface. See [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information. +Hiding notifications can be useful in situations where you can't hide the entire Microsoft Defender Antivirus interface. See [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) for more information. > [!NOTE] > Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). @@ -84,7 +84,7 @@ See [Customize the Windows Security app for your organization](../windows-defend 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. +3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**. 4. Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. @@ -96,11 +96,11 @@ See [Customize the Windows Security app for your organization](../windows-defend 3. Click **Administrative templates**. -4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. +4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**. 5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. ## Related topics -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) +- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md similarity index 69% rename from windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index 1b19f98ccd..ffe624dd8e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md @@ -1,7 +1,7 @@ --- title: Configure exclusions for files opened by specific processes description: You can exclude files from scans if they have been opened by a specific process. -keywords: Windows Defender Antivirus, process, exclusion, files, scans +keywords: Microsoft Defender Antivirus, process, exclusion, files, scans search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -22,7 +22,7 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans. +You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. This topic describes how to configure exclusion lists for the following: @@ -34,11 +34,11 @@ Any file on the machine that is opened by any process with a specific file name Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:
- c:\test\sample\test.exe
- c:\test\sample\test2.exe
- c:\test\sample\utility.exe
There are performance and feature improvements to the way in which Windows Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607. +> Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
There are performance and feature improvements to the way in which Microsoft Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607. ### Set up a dedicated VDI file share @@ -116,7 +116,7 @@ The profile will now be deployed to the impacted devices. This may take some tim 3. Click **Administrative templates**. -4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Security Intelligence Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. 5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears. @@ -192,11 +192,11 @@ If you would prefer to do everything manually, this what you would need to do to ### Randomize scheduled scans -Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md). +Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md). -The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Windows Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan. +The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Microsoft Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan. -See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans. +See [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) for other configuration options available for scheduled scans. ### Use quick scans @@ -211,7 +211,7 @@ Quick scans are the preferred approach as they are designed to look in all place ### Prevent notifications -Sometimes, Windows Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Windows Defender Antivirus user interface. +Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Microsoft Defender Antivirus user interface. 1. Expand the tree to **Windows components > Windows Defender > Client Interface**. @@ -219,7 +219,7 @@ Sometimes, Windows Defender Antivirus notifications may be sent to or persist ac 3. Click **OK**. -This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed. +This prevents notifications from Microsoft Defender AV appearing in the action center on Windows 10 when scans or remediation is performed. ### Disable scans after an update @@ -253,11 +253,11 @@ This forces a scan if the VM has missed two or more consecutive scheduled scans. 2. Click **OK**. -This hides the entire Windows Defender AV user interface from users. +This hides the entire Microsoft Defender AV user interface from users. ### Exclusions -On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, see [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus). +On Windows Server 2016, Microsoft Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus). ## Additional resources diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md similarity index 80% rename from windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 7c0db7f78f..3345190e01 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Block potentially unwanted applications with Windows Defender Antivirus +title: Block potentially unwanted applications with Microsoft Defender Antivirus description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware. -keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Windows Defender Antivirus +keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -64,20 +64,20 @@ Defender SmartScreen available, including [one for blocking PUA](https://docs.mi Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings. -### Windows Defender Antivirus +### Microsoft Defender Antivirus -The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. +The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network. > [!NOTE] > This feature is only available in Windows 10. -Windows Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. +Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. -When a PUA file is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. +When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. -The notification appears in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). +The notification appears in the usual [quarantine list within the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history). -#### Configure PUA protection in Windows Defender Antivirus +#### Configure PUA protection in Microsoft Defender Antivirus You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets. @@ -90,7 +90,7 @@ PUA audit mode is useful if your company is conducting an internal software secu ##### Use Intune to configure PUA protection -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. ##### Use Configuration Manager to configure PUA protection @@ -101,7 +101,7 @@ See [How to create and deploy antimalware policies: Scheduled scans settings](ht For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). > [!NOTE] -> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager. +> PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager. ##### Use Group Policy to configure PUA protection @@ -109,7 +109,7 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. -3. Expand the tree to **Windows components > Windows Defender Antivirus**. +3. Expand the tree to **Windows components > Microsoft Defender Antivirus**. 4. Double-click **Configure protection for potentially unwanted applications**. @@ -142,7 +142,7 @@ Set-MpPreference -PUAProtection disable ``` Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled. -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. #### View PUA events @@ -150,13 +150,13 @@ PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoi You can turn on email notifications to receive mail about PUA detections. -See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID **1160**. +See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**. #### Allow-listing apps -Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus. +Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Microsoft Defender Antivirus. ## Related articles -- [Next-generation protection](windows-defender-antivirus-in-windows-10.md) -- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) +- [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md) +- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md similarity index 69% rename from windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md index 8c14c01d58..84f310871d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Enable cloud-delivered protection in Windows Defender Antivirus +title: Enable cloud-delivered protection in Microsoft Defender Antivirus description: Enable cloud-delivered protection to benefit from fast and advanced protection features. -keywords: windows defender antivirus, antimalware, security, cloud, block at first sight +keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -23,16 +23,16 @@ ms.custom: nextgen - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > [!NOTE] -> The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. +> The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. -Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). - +Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). + -You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. +You can enable or disable Microsoft Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. -See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection. +See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for an overview of Microsoft Defender Antivirus cloud-delivered protection. -There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) for more details. +There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md) for more details. > [!NOTE] > In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. @@ -42,7 +42,7 @@ There are specific network-connectivity requirements to ensure your endpoints ca 1. Sign in to the [Azure portal](https://portal.azure.com). 2. Select **All services > Intune**. 3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). -4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**. +4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**. 5. On the **Cloud-delivered protection** switch, select **Enable**. 6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. 7. In the **Submit samples consent** dropdown, select one of the following: @@ -54,9 +54,9 @@ There are specific network-connectivity requirements to ensure your endpoints ca > The **Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. > [!WARNING] - > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work. + > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work. -8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. +8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) @@ -72,7 +72,7 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht 3. Select **Administrative templates**. -4. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** +4. Expand the tree to **Windows components > Microsoft Defender Antivirus > MAPS** 5. Double-click **Join Microsoft MAPS**. Ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**. @@ -85,7 +85,7 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht > The **Send safe samples** (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. > [!WARNING] - > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work. + > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work. 7. Click **OK**. @@ -98,13 +98,13 @@ Set-MpPreference -MAPSReporting Advanced Set-MpPreference -SubmitSamplesConsent SendAllSamples ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). >[!NOTE] > You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. >[!WARNING] -> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work. +> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work. ## Use Windows Management Instruction (WMI) to enable cloud-delivered protection @@ -137,11 +137,11 @@ See the following for more information and allowed parameters: ## Related topics -- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) -- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) -- [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) +- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) +- [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) +- [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] - [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) -- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [Utilize Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) - [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md similarity index 62% rename from windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md index 6173192baf..1c2dec92b5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Evaluate Windows Defender Antivirus -description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Windows Defender Antivirus in Windows 10. -keywords: windows defender antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection +title: Evaluate Microsoft Defender Antivirus +description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Microsoft Defender Antivirus in Windows 10. +keywords: Microsoft Defender Antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -17,13 +17,13 @@ ms.reviewer: manager: dansimp --- -# Evaluate Windows Defender Antivirus +# Evaluate Microsoft Defender Antivirus **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Use this guide to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications. +Use this guide to determine how well Microsoft Defender Antivirus protects you from viruses, malware, and potentially unwanted applications. >[!TIP] >You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: @@ -31,7 +31,7 @@ Use this guide to determine how well Windows Defender Antivirus protects you fro >- Fast learning (including Block at first sight) >- Potentially unwanted application blocking -It explains the important next generation protection features of Windows Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network. +It explains the important next generation protection features of Microsoft Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network. You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings. @@ -44,11 +44,11 @@ You can also download a PowerShell that will enable all the settings described i - [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings) > [!IMPORTANT] -> The guide is currently intended for single-machine evaluation of Windows Defender Antivirus. Enabling all of the settings in this guide may not be suitable for real-world deployment. +> The guide is currently intended for single-machine evaluation of Microsoft Defender Antivirus. Enabling all of the settings in this guide may not be suitable for real-world deployment. > -> For the latest recommendations for real-world deployment and monitoring of Windows Defender Antivirus across a network, see [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md). +> For the latest recommendations for real-world deployment and monitoring of Microsoft Defender Antivirus across a network, see [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md). ## Related topics -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) +- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg b/windows/security/threat-protection/microsoft-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg rename to windows/security/threat-protection/microsoft-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/atp-portal-onboarding-page.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/atp-portal-onboarding-page.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/atp-portal-onboarding-page.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/atp-portal-onboarding-page.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender-updatedefs2.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender-updatedefs2.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender-updatedefs2.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender-updatedefs2.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/client.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/client.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/client.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/client.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/intune-block-at-first-sight.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/intune-block-at-first-sight.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/intune-block-at-first-sight.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/intune-block-at-first-sight.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/notification.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/notification.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/notification.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/notification.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-advanced-settings.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-advanced-settings.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-advanced-settings.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-advanced-settings.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-cloud-protection-service.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-cloud-protection-service.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-cloud-protection-service.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-cloud-protection-service.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-real-time-protection.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-real-time-protection.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-real-time-protection.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-real-time-protection.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-wdo.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-wdo.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-wdo.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-wdo.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-edge.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-bafs-edge.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-edge.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-bafs-edge.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-ie.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-bafs-ie.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-ie.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-bafs-ie.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-extension-exclusions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-extension-exclusions.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-extension-exclusions.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-extension-exclusions.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreat.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-get-mpthreat.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreat.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-get-mpthreat.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1607.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-1607.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1607.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-1607.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1703.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-1703.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1703.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-1703.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-history-wdsc.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-history-wdsc.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-history-wdsc.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-history-wdsc.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-malware-detected.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-malware-detected.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-malware-detected.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-malware-detected.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-order-update-sources.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-order-update-sources.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-order-update-sources.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-order-update-sources.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-path-exclusions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-path-exclusions.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-path-exclusions.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-path-exclusions.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-process-exclusions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-process-exclusions.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-process-exclusions.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-process-exclusions.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-settings-old.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-settings-old.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-settings-old.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-settings-old.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-wdsc-defs.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-wdsc-defs.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-wdsc.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-wdsc.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-windows-defender-app-old.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-windows-defender-app-old.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-windows-defender-app-old.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-windows-defender-app-old.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-administrative-templates.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-administrative-templates.PNG similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-administrative-templates.PNG rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-administrative-templates.PNG diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-real-time-protection.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-real-time-protection.PNG similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-real-time-protection.PNG rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-real-time-protection.PNG diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-search.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-search.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-search.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-search.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection-enabled.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-turn-off-real-time-protection-enabled.PNG similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection-enabled.PNG rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-turn-off-real-time-protection-enabled.PNG diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-turn-off-real-time-protection.PNG similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection.PNG rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-turn-off-real-time-protection.PNG diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus-scan.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-windows-defender-antivirus-scan.PNG similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus-scan.PNG rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-windows-defender-antivirus-scan.PNG diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-windows-defender-antivirus.PNG similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus.PNG rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-windows-defender-antivirus.PNG diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/jamf-onboarding.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/jamf-onboarding.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/jamf-onboarding.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/jamf-onboarding.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-1-registerapp.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-1-registerapp.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-1-registerapp.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-1-registerapp.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-10-clientapps.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-10-clientapps.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-10-clientapps.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-10-clientapps.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-11-assignments.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-11-assignments.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-11-assignments.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-11-assignments.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-12-deviceinstall.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-12-deviceinstall.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-12-deviceinstall.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-12-deviceinstall.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-13-systempreferences.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-13-systempreferences.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-13-systempreferences.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-13-systempreferences.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-15-managementprofileconfig.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-15-managementprofileconfig.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-15-managementprofileconfig.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-15-managementprofileconfig.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-16-preferencedomain.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-16-preferencedomain.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-16-preferencedomain.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-16-preferencedomain.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-17-approvedkernelextensions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-17-approvedkernelextensions.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-17-approvedkernelextensions.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-17-approvedkernelextensions.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-18-configurationprofilesscope.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-18-configurationprofilesscope.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-18-configurationprofilesscope.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-18-configurationprofilesscope.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-2-downloadpackages.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-2-downloadpackages.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-2-downloadpackages.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-2-downloadpackages.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-21-mdmprofile1.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-21-mdmprofile1.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-21-mdmprofile1.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-21-mdmprofile1.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-22-mdmprofileapproved.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-22-mdmprofileapproved.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-22-mdmprofileapproved.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-22-mdmprofileapproved.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-23-mdmstatus.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-23-mdmstatus.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-23-mdmstatus.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-23-mdmstatus.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-24-statusonserver.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-24-statusonserver.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-24-statusonserver.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-24-statusonserver.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-25-statusonclient.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-25-statusonclient.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-25-statusonclient.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-25-statusonclient.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-26-uninstall.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-26-uninstall.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-26-uninstall.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-26-uninstall.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-27-uninstallscript.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-27-uninstallscript.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-27-uninstallscript.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-27-uninstallscript.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-28-appinstall.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-28-appinstall.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-28-appinstall.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-28-appinstall.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-29-appinstalllogin.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-29-appinstalllogin.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-29-appinstalllogin.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-29-appinstalllogin.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-30-systemextension.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-30-systemextension.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-30-systemextension.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-30-systemextension.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-31-securityprivacysettings.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-31-securityprivacysettings.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-31-securityprivacysettings.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-31-securityprivacysettings.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-32-main-app-fix.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-32-main-app-fix.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-32-main-app-fix.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-32-main-app-fix.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-34-mau.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-34-mau.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-34-mau.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-34-mau.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-36-rtp.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-36-rtp.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-37-exclusions.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-37-exclusions.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-4-managementprofile.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-4-managementprofile.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-4-managementprofile.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-4-managementprofile.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-5-alldevices.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-5-alldevices.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-5-alldevices.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-5-alldevices.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-7-devicestatusblade.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-7-devicestatusblade.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-7-devicestatusblade.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-7-devicestatusblade.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-8-intuneappinfo.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-8-intuneappinfo.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-8-intuneappinfo.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-8-intuneappinfo.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-9-intunepkginfo.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-9-intunepkginfo.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-9-intunepkginfo.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-9-intunepkginfo.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon-bar.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon-bar.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon-bar.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon-bar.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/server-add-gui.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/server-add-gui.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/svg/check-no.svg b/windows/security/threat-protection/microsoft-defender-antivirus/images/svg/check-no.svg similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/svg/check-no.svg rename to windows/security/threat-protection/microsoft-defender-antivirus/images/svg/check-no.svg diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg b/windows/security/threat-protection/microsoft-defender-antivirus/images/svg/check-yes.svg similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg rename to windows/security/threat-protection/microsoft-defender-antivirus/images/svg/check-yes.svg diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tamperattemptalert.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tamperattemptalert.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/tamperattemptalert.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tamperattemptalert.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectionturnedon.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tamperprotectionturnedon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectionturnedon.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tamperprotectionturnedon.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectsecurityrecos.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tamperprotectsecurityrecos.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectsecurityrecos.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tamperprotectsecurityrecos.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-alert.jpg b/windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-alert.jpg similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-alert.jpg rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-alert.jpg diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-huntingquery.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-huntingquery.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-huntingquery.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-huntingquery.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-windowssecurityapp.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-windowssecurityapp.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-windowssecurityapp.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-windowssecurityapp.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-consumer.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-consumer.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-consumer.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-consumer.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-enterprise.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-enterprise.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-enterprise.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-enterprise.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-intune.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-intune.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-intune.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-intune.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotection.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotection.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotection.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotection.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps-lps-on.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps-lps-on.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps-lps.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps-lps.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/vtp-wdav.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-wdav.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/vtp-wdav.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-wdav.png diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md new file mode 100644 index 0000000000..545f77a114 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md @@ -0,0 +1,51 @@ +--- +title: Enable the limited periodic Microsoft Defender Antivirus scanning feature +description: Limited periodic scanning lets you use Microsoft Defender Antivirus in addition to your other installed AV providers +keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + + + +# Use limited periodic scanning in Microsoft Defender Antivirus + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device. + +It can only be enabled in certain situations. For more information about limited periodic scanning and how Microsoft Defender Antivirus works with other antivirus products, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md). + +**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a limited subset of the Microsoft Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively. + +## How to enable limited periodic scanning + +By default, Microsoft Defender Antivirus will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other product is out-of-date, expired, or not working correctly. + +If Microsoft Defender Antivirus is enabled, the usual options will appear to configure it on that device: + + + +If another antivirus product is installed and working correctly, Microsoft Defender Antivirus will disable itself. The Windows Security app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options. + +Underneath any third party AV products, a new link will appear as **Microsoft Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning. Note that the limited periodic option is a toggle to enable or disable periodic scanning. + +Sliding the switch to **On** will show the standard Microsoft Defender AV options underneath the third party AV product. The limited periodic scanning option will appear at the bottom of the page. + +## Related articles + +- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md similarity index 65% rename from windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md index 20d523d368..c29455e452 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Apply Windows Defender Antivirus updates after certain events -description: Manage how Windows Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports. +title: Apply Microsoft Defender Antivirus updates after certain events +description: Manage how Microsoft Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports. keywords: updates, protection, force updates, events, startup, check for latest, notifications search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -23,11 +23,11 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service. +Microsoft Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service. ## Check for protection updates before running a scan -You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan. +You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Microsoft Defender Antivirus to check and download protection updates before running a scheduled scan. ### Use Configuration Manager to check for protection updates before running a scan @@ -47,7 +47,7 @@ You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell c 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Scan**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Scan**. 5. Double-click **Check for the latest virus and spyware definitions before running a scheduled scan** and set the option to **Enabled**. @@ -61,7 +61,7 @@ Use the following cmdlets: Set-MpPreference -CheckForSignaturesBeforeRunningScan ``` -For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index). +For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index). ### Use Windows Management Instruction (WMI) to check for protection updates before running a scan @@ -75,7 +75,7 @@ For more information, see [Windows Defender WMIv2 APIs](https://docs.microsoft.c ## Check for protection updates on startup -You can use Group Policy to force Windows Defender Antivirus to check and download protection updates when the machine is started. +You can use Group Policy to force Microsoft Defender Antivirus to check and download protection updates when the machine is started. 1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. @@ -83,15 +83,15 @@ You can use Group Policy to force Windows Defender Antivirus to check and downlo 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. 5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**. 6. Click **OK**. -You can also use Group Policy, PowerShell, or WMI to configure Windows Defender Antivirus to check for updates at startup even when it is not running. +You can also use Group Policy, PowerShell, or WMI to configure Microsoft Defender Antivirus to check for updates at startup even when it is not running. -### Use Group Policy to download updates when Windows Defender Antivirus is not present +### Use Group Policy to download updates when Microsoft Defender Antivirus is not present 1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. @@ -99,13 +99,13 @@ You can also use Group Policy, PowerShell, or WMI to configure Windows Defender 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Security Intelligence Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. 5. Double-click **Initiate security intelligence update on startup** and set the option to **Enabled**. 6. Click **OK**. -### Use PowerShell cmdlets to download updates when Windows Defender Antivirus is not present +### Use PowerShell cmdlets to download updates when Microsoft Defender Antivirus is not present Use the following cmdlets: @@ -113,9 +113,9 @@ Use the following cmdlets: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine ``` -For more information, see [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +For more information, see [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. -### Use Windows Management Instruction (WMI) to download updates when Windows Defender Antivirus is not present +### Use Windows Management Instruction (WMI) to download updates when Microsoft Defender Antivirus is not present Use the [**Set** method of the **MSFT_MpPreference**](https://docs.microsoft.com/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties: @@ -129,9 +129,9 @@ For more information, see [Windows Defender WMIv2 APIs](https://docs.microsoft.c ## Allow ad hoc changes to protection based on cloud-delivered protection -Windows Defender AV can make changes to its protection based on cloud-delivered protection. Such changes can occur outside of normal or scheduled protection updates. +Microsoft Defender AV can make changes to its protection based on cloud-delivered protection. Such changes can occur outside of normal or scheduled protection updates. -If you have enabled cloud-delivered protection, Windows Defender AV will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Windows Defender AV to automatically receive that protection update. Other important protection updates can also be applied. +If you have enabled cloud-delivered protection, Microsoft Defender AV will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Microsoft Defender AV to automatically receive that protection update. Other important protection updates can also be applied. ### Use Group Policy to automatically download recent updates based on cloud-delivered protection @@ -141,7 +141,7 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. 5. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**. @@ -152,9 +152,9 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi ## Related articles -- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) -- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) -- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) -- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) +- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) +- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) +- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) +- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md similarity index 66% rename from windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md index 9a6e186de0..8956c31df7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Apply Windows Defender AV protection updates to out of date endpoints +title: Apply Microsoft Defender AV protection updates to out of date endpoints description: Define when and how updates should be applied for endpoints that have not updated in a while. keywords: updates, protection, out-of-date, outdated, old, catch-up search.product: eADQiWindows 10XVcnh @@ -17,21 +17,21 @@ ms.reviewer: manager: dansimp --- -# Manage Windows Defender Antivirus updates and scans for endpoints that are out of date +# Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis. +Microsoft Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis. For example, an employee that uses a particular PC is on break for three days and does not log on to their PC during that time. -When the user returns to work and logs on to their PC, Windows Defender Antivirus will immediately check and download the latest protection updates, and run a scan. +When the user returns to work and logs on to their PC, Microsoft Defender Antivirus will immediately check and download the latest protection updates, and run a scan. ## Set up catch-up protection updates for endpoints that haven't updated for a while -If Windows Defender Antivirus did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md). +If Microsoft Defender Antivirus did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-microsoft-defender-antivirus.md). ### Use Configuration Manager to configure catch-up protection updates @@ -40,7 +40,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie 2. Go to the **Security intelligence updates** section and configure the following settings: 1. Set **Force a security intelligence update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**. - 2. For the **If Configuration Manager is used as a source for security intelligence updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order). + 2. For the **If Configuration Manager is used as a source for security intelligence updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-microsoft-defender-antivirus.md#fallback-order). 3. Click **OK**. @@ -54,9 +54,9 @@ If Windows Defender Antivirus did not download protection updates for a specifie 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. +4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates**. -5. Double-click the **Define the number of days after which a catch-up security intelligence update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update. +5. Double-click the **Define the number of days after which a catch-up security intelligence update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Microsoft Defender AV to check for and download the latest protection update. 6. Click **OK**. @@ -68,7 +68,7 @@ Use the following cmdlets: Set-MpPreference -SignatureUpdateCatchupInterval ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. ### Use Windows Management Instruction (WMI) to configure catch-up protection updates @@ -84,7 +84,7 @@ See the following for more information and allowed parameters: ## Set the number of days before protection is reported as out-of-date -You can also specify the number of days after which Windows Defender Antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender Antivirus to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source. +You can also specify the number of days after which Microsoft Defender Antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Microsoft Defender Antivirus to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-microsoft-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source. ### Use Group Policy to specify the number of days before protection is considered out-of-date @@ -94,24 +94,24 @@ You can also specify the number of days after which Windows Defender Antivirus p 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings: +5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following settings: - 1. Double-click **Define the number of days before spyware definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to consider spyware Security intelligence to be out-of-date. + 1. Double-click **Define the number of days before spyware definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Microsoft Defender AV to consider spyware Security intelligence to be out-of-date. 2. Click **OK**. - 3. Double-click **Define the number of days before virus definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to consider virus Security intelligence to be out-of-date. + 3. Double-click **Define the number of days before virus definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Microsoft Defender AV to consider virus Security intelligence to be out-of-date. 4. Click **OK**. ## Set up catch-up scans for endpoints that have not been scanned for a while -You can set the number of consecutive scheduled scans that can be missed before Windows Defender Antivirus will force a scan. +You can set the number of consecutive scheduled scans that can be missed before Microsoft Defender Antivirus will force a scan. The process for enabling this feature is: -1. Set up at least one scheduled scan (see the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic). +1. Set up at least one scheduled scan (see the [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) topic). 2. Enable the catch-up scan feature. 3. Define the number of scans that can be skipped before a catch-up scan occurs. @@ -127,12 +127,12 @@ This feature can be enabled for both full and quick scans. 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan** and configure the following settings: +5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Scan** and configure the following settings: 1. If you have set up scheduled quick scans, double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. 2. If you have set up scheduled full scans, double-click the **Turn on catch-up full scan** setting and set the option to **Enabled**. Click **OK**. 3. Double-click the **Define the number of days after which a catch-up scan is forced** setting and set the option to **Enabled**. - 4. Enter the number of scans that can be missed before a scan will be automatically run when the user next logs on to the PC. The type of scan that is run is determined by the **Specify the scan type to use for a scheduled scan** (see the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic). Click **OK**. + 4. Enter the number of scans that can be missed before a scan will be automatically run when the user next logs on to the PC. The type of scan that is run is determined by the **Specify the scan type to use for a scheduled scan** (see the [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) topic). Click **OK**. > [!NOTE] > The Group Policy setting title refers to the number of days. The setting, however, is applied to the number of scans (not days) before the catch-up scan will be run. @@ -147,7 +147,7 @@ Set-MpPreference -DisableCatchupQuickScan ``` -See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. ### Use Windows Management Instruction (WMI) to configure catch-up scans @@ -174,9 +174,9 @@ See the following for more information and allowed parameters: ## Related articles -- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) -- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) -- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) -- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) +- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) +- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) +- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) +- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md similarity index 76% rename from windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md index c67fd41aa8..5ba75a3387 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Schedule Windows Defender Antivirus protection updates +title: Schedule Microsoft Defender Antivirus protection updates description: Schedule the day, time, and interval for when protection updates should be downloaded keywords: updates, security baselines, schedule updates search.product: eADQiWindows 10XVcnh @@ -24,7 +24,7 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Antivirus lets you determine when it should look for and download updates. +Microsoft Defender Antivirus lets you determine when it should look for and download updates. You can schedule updates for your endpoints by: @@ -32,7 +32,7 @@ You can schedule updates for your endpoints by: - Specifying the interval to check for protection updates - Specifying the time to check for protection updates -You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic for more information. +You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) topic for more information. ## Use Configuration Manager to schedule protection updates @@ -51,7 +51,7 @@ You can also randomize the times when each endpoint checks and downloads protect ## Use Group Policy to schedule protection updates > [!IMPORTANT] -> By default, Windows Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default. +> By default, Microsoft Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -59,7 +59,7 @@ You can also randomize the times when each endpoint checks and downloads protect 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings: +5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following settings: 1. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. 2. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. @@ -76,7 +76,7 @@ Set-MpPreference -SignatureScheduleTime Set-MpPreference -SignatureUpdateInterval ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. ## Use Windows Management Instruction (WMI) to schedule protection updates @@ -94,12 +94,12 @@ See the following for more information and allowed parameters: ## Related articles -- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) -- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) -- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) -- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) +- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) +- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) +- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) +- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md similarity index 72% rename from windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md index a487d96a32..fb6976a1fa 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Manage how and where Windows Defender AV receives updates -description: Manage the fallback order for how Windows Defender Antivirus receives protection updates. +title: Manage how and where Microsoft Defender AV receives updates +description: Manage the fallback order for how Microsoft Defender Antivirus receives protection updates. keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -16,7 +16,7 @@ manager: dansimp ms.custom: nextgen --- -# Manage the sources for Windows Defender Antivirus protection updates +# Manage the sources for Microsoft Defender Antivirus protection updates **Applies to:** @@ -25,11 +25,11 @@ ms.custom: nextgen -Keeping your antivirus protection up to date is critical. There are two components to managing protection updates for Windows Defender Antivirus: +Keeping your antivirus protection up to date is critical. There are two components to managing protection updates for Microsoft Defender Antivirus: - *Where* the updates are downloaded from; and - *When* updates are downloaded and applied. -This article describes how to specify from where updates should be downloaded (this is also known as the fallback order). See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates). +This article describes how to specify from where updates should be downloaded (this is also known as the fallback order). See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates). > [!IMPORTANT] > Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update and starting Monday, October 21, 2019, all security intelligence updates will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to update your security intelligence. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). @@ -53,13 +53,13 @@ There are five locations where you can specify where an endpoint should obtain u - [Windows Server Update Service](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) - [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - [Network file share](https://docs.microsoft.com/windows-server/storage/nfs/nfs-overview) -- [Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates) (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.) +- [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates) (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.) To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads. > [!IMPORTANT] > If you have set [Microsoft Malware Protection Center Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) (MMPC) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is 14 consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services). -> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).
+> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).
> Starting Monday, October 21, 2019, security intelligence updates will be SHA-2 signed exclusively. Devices must be updated to support SHA-2 in order to get the latest security intelligence updates. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus).
Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:
@@ -68,9 +68,9 @@ Each source has typical scenarios that depend on how your network is configured,
|---|---|
|Windows Server Update Service | You are using Windows Server Update Service to manage updates for your network.|
|Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.|
-|File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.|
+|File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.|
|Microsoft Endpoint Configuration Manager | You are using Microsoft Endpoint Configuration Manager to update your endpoints.|
-|Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively.
Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
+|Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively.
Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI.
@@ -104,8 +104,8 @@ The procedures in this article first describe how to set the order, and then how
6. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting.
> [!NOTE]
-> For Windows 10, versions 1703 up to and including 1809, the policy path is **Windows Components > Windows Defender Antivirus > Signature Updates**
-> For Windows 10, version 1903, the policy path is **Windows Components > Windows Defender Antivirus > Security Intelligence Updates**
+> For Windows 10, versions 1703 up to and including 1809, the policy path is **Windows Components > Microsoft Defender Antivirus > Signature Updates**
+> For Windows 10, version 1903, the policy path is **Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates**
## Use Configuration Manager to manage the update location
@@ -123,7 +123,7 @@ Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\
See the following articles for more information:
- [Set-MpPreference -SignatureFallbackOrder](https://docs.microsoft.com/powershell/module/defender/set-mppreference)
- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSource](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources)
-- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
+- [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md)
- [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index)
## Use Windows Management Instruction (WMI) to manage the update location
@@ -144,19 +144,19 @@ See [Policy CSP - Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.
## What if we're using a third-party vendor?
-This article describes how to configure and manage updates for Windows Defender Antivirus. However, third-party vendors can be used to perform these tasks.
+This article describes how to configure and manage updates for Microsoft Defender Antivirus. However, third-party vendors can be used to perform these tasks.
-For example, suppose that Contoso has hired Fabrikam to manage their security solution, which includes Windows Defender Antivirus. Fabrikam typically uses [Windows Management Instrumentation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus), [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus), or [Windows command-line](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to deploy patches and updates.
+For example, suppose that Contoso has hired Fabrikam to manage their security solution, which includes Microsoft Defender Antivirus. Fabrikam typically uses [Windows Management Instrumentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus), [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus), or [Windows command-line](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) to deploy patches and updates.
> [!NOTE]
-> Microsoft does not test third-party solutions for managing Windows Defender Antivirus.
+> Microsoft does not test third-party solutions for managing Microsoft Defender Antivirus.
## Related articles
-- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
-- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-- [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+- [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
similarity index 68%
rename from windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
index 5fdfa55aa4..f619b37fca 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Manage Windows Defender Antivirus updates and apply baselines
-description: Manage how Windows Defender Antivirus receives protection and product updates.
+title: Manage Microsoft Defender Antivirus updates and apply baselines
+description: Manage how Microsoft Defender Antivirus receives protection and product updates.
keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -16,35 +16,35 @@ ms.reviewer:
manager: dansimp
---
-# Manage Windows Defender Antivirus updates and apply baselines
+# Manage Microsoft Defender Antivirus updates and apply baselines
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-There are two types of updates related to keeping Windows Defender Antivirus up to date:
+There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
- Security intelligence updates
- Product updates
> [!IMPORTANT]
-> Keeping Windows Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
-> This also applies to devices where Windows Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility).
+> Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
+> This also applies to devices where Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
## Security intelligence updates
-Windows Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
+Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
-The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
+The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
Engine updates are included with the security intelligence updates and are released on a monthly cadence.
## Product updates
-Windows Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases.
+Microsoft Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases.
You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
-For more information, see [Manage the sources for Windows Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
+For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
> [!NOTE]
> We release these monthly updates in phases. This results in multiple packages showing up in your WSUS server.
@@ -58,11 +58,32 @@ All our updates contain:
* serviceability improvements
* integration improvements (Cloud, MTP)
+
+
May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)
+
+ Security intelligence update version: **1.317.20.0**
+ Released: **May 26, 2020**
+ Platform: **4.18.2005.4**
+ Engine: **1.1.17100.2**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+* Improved logging for scan events
+* Improved user mode crash handling.
+* Added event tracing for Tamper protection
+* Fixed AMSI Sample submission
+* Fixed AMSI Cloud blocking
+* Fixed Security update install log
+
+### Known Issues
+No known issues
+
+
@@ -139,7 +160,7 @@ Support phase: **Technical upgrade Support (Only)**
* Fixed BSOD on WS2016 with Exchange
* Support platform updates when TMP is redirected to network path
* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates)
-* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
+* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility)
* Fix 4.18.1911.10 hang
### Known Issues
@@ -171,7 +192,7 @@ No known issues
April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)
- Security intelligence update version: **TBD**
+ Security intelligence update version: **1.315.12.0**
Released: **April 30, 2020**
Platform: **4.18.2004.6**
Engine: **1.1.17000.2**
@@ -93,14 +114,14 @@ No known issues
### What's new
-* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus)
+* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus)
* Improve diagnostic capability
* reduce Security intelligence timeout (5min)
* Extend AMSI engine internal log capability
* Improve notification for process blocking
### Known Issues
-[**Fixed**] Windows Defender Antivirus is skipping files when running a scan.
+[**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan.
-## Windows Defender Antivirus platform support
+## Microsoft Defender Antivirus platform support
As stated above, platform and engine updates are provided on a monthly cadence.
Customers must stay current with the latest platform update to be fully supported. Our support structure is now dynamic, evolving into two phases depending on the availability of the latest platform version:
@@ -186,7 +207,7 @@ Customers must stay current with the latest platform update to be fully supporte
During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsoft’s managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version or an intermediate update (*).
### Platform version included with Windows 10 releases
-The below table provides the Windows Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:
+The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:
|Windows 10 release |Platform version |Engine version |Support phase |
|-|-|-|-|
@@ -205,8 +226,8 @@ Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsof
Article | Description
---|---
-[Manage how protection updates are downloaded and applied](manage-protection-updates-windows-defender-antivirus.md) | Protection updates can be delivered through a number of sources.
-[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) | You can schedule when protection updates should be downloaded.
-[Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on.
-[Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events.
-[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
+[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources.
+[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded.
+[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on.
+[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events.
+[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
similarity index 76%
rename from windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
index 94b9e04752..fb9cbcf454 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Define how mobile devices are updated by Windows Defender AV
-description: Manage how mobile devices, such as laptops, should be updated with Windows Defender AV protection updates.
+title: Define how mobile devices are updated by Microsoft Defender AV
+description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender AV protection updates.
keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -31,13 +31,13 @@ There are two settings that are particularly useful for these devices:
- Prevent Security intelligence updates when running on battery power
The following topics may also be useful in these situations:
-- [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
+- [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+- [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md)
## Opt-in to Microsoft Update on mobile computers without a WSUS connection
-You can use Microsoft Update to keep Security intelligence on mobile devices running Windows Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
+You can use Microsoft Update to keep Security intelligence on mobile devices running Microsoft Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update.
@@ -55,7 +55,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
4. Click **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**.
+5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**.
6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
@@ -73,7 +73,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
## Prevent Security intelligence updates when running on battery power
-You can configure Windows Defender Antivirus to only download protection updates when the PC is connected to a wired power source.
+You can configure Microsoft Defender Antivirus to only download protection updates when the PC is connected to a wired power source.
### Use Group Policy to prevent security intelligence updates on battery power
@@ -83,7 +83,7 @@ You can configure Windows Defender Antivirus to only download protection updates
4. Click **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following setting:
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following setting:
1. Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**.
2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power.
@@ -91,5 +91,5 @@ You can configure Windows Defender Antivirus to only download protection updates
## Related articles
-- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Update and manage Windows Defender Antivirus in Windows 10](deploy-manage-report-windows-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Update and manage Microsoft Defender Antivirus in Windows 10](deploy-manage-report-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
new file mode 100644
index 0000000000..2cb802f3b8
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -0,0 +1,98 @@
+---
+title: Microsoft Defender Antivirus compatibility with other security products
+description: Microsoft Defender Antivirus operates in different ways depending on what other security products you have installed, and the operating system you are using.
+keywords: windows defender, atp, advanced threat protection, compatibility, passive mode
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.reviewer:
+manager: dansimp
+---
+
+# Microsoft Defender Antivirus compatibility
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Overview
+
+Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
+- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode.
+- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.)
+- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/shadow-protection) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
+
+## Antivirus and Microsoft Defender ATP
+
+The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP.
+
+
+| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Microsoft Defender Antivirus state |
+|------|------|-------|-------|
+| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
+| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode |
+| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode |
+| Windows 10 | Microsoft Defender Antivirus | No | Active mode |
+| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] |
+| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)] |
+| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | Yes | Active mode |
+| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | No | Active mode |
+
+(1) On Windows Server 2016 or 2019, Microsoft Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Microsoft Defender Antivirus on Windows Server 2016 or 2019](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-microsoft-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine.
+
+If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
+- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
+- Name: ForceDefenderPassiveMode
+- Value: 1
+
+See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations.
+
+> [!IMPORTANT]
+> Microsoft Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019.
+>
+> In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager.
+>
+> Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
+
+## Functionality and features available in each state
+
+The following table summarizes the functionality and features that are available in each state:
+
+|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) |
+|--|--|--|--|--|--|
+|Active mode
|Yes |No |Yes |Yes |Yes |
+|Passive mode |No |No |Yes |No |Yes |
+|[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md) |No |No |Yes |Yes |Yes |
+|Automatic disabled mode |No |Yes |No |No |No |
+
+- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
+- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service.
+- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
+- In Automatic disabled mode, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
+
+## Keep the following points in mind
+
+If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
+
+When Microsoft Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
+
+In passive and automatic disabled mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+
+If you uninstall the other product, and choose to use Microsoft Defender Antivirus to provide protection to your endpoints, Microsoft Defender Antivirus will automatically return to its normal active mode.
+
+> [!WARNING]
+> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+
+
+## Related topics
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md)
+- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
new file mode 100644
index 0000000000..4be2a05301
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
@@ -0,0 +1,59 @@
+---
+title: Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
+description: Learn how to manage, configure, and use Microsoft Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016
+keywords: Microsoft Defender Antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.date: 02/25/2020
+ms.reviewer:
+manager: dansimp
+ms.custom: nextgen
+---
+
+# Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
+
+**Applies to:**
+
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Microsoft Defender Antivirus: Your next-generation protection
+
+Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include the following:
+
+- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md). This includes always-on scanning using file and process behavior monitoring and other heuristics (also known as "real-time protection"). It also includes detecting and blocking apps that are deemed unsafe, but may not be detected as malware.
+- [Cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). This includes near-instant detection and blocking of new and emerging threats.
+- [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md). This includes updates related to keeping Microsoft Defender Antivirus up to date.
+
+## Try a demo!
+
+Visit the [Microsoft Defender ATP demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios:
+- Cloud-delivered protection
+- Block at first sight (BAFS) protection
+- Potentially unwanted applications (PUA) protection
+
+## Minimum system requirements
+
+Microsoft Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see:
+
+- [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
+- [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components)
+
+## Configure next-generation protection services
+
+For information on how to configure next-generation protection services, see [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md).
+
+> [!Note]
+> Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Microsoft Defender Antivirus; however, there are some differences. To learn more, see [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md).
+
+## Related articles
+
+- [Microsoft Defender Antivirus management and configuration](configuration-management-reference-microsoft-defender-antivirus.md)
+
+- [Evaluate Microsoft Defender Antivirus protection](evaluate-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
similarity index 59%
rename from windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
index 6ff0b08f83..2108fffbab 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender Antivirus on Windows Server 2016 and 2019
-description: Enable and configure Windows Defender AV on Windows Server 2016 and 2019
+title: Microsoft Defender Antivirus on Windows Server 2016 and 2019
+description: Enable and configure Microsoft Defender AV on Windows Server 2016 and 2019
keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -16,28 +16,28 @@ ms.reviewer:
manager: dansimp
---
-# Windows Defender Antivirus on Windows Server 2016 and 2019
+# Microsoft Defender Antivirus on Windows Server 2016 and 2019
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Windows Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same.
+Microsoft Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Microsoft Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same.
-While the functionality, configuration, and management are largely the same for Windows Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019:
+While the functionality, configuration, and management are largely the same for Microsoft Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019:
-- In Windows Server, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
-- In Windows Server, Windows Defender Antivirus does not automatically disable itself if you are running another antivirus product.
+- In Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role.
+- In Windows Server, Microsoft Defender Antivirus does not automatically disable itself if you are running another antivirus product.
## The process at a glance
-The process of setting up and running Windows Defender Antivirus on a server platform includes several steps:
+The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps:
1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019)
-2. [Install Windows Defender Antivirus](#install-windows-defender-antivirus-on-windows-server-2016-or-2019)
+2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019)
-2. [Verify Windows Defender Antivirus is running](#verify-windows-defender-antivirus-is-running)
+2. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running)
3. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence)
@@ -45,11 +45,11 @@ The process of setting up and running Windows Defender Antivirus on a server pla
5. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions)
-6. (Only if necessary) [Uninstall Windows Defender Antivirus](#need-to-uninstall-windows-defender-antivirus)
+6. (Only if necessary) [Uninstall Microsoft Defender Antivirus](#need-to-uninstall-microsoft-defender-antivirus)
## Enable the user interface on Windows Server 2016 or 2019
-By default, Windows Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Windows Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or PowerShell.
+By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or PowerShell.
### Turn on the GUI using the Add Roles and Features Wizard
@@ -61,9 +61,7 @@ In Windows Server 2016, the **Add Roles and Features Wizard** looks like this:
-In Windows Server 2019, the **Add Roles and Feature Wizard** looks like this:
-
-
+In Windows Server 2019, the **Add Roles and Feature Wizard** looks much the same.
### Turn on the GUI using PowerShell
@@ -73,30 +71,30 @@ The following PowerShell cmdlet will enable the interface:
Install-WindowsFeature -Name Windows-Defender-GUI
```
-## Install Windows Defender Antivirus on Windows Server 2016 or 2019
+## Install Microsoft Defender Antivirus on Windows Server 2016 or 2019
-You can use either the **Add Roles and Features Wizard** or PowerShell to install Windows Defender Antivirus.
+You can use either the **Add Roles and Features Wizard** or PowerShell to install Microsoft Defender Antivirus.
### Use the Add Roles and Features Wizard
1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**.
-2. When you get to the **Features** step of the wizard, select the Windows Defender Antivirus option. Also select the **GUI for Windows Defender** option.
+2. When you get to the **Features** step of the wizard, select the Microsoft Defender Antivirus option. Also select the **GUI for Windows Defender** option.
### Use PowerShell
-To use PowerShell to install Windows Defender Antivirus, run the following cmdlet:
+To use PowerShell to install Microsoft Defender Antivirus, run the following cmdlet:
```PowerShell
Install-WindowsFeature -Name Windows-Defender
```
-Event messages for the antimalware engine included with Windows Defender Antivirus can be found in [Windows Defender AV Events](troubleshoot-windows-defender-antivirus.md).
+Event messages for the antimalware engine included with Microsoft Defender Antivirus can be found in [Microsoft Defender AV Events](troubleshoot-microsoft-defender-antivirus.md).
-## Verify Windows Defender Antivirus is running
+## Verify Microsoft Defender Antivirus is running
-To verify that Windows Defender Antivirus is running on your server, run the following PowerShell cmdlet:
+To verify that Microsoft Defender Antivirus is running on your server, run the following PowerShell cmdlet:
```PowerShell
Get-Service -Name windefend
@@ -108,17 +106,17 @@ To verify that firewall protection is turned on, run the following PowerShell cm
Get-Service -Name mpssvc
```
-As an alternative to PowerShell, you can use Command Prompt to verify that Windows Defender Antivirus is running. To do that, run the following command from a command prompt:
+As an alternative to PowerShell, you can use Command Prompt to verify that Microsoft Defender Antivirus is running. To do that, run the following command from a command prompt:
-```DOS
+```console
sc query Windefend
```
-The `sc query` command returns information about the Windows Defender Antivirus service. When Windows Defender Antivirus is running, the `STATE` value displays `RUNNING`.
+The `sc query` command returns information about the Microsoft Defender Antivirus service. When Microsoft Defender Antivirus is running, the `STATE` value displays `RUNNING`.
## Update antimalware Security intelligence
-In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Windows Defender Antivirus Security intelligence are approved for the computers you manage.
+In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage.
By default, Windows Update does not download and install updates automatically on Windows Server 2016 or 2019. You can change this configuration by using one of the following methods:
@@ -135,11 +133,11 @@ To ensure that protection from malware is maintained, we recommend that you enab
- Windows Update service
-The following table lists the services for Windows Defender Antivirus and the dependent services.
+The following table lists the services for Microsoft Defender Antivirus and the dependent services.
|Service Name|File Location|Description|
|--------|---------|--------|
-|Windows Defender Service (WinDefend)|`C:\Program Files\Windows Defender\MsMpEng.exe`|This is the main Windows Defender Antivirus service that needs to be running at all times.|
+|Windows Defender Service (WinDefend)|`C:\Program Files\Windows Defender\MsMpEng.exe`|This is the main Microsoft Defender Antivirus service that needs to be running at all times.|
|Windows Error Reporting Service (Wersvc)|`C:\WINDOWS\System32\svchost.exe -k WerSvcGroup`|This service sends error reports back to Microsoft.|
|Windows Defender Firewall (MpsSvc)|`C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork`|We recommend leaving the Windows Defender Firewall service enabled.|
|Windows Update (Wuauserv)|`C:\WINDOWS\system32\svchost.exe -k netsvcs`|Windows Update is needed to get Security intelligence updates and antimalware engine updates|
@@ -161,28 +159,28 @@ To enable automatic sample submission, start a Windows PowerShell console as an
|Setting |Description |
|---------|---------|
-|**0** Always prompt |The Windows Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Windows Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
-|**1** Send safe samples automatically |The Windows Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |
-|**2** Never send |The Windows Defender Antivirus service does not prompt and does not send any files. |
-|**3** Send all samples automatically |The Windows Defender Antivirus service sends all files without a prompt for confirmation. |
+|**0** Always prompt |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
+|**1** Send safe samples automatically |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |
+|**2** Never send |The Microsoft Defender Antivirus service does not prompt and does not send any files. |
+|**3** Send all samples automatically |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. |
## Configure automatic exclusions
-To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender Antivirus on Windows Server 2016 or 2019.
+To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Microsoft Defender Antivirus on Windows Server 2016 or 2019.
-See [Configure exclusions in Windows Defender Antivirus on Windows Server](configure-server-exclusions-windows-defender-antivirus.md).
+See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md).
-## Need to uninstall Windows Defender Antivirus?
+## Need to uninstall Microsoft Defender Antivirus?
-If you are using a third-party antivirus solution and you're running into issues with that solution and Windows Defender Antivirus, you can consider uninstalling Windows Defender Antivirus. Before you do that, review the following resources:
+If you are using a third-party antivirus solution and you're running into issues with that solution and Microsoft Defender Antivirus, you can consider uninstalling Microsoft Defender Antivirus. Before you do that, review the following resources:
- See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products).
-- See [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection.
+- See [Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Microsoft Defender Antivirus together with Microsoft Defender Advanced Threat Protection.
-If you determine you do want to uninstall Windows Defender Antivirus, follow the steps in the following sections.
+If you determine you do want to uninstall Microsoft Defender Antivirus, follow the steps in the following sections.
-### Uninstall Windows Defender Antivirus using the Remove Roles and Features wizard
+### Uninstall Microsoft Defender Antivirus using the Remove Roles and Features wizard
1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**.
@@ -190,14 +188,14 @@ If you determine you do want to uninstall Windows Defender Antivirus, follow the
If you unselect **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**.
- Windows Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
+ Microsoft Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
-### Uninstall Windows Defender Antivirus using PowerShell
+### Uninstall Microsoft Defender Antivirus using PowerShell
>[!NOTE]
>You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
-The following PowerShell cmdlet will also uninstall Windows Defender AV on Windows Server 2016 or 2019:
+The following PowerShell cmdlet will also uninstall Microsoft Defender AV on Windows Server 2016 or 2019:
```PowerShell
Uninstall-WindowsFeature -Name Windows-Defender
@@ -205,7 +203,7 @@ Uninstall-WindowsFeature -Name Windows-Defender
### Turn off the GUI using PowerShell
-To turn off the Windows Defender Antivirus GUI, use the following PowerShell cmdlet:
+To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell cmdlet:
```PowerShell
Uninstall-WindowsFeature -Name Windows-Defender-GUI
@@ -214,8 +212,8 @@ Uninstall-WindowsFeature -Name Windows-Defender-GUI
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
+- [Configure exclusions in Microsoft Defender AV on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
new file mode 100644
index 0000000000..0a396c5667
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
@@ -0,0 +1,137 @@
+---
+title: Microsoft Defender Offline in Windows 10
+description: You can use Microsoft Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network.
+keywords: scan, defender, offline
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.reviewer:
+manager: dansimp
+---
+
+# Run and review the results of a Microsoft Defender Offline scan
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
+
+You can use Microsoft Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean of the endpoint after a malware outbreak.
+
+In Windows 10, Microsoft Defender Offline can be run with one click directly from the [Windows Security app](microsoft-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Microsoft Defender Offline to bootable media, restart the endpoint, and load the bootable media.
+
+## prerequisites and requirements
+
+Microsoft Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
+
+For more information about Windows 10 requirements, see the following topics:
+
+- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
+
+- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx)
+
+> [!NOTE]
+> Microsoft Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
+
+To run Microsoft Defender Offline from the endpoint, the user must be logged in with administrator privileges.
+
+## Microsoft Defender Offline updates
+
+Microsoft Defender Offline uses the most recent protection updates available on the endpoint; it's updated whenever Windows Defender Antivirus is updated.
+
+> [!NOTE]
+> Before running an offline scan, you should attempt to update Microsoft Defender AV protection. You can either force an update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
+
+See the [Manage Microsoft Defender Antivirus Security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md) topic for more information.
+
+## Usage scenarios
+
+In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Microsoft Defender Offline needs to run, it will prompt the user on the endpoint.
+
+The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're using it to manage your endpoints.
+
+The prompt can occur via a notification, similar to the following:
+
+
+
+The user will also be notified within the Windows Defender client.
+
+In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**.
+
+Microsoft Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
+
+
+
+## Configure notifications
+
+
+Microsoft Defender Offline notifications are configured in the same policy setting as other Microsoft Defender AV notifications.
+
+For more information about notifications in Windows Defender, see the [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) topic.
+
+## Run a scan
+
+> [!IMPORTANT]
+> Before you use Microsoft Defender Offline, make sure you save any files and shut down running programs. The Microsoft Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
+
+You can run a Microsoft Defender Offline scan with the following:
+
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- The Windows Security app
+
+
+
+### Use PowerShell cmdlets to run an offline scan
+
+Use the following cmdlets:
+
+```PowerShell
+Start-MpWDOScan
+```
+
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+### Use Windows Management Instruction (WMI) to run an offline scan
+
+Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class to run an offline scan.
+
+The following WMI script snippet will immediately run a Microsoft Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
+
+```console
+wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
+```
+
+See the following for more information:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
+
+
+### Use the Windows Defender Security app to run an offline scan
+
+1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label:
+
+3. Select **Microsoft Defender Offline scan** and click **Scan now**.
+
+ > [!NOTE]
+ > In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client.
+
+
+## Review scan results
+
+Microsoft Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history).
+
+
+## Related articles
+
+- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
similarity index 76%
rename from windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
index 75d23d70dd..c2d53844a7 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender Antivirus in the Windows Security app
-description: Windows Defender AV is now included in the Windows Security app.
+title: Microsoft Defender Antivirus in the Windows Security app
+description: With Microsoft Defender AV now included in the Windows Security app, you can review, compare, and perform common tasks.
keywords: wdav, antivirus, firewall, security, windows
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -16,7 +16,7 @@ ms.reviewer:
manager: dansimp
---
-# Windows Defender Antivirus in the Windows Security app
+# Microsoft Defender Antivirus in the Windows Security app
**Applies to:**
@@ -27,8 +27,8 @@ In Windows 10, version 1703 and later, the Windows Defender app is part of the W
Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
> [!IMPORTANT]
-> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
->It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
+> Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
+>It may also prevent Microsoft Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
>This will significantly lower the protection of your device and could lead to malware infection.
@@ -52,22 +52,22 @@ The following diagrams compare the location of settings and functions between th
-
+
Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | Description
---|---|---|---
1 | **Update** tab | **Protection updates** | Update the protection (Security intelligence)
2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed
3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission
-4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Windows Defender Offline scan
+4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Microsoft Defender Offline scan
5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option
## Common tasks
-This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the Windows Security app.
+This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Microsoft Defender Antivirus in the Windows Security app.
> [!NOTE]
-> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured.
+> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) topic describes how local policy override settings can be configured.
@@ -96,7 +96,7 @@ This section describes how to perform some of the most common tasks when reviewi
4. Click **Check for updates** to download new protection updates (if there are any).
-### Ensure Windows Defender Antivirus is enabled in the Windows Security app
+### Ensure Microsoft Defender Antivirus is enabled in the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -108,12 +108,12 @@ This section describes how to perform some of the most common tasks when reviewi
>[!NOTE]
>If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.
- >If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md).
+ >If you install another antivirus product, Microsoft Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md).
-### Add exclusions for Windows Defender Antivirus in the Windows Security app
+### Add exclusions for Microsoft Defender Antivirus in the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -130,14 +130,14 @@ The following table summarizes exclusion types and what happens:
|Exclusion type |Defined by |What happens |
|---------|---------|---------|
-|**File** |Location
Example: `c:\sample\sample.test` |The specific file is skipped by Windows Defender Antivirus. |
-|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Windows Defender Antivirus. |
-|**File type** |File extension
Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Windows Defender Antivirus. |
-|**Process** |Executable file path
Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Windows Defender Antivirus. |
+|**File** |Location
Example: `c:\sample\sample.test` |The specific file is skipped by Microsoft Defender Antivirus. |
+|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. |
+|**File type** |File extension
Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
+|**Process** |Executable file path
Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
To learn more, see:
-- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus)
-- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus)
+- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
+- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
### Review threat detection history in the Windows Defender Security Center app
@@ -167,6 +167,6 @@ To learn more, see:
## Related articles
-- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
similarity index 75%
rename from windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
index 77a5c15cf1..58f370b7dd 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: "Better together - Windows Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats"
-description: "Office 365, which includes OneDrive, goes together wonderfully with Windows Defender Antivirus. Read this article to learn more."
+title: "Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats"
+description: "Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more."
keywords: windows defender, antivirus, office 365, onedrive, restore, ransomware
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -19,22 +19,22 @@ ms.reviewer:
manager: dansimp
---
-# Better together: Windows Defender Antivirus and Office 365
+# Better together: Microsoft Defender Antivirus and Office 365
**Applies to:**
-- Windows Defender Antivirus
+- Microsoft Defender Antivirus
- Office 365
You might already know that:
-- **Windows Defender Antivirus protects your Windows 10 device from software threats, such as viruses, malware, and spyware**. Windows Defender Antivirus is your complete, ongoing protection, built into Windows 10 and ready to go. [Windows Defender Antivirus is your next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
+- **Microsoft Defender Antivirus protects your Windows 10 device from software threats, such as viruses, malware, and spyware**. Microsoft Defender Antivirus is your complete, ongoing protection, built into Windows 10 and ready to go. [Microsoft Defender Antivirus is your next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
- **Office 365 includes antiphishing, antispam, and antimalware protection**. With your Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and advanced security across all your devices. This is true for home and business users. And if you're a business user, and your organization is using Office 365 E5, you get even more protection through Office 365 Advanced Threat Protection. [Protect against threats with Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats).
- **OneDrive, included in Office 365, enables you to store your files and folders online, and share them as you see fit**. You can work together with people (for work or fun), and coauthor files that are stored in OneDrive. You can also access your files across all your devices (your PC, phone, and tablet). [Manage sharing in OneDrive](https://docs.microsoft.com/OneDrive/manage-sharing).
-**But did you know there are good security reasons to use Windows Defender Antivirus together with Office 365**? Here are two:
+**But did you know there are good security reasons to use Microsoft Defender Antivirus together with Office 365**? Here are two:
1. [You get ransomware protection and recovery](#ransomware-protection-and-recovery).
@@ -44,11 +44,11 @@ Read the following sections to learn more.
## Ransomware protection and recovery
-When you save your files to [OneDrive](https://docs.microsoft.com/onedrive), and [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) detects a ransomware threat on your device, the following things occur:
+When you save your files to [OneDrive](https://docs.microsoft.com/onedrive), and [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) detects a ransomware threat on your device, the following things occur:
1. **You are told about the threat**. (If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (ATP), your security operations team is notified, too.)
-2. **Windows Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender ATP, your security operations team can determine whether other devices are infected and take appropriate action, too.)
+2. **Microsoft Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender ATP, your security operations team can determine whether other devices are infected and take appropriate action, too.)
3. **You get the option to recover your files in OneDrive**. With the OneDrive Files Restore feature, you can recover your files in OneDrive to the state they were in before the ransomware attack occurred. See [Ransomware detection and recovering your files](https://support.office.com/article/0d90ec50-6bfd-40f4-acc7-b8c12c73637f).
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
similarity index 86%
rename from windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 52966241d0..3d058b3d8f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -25,9 +25,9 @@ ms.custom: nextgen
## Overview
-During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring.
+During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring.
-With tamper protection, malicious apps are prevented from taking actions like these:
+With tamper protection, malicious apps are prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
@@ -37,11 +37,10 @@ With tamper protection, malicious apps are prevented from taking actions like th
### How it works
- Tamper protection essentially locks Windows Defender Antivirus and prevents your security settings from being changed through apps and methods like these:
+ Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as:
- Configuring settings in Registry Editor on your Windows machine
- Changing settings through PowerShell cmdlets
- Editing or removing security settings through group policies
-- and so on.
Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; this is managed by your security team.
@@ -60,7 +59,7 @@ Tamper protection doesn't prevent you from viewing your security settings. And,
## Turn tamper protection on (or off) for an individual machine
> [!NOTE]
-> Tamper protection blocks attempts to modify Windows Defender Antivirus settings through the registry.
+> Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings through the registry.
>
> To help ensure that tamper protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
>
@@ -74,28 +73,28 @@ If you are a home user, or you are not subject to settings managed by a security
3. Set **Tamper Protection** to **On** or **Off**.
-Here's what you see in the Windows Security app:
+ Here's what you see in the Windows Security app:
-
+ 
## Turn tamper protection on (or off) for your organization using Intune
-If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal ([https://aka.ms/intuneportal](https://aka.ms/intuneportal)).
+If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal ([https://aka.ms/intuneportal](https://aka.ms/intuneportal)).
> [!NOTE]
-> The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.
+> The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.
-You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
+You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune:
- - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
+ - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.)
- Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.)
- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
- - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).)
+ - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
-2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account.
+2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account.
3. Select **Device configuration** > **Profiles**.
@@ -113,10 +112,6 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
5. Assign the profile to one or more groups.
-Here's what you see in the Windows Security app:
-
-
-
### Are you using Windows OS 1709, 1803, or 1809?
If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled.
@@ -131,17 +126,17 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release
## View information about tampering attempts
-Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
+Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
-When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
-Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts.
+Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts.
## Review your security recommendations
-Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
+Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
@@ -165,7 +160,7 @@ No
No. Third-party antivirus offerings will continue to register with the Windows Security application.
-### What happens if Windows Defender Antivirus is not active on a device?
+### What happens if Microsoft Defender Antivirus is not active on a device?
Tamper protection will not have any impact on such devices.
@@ -175,18 +170,18 @@ If you are a home user, see [Turn tamper protection on (or off) for an individua
If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune).
-### How does configuring tamper protection in Intune affect how I manage Windows Defender Antivirus through my group policy?
+### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus through my group policy?
-Your regular group policy doesn’t apply to tamper protection, and changes to Windows Defender Antivirus settings are ignored when tamper protection is on.
+Your regular group policy doesn’t apply to tamper protection, and changes to Microsoft Defender Antivirus settings are ignored when tamper protection is on.
>[!NOTE]
->A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Windows Defender Antivirus features protected by tamper protection. To avoid any potential delays, we recommend that you remove settings that control Windows Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Windows Defender Antivirus settings.
-> Sample Windows Defender Antivirus settings:
-> Turn off Windows Defender Antivirus
+>A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Microsoft Defender Antivirus features protected by tamper protection. To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Microsoft Defender Antivirus settings.
+> Sample Microsoft Defender Antivirus settings:
+> Turn off Microsoft Defender Antivirus
> Computer Configuration\Administrative Templates\Windows Components\Windows Defender\
Value DisableAntiSpyware = 0
>Turn off real-time protection
-Computer Configuration\Administrative Templates\Windows Components\Windows Defender Antivirus\Real-time Protection\
+Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\
Value DisableRealtimeMonitoring = 0
### For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization only?
@@ -216,7 +211,7 @@ In this case, tamper protection status changes, and this feature is no longer ap
### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center?
-Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
+Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
In addition, your security operations team can use hunting queries, such as the following:
@@ -234,4 +229,4 @@ No.
[Get an overview of Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
-[Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](why-use-microsoft-antivirus.md)
+[Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](why-use-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
similarity index 65%
rename from windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
index 8f6ebb3c64..18c0fdfc15 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Hide the Windows Defender Antivirus interface
+title: Hide the Microsoft Defender Antivirus interface
description: You can hide virus and threat protection tile in the Windows Security app.
keywords: ui lockdown, headless mode, hide app, hide settings, hide interface
search.product: eADQiWindows 10XVcnh
@@ -17,17 +17,17 @@ ms.reviewer:
manager: dansimp
---
-# Prevent users from seeing or interacting with the Windows Defender Antivirus user interface
+# Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can use Group Policy to prevent users on endpoints from seeing the Windows Defender Antivirus interface. You can also prevent them from pausing scans.
+You can use Group Policy to prevent users on endpoints from seeing the Microsoft Defender Antivirus interface. You can also prevent them from pausing scans.
-## Hide the Windows Defender Antivirus interface
+## Hide the Microsoft Defender Antivirus interface
-In Windows 10, versions 1703, hiding the interface will hide Windows Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Security app.
+In Windows 10, versions 1703, hiding the interface will hide Microsoft Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Security app.
With the setting set to **Enabled**:
@@ -38,13 +38,13 @@ With the setting set to **Disabled** or not configured:
>[!NOTE]
->Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+>Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app."
-## Use Group Policy to hide the Windows Defender AV interface from users
+## Use Group Policy to hide the Microsoft Defender AV interface from users
1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -52,11 +52,11 @@ In earlier versions of Windows 10, the setting will hide the Windows Defender cl
3. Click **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**.
5. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**.
-See [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) for more options on preventing users form modifying protection on their PCs.
+See [Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) for more options on preventing users form modifying protection on their PCs.
## Prevent users from pausing a scan
@@ -70,14 +70,14 @@ You can prevent users from pausing scans, which can be helpful to ensure schedul
3. Click **Administrative templates**.
-4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Scan**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
5. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**.
## Related articles
-- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+- [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
-- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)
+- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
similarity index 61%
rename from windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
index caea14600c..aa0b387ceb 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Monitor and report on Windows Defender Antivirus protection
-description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Windows Defender AV with PowerShell and WMI.
-keywords: siem, monitor, report, windows defender av
+title: Monitor and report on Microsoft Defender Antivirus protection
+description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Microsoft Defender AV with PowerShell and WMI.
+keywords: siem, monitor, report, Microsoft Defender AV
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -17,28 +17,28 @@ ms.reviewer:
manager: dansimp
---
-# Report on Windows Defender Antivirus
+# Report on Microsoft Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).
+With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).
-Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings.
+Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Microsoft Defender Antivirus issues, including protection updates and real-time protection settings.
If you have a third-party security information and event management (SIEM) server, you can also consume [Windows Defender client events](https://msdn.microsoft.com/library/windows/desktop/aa964766(v=vs.85).aspx).
-Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security auditing](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md).
+Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security auditing](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-microsoft-defender-antivirus.md).
These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/library/windows/desktop/bb427443(v=vs.85).aspx). Often, SIEM servers have connectors for Windows events, allowing you to correlate all security events in your SIEM server.
You can also [monitor malware events using the Malware Assessment solution in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-malware).
-For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref2).
+For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-microsoft-defender-antivirus.md#ref2).
## Related articles
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..325b0800ee
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
@@ -0,0 +1,43 @@
+---
+title: Restore quarantined files in Microsoft Defender AV
+description: You can restore files and folders that were quarantined by Microsoft Defender AV.
+keywords:
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 05/20/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Restore quarantined files in Microsoft Defender AV
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain a quarantined file is not a threat, you can restore it.
+
+1. Open **Windows Security**.
+2. Select **Virus & threat protection** and then click **Protection history**.
+3. In the list of all recent items, filter on **Quarantined Items**.
+4. Select an item you want to keep, and take an action, such as restore.
+
+> [!TIP]
+> Restoring a file from quarantine can also be done using Command Prompt. See [Restore a file from quarantine](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts#restore-file-from-quarantine).
+
+## Related articles
+
+- [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
+- [Review scan results](review-scan-results-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
+
diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
similarity index 66%
rename from windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
index d0f31c4c8d..1e4a2b7142 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Review the results of Windows Defender AV scans
+title: Review the results of Microsoft Defender AV scans
description: Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
keywords: scan results, remediation, full scan, quick scan
search.product: eADQiWindows 10XVcnh
@@ -17,13 +17,13 @@ ms.reviewer:
manager: dansimp
---
-# Review Windows Defender Antivirus scan results
+# Review Microsoft Defender Antivirus scan results
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-After an Windows Defender Antivirus scan completes, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results.
+After an Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results.
## Use Microsoft Intune to review scan results
@@ -56,7 +56,7 @@ Get-MpThreat
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
## Use Windows Management Instruction (WMI) to review scan results
@@ -65,5 +65,5 @@ Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**]
## Related articles
-- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
similarity index 66%
rename from windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
index f36197fe0f..a0fc81be46 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Run and customize on-demand scans in Windows Defender AV
+title: Run and customize on-demand scans in Microsoft Defender AV
description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
keywords: scan, on-demand, dos, intune, instant scan
search.product: eADQiWindows 10XVcnh
@@ -17,7 +17,7 @@ ms.reviewer:
manager: dansimp
---
-# Configure and run on-demand Windows Defender Antivirus scans
+# Configure and run on-demand Microsoft Defender Antivirus scans
**Applies to:**
@@ -30,7 +30,7 @@ You can run an on-demand scan on individual endpoints. These scans will start im
Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
-Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
+Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
@@ -50,7 +50,7 @@ Use the following `-scan` parameter:
```DOS
mpcmdrun.exe -scan -scantype 1
```
-See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
+See [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
## Use Microsoft Intune to run a scan
@@ -61,7 +61,7 @@ See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defen
## Use the Windows Security app to run a scan
-See [Run a scan in the Windows Security app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints.
+See [Run a scan in the Windows Security app](microsoft-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints.
## Use PowerShell cmdlets to run a scan
@@ -70,7 +70,7 @@ Use the following cmdlet:
```PowerShell
Start-MpScan
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
## Use Windows Management Instruction (WMI) to run a scan
@@ -82,6 +82,6 @@ See the following for more information and allowed parameters:
## Related articles
-- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md)
-- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
similarity index 70%
rename from windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
index b2b391a114..a155de8626 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Schedule regular quick and full scans with Windows Defender AV
+title: Schedule regular quick and full scans with Microsoft Defender AV
description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular
search.product: eADQiWindows 10XVcnh
@@ -17,19 +17,19 @@ ms.reviewer:
manager: dansimp
---
-# Configure scheduled quick or full Windows Defender Antivirus scans
+# Configure scheduled quick or full Microsoft Defender Antivirus scans
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!NOTE]
-> By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default.
+> By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
-In addition to always-on real-time protection and [on-demand](run-scan-windows-defender-antivirus.md) scans, you can set up regular, scheduled scans.
+In addition to always-on real-time protection and [on-demand](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled scans.
-You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
+You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
@@ -41,11 +41,11 @@ To configure the Group Policy settings described in this topic:
4. Click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
-Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics.
+Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) topics.
## Quick scan versus full scan and custom scan
@@ -53,11 +53,11 @@ When you set up scheduled scans, you can set up whether the scan should be a ful
Quick scans look at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
-Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
+Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
-A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-windows-defender-antivirus.md).
+A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-microsoft-defender-antivirus.md).
A custom scan allows you to specify the files and folders to scan, such as a USB drive.
@@ -69,7 +69,7 @@ A custom scan allows you to specify the files and folders to scan, such as a USB
Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
>[!NOTE]
->If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan at the next scheduled time.
+>If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus will run a full scan at the next scheduled time.
**Use Group Policy to schedule scans:**
@@ -78,7 +78,7 @@ Location | Setting | Description | Default setting (if not configured)
Scan | Specify the scan type to use for a scheduled scan | Quick scan
Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am
-Root | Randomize scheduled task times |In Windows Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled
+Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled
**Use PowerShell cmdlets to schedule scans:**
@@ -92,7 +92,7 @@ Set-MpPreference -RandomizeScheduleTaskTimes
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
**Use Windows Management Instruction (WMI) to schedule scans:**
@@ -127,7 +127,7 @@ Use the following cmdlets:
Set-MpPreference -ScanOnlyIfIdleEnabled
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
**Use Windows Management Instruction (WMI):**
@@ -163,7 +163,7 @@ Set-MpPreference -RemediationScheduleDay
Set-MpPreference -RemediationScheduleTime
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
**Use Windows Management Instruction (WMI):**
@@ -200,7 +200,7 @@ Use the following cmdlets:
Set-MpPreference -ScanScheduleQuickTime
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
**Use Windows Management Instruction (WMI) to schedule daily scans:**
@@ -217,7 +217,7 @@ See the following for more information and allowed parameters:
## Enable scans after protection updates
-You can force a scan to occur after every [protection update](manage-protection-updates-windows-defender-antivirus.md) with Group Policy.
+You can force a scan to occur after every [protection update](manage-protection-updates-microsoft-defender-antivirus.md) with Group Policy.
**Use Group Policy to schedule scans after protection updates**
@@ -232,9 +232,9 @@ Signature updates | Turn on scan after Security intelligence update | A scan wil
## Related topics
-- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md)
-- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md)
-- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
similarity index 69%
rename from windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
index d04a0c0bd5..c6a20d3a13 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Specify cloud-delivered protection level in Windows Defender Antivirus
-description: Set the aggressiveness of cloud-delivered protection in Windows Defender Antivirus.
-keywords: windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
+title: Specify cloud-delivered protection level in Microsoft Defender Antivirus
+description: Set the aggressiveness of cloud-delivered protection in Microsoft Defender Antivirus.
+keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -23,24 +23,24 @@ ms.custom: nextgen
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager.
+You can specify the level of cloud-protection offered by Microsoft Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager.
>[!NOTE]
->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+>The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
## Use Intune to specify the level of cloud-delivered protection
1. Sign in to the [Azure portal](https://portal.azure.com).
2. Select **All services > Intune**.
3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
+4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**.
5. On the **File Blocking Level** switch, select one of the following:
1. **High**: Applies a strong level of detection.
2. **High +**: Uses the **High** level and applies additional protection measures (may impact client performance).
3. **Zero tolerance**: Blocks all unknown executables.
-8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
+8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
@@ -59,10 +59,10 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht
4. Click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**.
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**.
6. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
- - **Default Windows Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files.
+ - **Default Microsoft Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files.
- **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives).
- **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives).
- **Zero tolerance blocking level** blocks all unknown executables.
@@ -75,8 +75,8 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht
## Related articles
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
similarity index 83%
rename from windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
index 8b02e56f61..75665404c2 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender AV event IDs and error codes
-description: Look up the causes and solutions for Windows Defender Antivirus event IDs and errors
+title: Microsoft Defender AV event IDs and error codes
+description: Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors
keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -17,19 +17,19 @@ ms.reviewer:
manager: dansimp
---
-# Review event logs and error codes to troubleshoot issues with Windows Defender Antivirus
+# Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
+If you encounter a problem with Microsoft Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
The tables list:
-- [Windows Defender Antivirus event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016)
-- [Windows Defender Antivirus client error codes](#error-codes)
-- [Internal Windows Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes)
+- [Microsoft Defender Antivirus event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016)
+- [Microsoft Defender Antivirus client error codes](#error-codes)
+- [Internal Microsoft Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes)
> [!TIP]
> You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
@@ -39,18 +39,18 @@ The tables list:
> - Potentially unwanted application blocking
-## Windows Defender Antivirus event IDs
+## Microsoft Defender Antivirus event IDs
-Windows Defender Antivirus records event IDs in the Windows event log.
+Microsoft Defender Antivirus records event IDs in the Windows event log.
-You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender Antivirus client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
+You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Microsoft Defender Antivirus client event IDs](troubleshoot-microsoft-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
-The table in this section lists the main Windows Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error.
+The table in this section lists the main Microsoft Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error.
-## To view a Windows Defender Antivirus event
+## To view a Microsoft Defender Antivirus event
1. Open **Event Viewer**.
-2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender Antivirus**.
+2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Microsoft Defender Antivirus**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event.
5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
@@ -324,7 +324,7 @@ Description of the error.
User action:
- Run the scan again. @@ -432,7 +432,7 @@ Message: Description:
- User: <Domain>\<User>
- Name: <Threat name> @@ -484,7 +484,7 @@ Message: Description:
- User: <Domain>\<User>
- Name: <Threat name> @@ -543,7 +543,7 @@ Message: Description:
- Name: <Threat name>
- ID: <Threat ID> @@ -587,7 +587,7 @@ Message: Description:
- Name: <Threat name>
- ID: <Threat ID> @@ -634,7 +634,7 @@ Message: Description:
For more information, see the following: +Microsoft Defender Antivirus has deleted an item from quarantine.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID> @@ -677,7 +677,7 @@ Message: Description:
- Name: <Threat name> @@ -725,7 +725,7 @@ Message: Description:
- Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
- User: <Domain>\<User> @@ -756,7 +756,7 @@ The antimalware platform could not delete history of malware and other potential Description:
- Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
- User: <Domain>\<User> @@ -791,7 +791,7 @@ Message: Description:
For more information, see the following: +Microsoft Defender Antivirus has detected a suspicious behavior.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID> @@ -868,7 +868,7 @@ Message: Description:
For more information, see the following: +Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID> @@ -921,7 +921,7 @@ UAC User action:
For more information, see the following: +Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID> @@ -1010,7 +1010,7 @@ Description of the error.
- Signature Version: <Definition version>
- Engine Version: <Antimalware Engine version> NOTE: -Whenever Windows Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services that the malware might have changed:
- Default Internet Explorer or Microsoft Edge setting
- User Access Control settings
- Chrome settings @@ -1049,7 +1049,7 @@ Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Se User action:
-
+Whenever Microsoft Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services that the malware might have changed:
For more information, see the following: +Microsoft Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID> @@ -1144,7 +1144,7 @@ Description of the error. User action:
For more information, see the following: +Microsoft Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID> @@ -1239,7 +1239,7 @@ Description of the error. User action:
| Action | @@ -1302,7 +1302,7 @@ Symbolic name: Message:-Windows Defender Antivirus has deduced the hashes for a threat resource. +Microsoft Defender Antivirus has deduced the hashes for a threat resource. | ||||||||
|---|---|---|---|---|---|---|---|---|---|
-Windows Defender Antivirus client is up and running in a healthy state.
+Microsoft Defender Antivirus client is up and running in a healthy state.
|
-Windows Defender Antivirus client is up and running in a healthy state.
+Microsoft Defender Antivirus client is up and running in a healthy state.
|
-No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis. +No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported on an hourly basis. | -No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when signatures are successfully updated. +No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when signatures are successfully updated. | ||||||
-Windows Defender Antivirus has encountered an error trying to update signatures.
+Microsoft Defender Antivirus has encountered an error trying to update signatures.
|
-Windows Defender Antivirus engine version has been updated.
+Microsoft Defender Antivirus engine version has been updated.
|
-No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when the antimalware engine is successfully updated. +No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when the antimalware engine is successfully updated. | |||||||
-Windows Defender Antivirus has encountered an error trying to update the engine.
+Microsoft Defender Antivirus has encountered an error trying to update the engine.
|
-The Windows Defender Antivirus client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
+The Microsoft Defender Antivirus client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
To troubleshoot this event:
|
-Windows Defender Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
+Microsoft Defender Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
|
-The Windows Defender Antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender Antivirus will attempt to revert back to a known-good set of definitions.
+The Microsoft Defender Antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Microsoft Defender Antivirus will attempt to revert back to a known-good set of definitions.
To troubleshoot this event:
|
-Windows Defender Antivirus could not load antimalware engine because current platform version is not supported. Windows Defender Antivirus will revert back to the last known-good engine and a platform update will be attempted.
+Microsoft Defender Antivirus could not load antimalware engine because current platform version is not supported. Microsoft Defender Antivirus will revert back to the last known-good engine and a platform update will be attempted.
|
-Windows Defender Antivirus has encountered an error trying to update the platform.
+Microsoft Defender Antivirus has encountered an error trying to update the platform.
|
-Windows Defender Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender Antivirus platform to maintain the best level of protection available.
+Microsoft Defender Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Microsoft Defender Antivirus platform to maintain the best level of protection available.
|
-Windows Defender Antivirus used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
+Microsoft Defender Antivirus used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
|
-Windows Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.
+Microsoft Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.
|
-No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions. +No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions. |
-Windows Defender Antivirus has encountered an error trying to use Dynamic Signature Service.
+Microsoft Defender Antivirus has encountered an error trying to use Dynamic Signature Service.
|
-Windows Defender Antivirus discarded all Dynamic Signature Service signatures.
+Microsoft Defender Antivirus discarded all Dynamic Signature Service signatures.
|
-Windows Defender Antivirus downloaded a clean file.
+Microsoft Defender Antivirus downloaded a clean file.
|
-Windows Defender Antivirus has encountered an error trying to download a clean file.
+Microsoft Defender Antivirus has encountered an error trying to download a clean file.
|
Check your Internet connectivity settings. -The Windows Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. +The Microsoft Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. | |||||
| -Windows Defender Antivirus downloaded and configured offline antivirus to run on the next reboot. +Microsoft Defender Antivirus downloaded and configured offline antivirus to run on the next reboot. | |||||||||
-Windows Defender Antivirus has encountered an error trying to download and configure offline antivirus.
+Microsoft Defender Antivirus has encountered an error trying to download and configure offline antivirus.
|
-The support for your operating system will expire shortly. Running Windows Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats. +The support for your operating system will expire shortly. Running Microsoft Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats. | ||||||||
| -The support for your operating system has expired. Running Windows Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats. +The support for your operating system has expired. Running Microsoft Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats. | |||||||||
| -The support for your operating system has expired. Windows Defender Antivirus is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats. +The support for your operating system has expired. Microsoft Defender Antivirus is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats. | |||||||||
-Windows Defender Antivirus Real-Time Protection feature has encountered an error and failed.
+Microsoft Defender Antivirus Real-Time Protection feature has encountered an error and failed.
|
You should restart the system then run a full scan because it's possible the system was not protected for some time. -The Windows Defender Antivirus client's real-time protection feature encountered an error because one of the services failed to start. +The Microsoft Defender Antivirus client's real-time protection feature encountered an error because one of the services failed to start. If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. | @@ -2310,7 +2310,7 @@ Message: Description:
-Windows Defender Antivirus Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
+Microsoft Defender Antivirus Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
|
@@ -2357,7 +2357,7 @@ Message:
Description:
-Windows Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled. +Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled. | ||||||
| -Windows Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled. +Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled. | |||||||||
-Windows Defender Antivirus real-time protection feature configuration has changed.
+Microsoft Defender Antivirus real-time protection feature configuration has changed.
|
-Windows Defender Antivirus configuration has changed. If this is an unexpected event, you should review the settings as this may be the result of malware.
+Microsoft Defender Antivirus configuration has changed. If this is an unexpected event, you should review the settings as this may be the result of malware.
|
-Windows Defender Antivirus engine has been terminated due to an unexpected error.
+Microsoft Defender Antivirus engine has been terminated due to an unexpected error.
|
-The Windows Defender Antivirus client engine stopped due to an unexpected error.
+The Microsoft Defender Antivirus client engine stopped due to an unexpected error.
To troubleshoot this event:
|
-Windows Defender Antivirus scanning for malware and other potentially unwanted software has been enabled. +Microsoft Defender Antivirus scanning for malware and other potentially unwanted software has been enabled. | |||||
| -Windows Defender Antivirus scanning for malware and other potentially unwanted software is disabled. +Microsoft Defender Antivirus scanning for malware and other potentially unwanted software is disabled. | |||||||||
| -Windows Defender Antivirus scanning for viruses has been enabled. +Microsoft Defender Antivirus scanning for viruses has been enabled. | |||||||||
| -Windows Defender Antivirus scanning for viruses is disabled. +Microsoft Defender Antivirus scanning for viruses is disabled. | |||||||||
-Windows Defender Antivirus has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
+Microsoft Defender Antivirus has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
|
-Windows Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
+Microsoft Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
|
| Resolution |
|
| Possible reason | -This error indicates that Windows Defender Antivirus failed to quarantine a threat. +This error indicates that Microsoft Defender Antivirus failed to quarantine a threat. |
| ERROR_MP_PLATFORM_OUTDATED | |
| Possible reason | -This error indicates that Windows Defender Antivirus does not support the current version of the platform and requires a new version of the platform. +This error indicates that Microsoft Defender Antivirus does not support the current version of the platform and requires a new version of the platform. |
| Resolution |
-You can only use Windows Defender Antivirus in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection. |
+You can only use Microsoft Defender Antivirus in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.
Or,
+| Field | -Value | -
|---|---|
| Name | -Name for the Data Input | -Login URL | -URL to authenticate the azure app (Default : https://login.microsoftonline.com) | - -Endpoint | -Depending on the location of your datacenter, select any of the following URL: For EU: https://wdatp-alertexporter-eu.securitycenter.windows.comFor US: https://wdatp-alertexporter-us.securitycenter.windows.com For UK: https://wdatp-alertexporter-uk.securitycenter.windows.com
-
- |
| Tenant ID | -Azure Tenant ID | -Resource | -Value from the SIEM integration feature page | -
| Client ID | -Value from the SIEM integration feature page | -
| Client Secret | -Value from the SIEM integration feature page | -
- Windows 10 (all releases)
- Windows Server 2016 or later | |Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering
See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | -|Cloud-delivered protection |Make sure Windows Defender Antivirus is configured such that cloud-delivered protection is enabled.
See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus). | -|Windows Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | -|Windows Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | +|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled.
See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | +|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | +|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | > [!IMPORTANT] > To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features. @@ -73,23 +73,19 @@ The following image shows an instance of unwanted software that was detected and ### Will EDR in block mode have any impact on a user's antivirus protection? -No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Windows Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected. +No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected. -### Why do I need to keep Windows Defender Antivirus up to date? +### Why do I need to keep Microsoft Defender Antivirus up to date? -Because Windows Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest machine learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Windows Defender Antivirus up to date. +Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest machine learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date. ### Why do we need cloud protection on? Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and machine learning models. -### Can I participate in the preview of EDR in block mode? - -EDR in block mode is currently in limited private preview. If you would like to participate in this private preview program, send email to `shwjha@microsoft.com`. - ## Related articles [Behavioral blocking and containment](behavioral-blocking-containment.md) -[Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus) +[Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 9115bc352e..2506f2934b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -12,30 +12,37 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/05/2020 +ms.date: 06/04/2020 ms.reviewer: manager: dansimp --- # Enable attack surface reduction rules -[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuse to compromise devices and networks. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. +[Attack surface reduction rules](attack-surface-reduction.md) (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. You can set ASR rules for devices running any of the following editions and versions of Windows: +- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later +- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later +- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -Each ASR rule contains three settings: +Each ASR rule contains one of three settings: -* Not configured: Disable the ASR rule -* Block: Enable the ASR rule -* Audit: Evaluate how the ASR rule would impact your organization if enabled +- Not configured: Disable the ASR rule +- Block: Enable the ASR rule +- Audit: Evaluate how the ASR rule would impact your organization if enabled -To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. +To use ASR rules, you must have either a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses so you can take advantage of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). Advanced monitoring and reporting capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. + +> [!TIP] +> To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf). You can enable attack surface reduction rules by using any of these methods: -* [Microsoft Intune](#intune) -* [Mobile Device Management (MDM)](#mdm) -* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) -* [Group Policy](#group-policy) -* [PowerShell](#powershell) +- [Microsoft Intune](#intune) +- [Mobile Device Management (MDM)](#mdm) +- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) +- [Group Policy](#group-policy) +- [PowerShell](#powershell) Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup. @@ -43,6 +50,8 @@ Enterprise-level management such as Intune or Microsoft Endpoint Configuration M You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices. +You can also exclude ASR rules from triggering based on certificate and file hashes by allowing specified Microsoft Defender ATP file and certificate indicators. (See [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).) + > [!IMPORTANT] > Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. > If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). @@ -50,7 +59,7 @@ You can exclude files and folders from being evaluated by most attack surface re You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. -ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). The following procedures for enabling ASR rules include instructions for how to exclude files and folders. @@ -60,9 +69,9 @@ The following procedures for enabling ASR rules include instructions for how to 2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule. -3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format: +3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows: - *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path* + `C:\folder`, `%ProgramFiles%\folder\file`, `C:\path` 4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one. @@ -72,23 +81,23 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https The following is a sample for reference, using [GUID values for ASR rules](attack-surface-reduction.md#attack-surface-reduction-rules). -OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules +`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules` -Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1 +`Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1` The values to enable, disable, or enable in audit mode are: -* Disable = 0 -* Block (enable ASR rule) = 1 -* Audit = 2 +- Disable = 0 +- Block (enable ASR rule) = 1 +- Audit = 2 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. Example: -OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions +`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions` -Value: c:\path|e:\path|c:\Whitelisted.exe +`Value: c:\path|e:\path|c:\Whitelisted.exe` > [!NOTE] > Be sure to enter OMA-URI values without spaces. @@ -96,11 +105,16 @@ Value: c:\path|e:\path|c:\Whitelisted.exe ## Microsoft Endpoint Configuration Manager 1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -1. Click **Home** > **Create Exploit Guard Policy**. -1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**. -1. Choose which rules will block or audit actions and click **Next**. -1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. + +2. Click **Home** > **Create Exploit Guard Policy**. + +3. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**. + +4. Choose which rules will block or audit actions and click **Next**. + +5. Review the settings and click **Next** to create the policy. + +6. After the policy is created, click **Close**. ## Group Policy @@ -111,17 +125,17 @@ Value: c:\path|e:\path|c:\Whitelisted.exe 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. +3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. -4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section: +4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section. - * Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: + Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - * Disable = 0 - * Block (enable ASR rule) = 1 - * Audit = 2 + - Disable = 0 + - Block (enable ASR rule) = 1 + - Audit = 2 -  +  5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. @@ -162,11 +176,11 @@ Value: c:\path|e:\path|c:\Whitelisted.exe > Set-MpPreference -AttackSurfaceReductionRules_Ids
variable.+
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See Onboard Windows 10 machines.
Ensure real-time antimalware protection is running properly. @@ -208,7 +208,7 @@ Ensure real-time antimalware protection is running properly.
variable.+
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See Onboard Windows 10 machines.
Ensure real-time antimalware protection is running properly. @@ -249,7 +249,7 @@ If the identifier does not persist, the same machine might appear twice in the p
variable.+
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See Onboard Windows 10 machines.
Supports [OData V4 queries](https://www.odata.org/documentation/). -
The OData's ```$filter``` query is supported on: ```alertCreationTime```, ```incidentId```, ```InvestigationId```, ```status```, ```severity``` and ```category``` properties. +
The OData's ```$filter``` query is supported on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md index c0088b91f6..3313e63989 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md @@ -1,6 +1,6 @@ --- title: Get IP related alerts API -description: Retrieves a collection of alerts related to a given IP address. +description: Retrieve a collection of alerts related to a given IP address using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, ip, related, alerts search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index 9bc08c2680..5d0c64e02c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -1,6 +1,6 @@ --- title: Get IP statistics API -description: Retrieves the prevalence for the given IP. +description: Get the latest stats for your IP using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, ip, statistics, prevalence search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md index 55e74662e6..f922b6a35e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md @@ -1,6 +1,6 @@ --- title: Get KB collection API -description: Retrieves a collection of KB's. +description: Retrieve a collection of knowledge bases (KB's) and KB details with Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, kb search.product: eADQiWindows 10XVcnh search.appverid: met150 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md index 59e1357d2e..6c8f358205 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md @@ -1,6 +1,6 @@ --- title: Get machine log on users API -description: Retrieves a collection of logged on users. +description: Retrieve a collection of logged on users on a specific machine using Microsoft Defender ATP APIs. keywords: apis, graph api, supported apis, get, machine, log on, users search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -73,7 +73,7 @@ Here is an example of the request. [!include[Improve request performance](../../includes/improve-request-performance.md)] ``` -GET https://api.securitycenter.windows.com/api/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers +GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers ``` **Response** diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md index c9883c2e4a..08f5fff7d0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md @@ -1,6 +1,6 @@ --- title: List machineActions API -description: Use this API to create calls related to get machineactions collection +description: Use the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) API to create calls related to get machineactions collection. keywords: apis, graph api, supported apis, machineaction collection search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md index 066146d158..04eec16b78 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md @@ -46,6 +46,14 @@ To have your company listed as a partner in the in-product partner page, you wil 3. Provide a 15-word product description. 4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Please note that any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. You should allow at least 10 days for review process to be performed. 5. If you use a multi-tenant Azure AD approach, we will need the AAD application name to track usage of the application. +6. We'd like to request that you include the User-Agent field in each API call made to Microsoft Defender ATP public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA). + Follow these steps: + 1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP integrated product with the version of the product that includes this integration. + - ISV Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}` + - Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{TenantID}` + + 2. Set the User-Agent field in each HTTP request header to the name based on the above nomenclature. + For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0` Partnership with Microsoft Defender ATP help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender ATP partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together. diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index 0eaec5311d..b2e2bce19f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -1,6 +1,6 @@ --- title: Get user related alerts API -description: Retrieves a collection of alerts related to a given user ID. +description: Retrieve a collection of alerts related to a given user ID using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, user, related, alerts search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png b/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png index 7635b49f3e..50aaff6186 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png and b/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/Artifactblockedjuicypotato.png b/windows/security/threat-protection/microsoft-defender-atp/images/Artifactblockedjuicypotato.png new file mode 100644 index 0000000000..3baa36a30e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/Artifactblockedjuicypotato.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/NTLMalertjuicypotato.png b/windows/security/threat-protection/microsoft-defender-atp/images/NTLMalertjuicypotato.png new file mode 100644 index 0000000000..0ecdbe5a2d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/NTLMalertjuicypotato.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-page.png new file mode 100644 index 0000000000..eb5819123e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-initialaccessalert.png b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-initialaccessalert.png new file mode 100644 index 0000000000..f02cd3b7c4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-initialaccessalert.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-processtree.png b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-processtree.png new file mode 100644 index 0000000000..cc46690248 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-processtree.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/blocked-behav-alert.png b/windows/security/threat-protection/microsoft-defender-atp/images/blocked-behav-alert.png new file mode 100644 index 0000000000..e9cb104a05 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/blocked-behav-alert.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png index 78d20dc4ee..6712c06845 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-setup.png index fda12c1b95..2977a16c2d 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-setup.png and b/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-setup.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/install-agent.png b/windows/security/threat-protection/microsoft-defender-atp/images/install-agent.png new file mode 100644 index 0000000000..c477df78f0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/install-agent.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/lab-creation-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/lab-creation-page.png index 5f76ba9386..316e3e0700 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/lab-creation-page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/lab-creation-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/lab-setup-summary.png b/windows/security/threat-protection/microsoft-defender-atp/images/lab-setup-summary.png new file mode 100644 index 0000000000..68c1dcf142 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/lab-setup-summary.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/machines-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/machines-tab.png new file mode 100644 index 0000000000..4275f94ded Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/machines-tab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-next-gen-EDR-behavblockcontain.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-next-gen-EDR-behavblockcontain.png new file mode 100644 index 0000000000..add1b5bd15 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-next-gen-EDR-behavblockcontain.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png b/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png new file mode 100644 index 0000000000..cea5e255f5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png index 4b1576ec23..bcfd6506d9 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/select-simulator.png b/windows/security/threat-protection/microsoft-defender-atp/images/select-simulator.png new file mode 100644 index 0000000000..e98bc4b89e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/select-simulator.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/send-us-feedback-eval-lab.png b/windows/security/threat-protection/microsoft-defender-atp/images/send-us-feedback-eval-lab.png index 8b37ac8a3a..f7d6472ba7 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/send-us-feedback-eval-lab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/send-us-feedback-eval-lab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png b/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png index 94c724f0c8..ef062f0c8e 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-aiq.png b/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-aiq.png new file mode 100644 index 0000000000..9eeb6d31cd Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-aiq.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-sb.png b/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-sb.png new file mode 100644 index 0000000000..706bd97b0c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-sb.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/simulations-catalog.png b/windows/security/threat-protection/microsoft-defender-atp/images/simulations-catalog.png new file mode 100644 index 0000000000..4e84bc76f1 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/simulations-catalog.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/simulations-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/simulations-tab.png new file mode 100644 index 0000000000..437ee70e30 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/simulations-tab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md index 47494dd290..ba6d70f4b3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md @@ -61,7 +61,7 @@ For more information on these actions, see [Take response action on a file](resp The file details, incident, malware detection, and file prevalence cards display various attributes about the file. -You'll see details such as the file’s MD5, the Virus Total detection ratio, and Windows Defender AV detection if available, and the file’s prevalence, both worldwide and within your organizations. +You'll see details such as the file’s MD5, the Virus Total detection ratio, and Microsoft Defender AV detection if available, and the file’s prevalence, both worldwide and within your organizations.  diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md index ef0797f456..5d04bf7089 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md @@ -48,10 +48,10 @@ Process | A specific process (specified either by the full path or file name) an File, folder, and process exclusions support the following wildcards: -Wildcard | Description | Example | Matches ----|---|---|--- -\* | Matches any number of any characters including none | `/var/\*/\*.log` | `/var/log/system.log` -? | Matches any single character | `file?.log` | `file1.log`
`file2.log` +Wildcard | Description | Example | Matches | Does not match +---|---|---|---|--- +\* | Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/\*/\*.log` | `/var/log/system.log` | `/var/log/nested/system.log` +? | Matches any single character | `file?.log` | `file1.log`
`file2.log` | `file123.log` ## How to configure the list of exclusions diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 250093e512..31656eeae6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -179,18 +179,59 @@ In order to preview new features and provide early feedback, it is recommended t sudo yum install mdatp ``` + If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device. + + ```bash + # list all repositories + $ yum repolist + ... + packages-microsoft-com-prod packages-microsoft-com-prod 316 + packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins 2 + ... + + # install the package from the production repository + $ sudo yum --enablerepo=packages-microsoft-com-prod install mdatp + ``` + - SLES and variants: ```bash sudo zypper install mdatp ``` + If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device. + + ```bash + # list all repositories + $ zypper repos + ... + # | Alias | Name | ... + XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ... + XX | packages-microsoft-com-prod | microsoft-prod | ... + ... + + # install the package from the production repository + $ sudo zypper install packages-microsoft-com-prod:mdatp + ``` + - Ubuntu and Debian system: ```bash sudo apt-get install mdatp ``` + If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device. + + ```bash + # list all repositories + $ cat /etc/apt/sources.list.d/* + deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/18.04/prod insiders-fast main + deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main + + # install the package from the production repository + $ sudo apt -t bionic install mdatp + ``` + ## Download the onboarding package Download the onboarding package from Microsoft Defender Security Center: @@ -276,6 +317,10 @@ Download the onboarding package from Microsoft Defender Security Center: See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +## Operating system upgrades + +When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device. + ## Uninstallation -See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices. +See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index d097245cf8..34b6be737e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md @@ -255,6 +255,10 @@ Now run the tasks files under `/etc/ansible/playbooks/`. See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +## Operating system upgrades + +When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device. + ## References - [Add or remove YUM repositories](https://docs.ansible.com/ansible/2.3/yum_repository_module.html) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 92c721fedf..3914bf58e0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -207,6 +207,10 @@ If the product is not healthy, the exit code (which can be checked through `echo See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +## Operating system upgrades + +When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device. + ## Uninstallation Create a module *remove_mdatp* similar to *install_mdatp* with the following contents in *init.pp* file: diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md new file mode 100644 index 0000000000..7a7de6e01f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md @@ -0,0 +1,300 @@ +--- +title: Privacy for Microsoft Defender ATP for Linux +description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Linux. +keywords: microsoft, defender, atp, linux, privacy, diagnostic +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Privacy for Microsoft Defender ATP for Linux + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) + +Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Microsoft Defender ATP for Linux. + +This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected. + +## Overview of privacy controls in Microsoft Defender ATP for Linux + +This section describes the privacy controls for the different types of data collected by Microsoft Defender ATP for Linux. + +### Diagnostic data + +Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. + +Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations. + +There are two levels of diagnostic data for Microsoft Defender ATP client software that you can choose from: + +* **Required**: The minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and performing as expected on the device it’s installed on. + +* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues. + +By default, only required diagnostic data is sent to Microsoft. + +### Cloud delivered protection data + +Cloud delivered protection is used to provide increased and faster protection with access to the latest protection data in the cloud. + +Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network. + +### Sample data + +Sample data is used to improve the protection capabilities of the product, by sending Microsoft suspicious samples so they can be analyzed. Enabling automatic sample submission is optional. + +There are three levels for controlling sample submission: + +- **None**: no suspicious samples are submitted to Microsoft. +- **Safe**: only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting. +- **All**: all suspicious samples are submitted to Microsoft. + +## Manage privacy controls with policy settings + +If you're an IT administrator, you might want to configure these controls at the enterprise level. + +The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md). + +As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization. + +## Diagnostic data events + +This section describes what is considered required diagnostic data and what is considered optional diagnostic data, along with a description of the events and fields that are collected. + +### Data fields that are common for all events +There is some information about events that is common to all events, regardless of category or data subtype. + +The following fields are considered common for all events: + +| Field | Description | +| ----------------------- | ----------- | +| platform | The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized. | +| machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | +| sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | +| org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. | +| hostname | Local machine name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | +| product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. | +| app_version | Version of the Microsoft Defender ATP for Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.| +| sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. | +| supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. | +| release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. | + +### Required diagnostic data + +**Required diagnostic data** is the minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and perform as expected on the device it’s installed on. + +Required diagnostic data helps to identify problems with Microsoft Defender ATP that may be related to a device or software configuration. For example, it can help determine if a Microsoft Defender ATP feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Microsoft Defender ATP features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced. + +#### Software setup and inventory data events + +**Microsoft Defender ATP installation / uninstallation** + +The following fields are collected: + +| Field | Description | +| ---------------- | ----------- | +| correlation_id | Unique identifier associated with the installation. | +| version | Version of the package. | +| severity | Severity of the message (for example Informational). | +| code | Code that describes the operation. | +| text | Additional information associated with the product installation. | + +**Microsoft Defender ATP configuration** + +The following fields are collected: + +| Field | Description | +| --------------------------------------------------- | ----------- | +| antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. | +| antivirus_engine.passive_mode | Whether passive mode is enabled on the device or not. | +| cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. | +| cloud_service.timeout | Time out when the application communicates with the Microsoft Defender ATP cloud. | +| cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. | +| cloud_service.service_uri | URI used to communicate with the cloud. | +| cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). | +| cloud_service.automatic_sample_submission | Automatic sample submission level of the device (none, safe, all). | +| edr.early_preview | Whether the machine should run EDR early preview features. | +| edr.group_id | Group identifier used by the detection and response component. | +| edr.tags | User-defined tags. | +| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. | + +#### Product and service usage data events + +**Security intelligence update report** + +The following fields are collected: + +| Field | Description | +| ---------------- | ----------- | +| from_version | Original security intelligence version. | +| to_version | New security intelligence version. | +| status | Status of the update indicating success or failure. | +| using_proxy | Whether the update was done over a proxy. | +| error | Error code if the update failed. | +| reason | Error message if the update failed. | + +#### Product and service performance data events + +**Kernel extension statistics** + +The following fields are collected: + +| Field | Description | +| ---------------- | ----------- | +| version | Version of Microsoft Defender ATP for Linux. | +| instance_id | Unique identifier generated on kernel extension startup. | +| trace_level | Trace level of the kernel extension. | +| subsystem | The underlying subsystem used for real-time protection. | +| ipc.connects | Number of connection requests received by the kernel extension. | +| ipc.rejects | Number of connection requests rejected by the kernel extension. | +| ipc.connected | Whether there is any active connection to the kernel extension. | + +#### Support data + +**Diagnostic logs** + +Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs: + +- All files under */var/log/microsoft/mdatp* +- Subset of files under */etc/opt/microsoft/mdatp* that are created and used by Microsoft Defender ATP for Linux +- Product installation and uninstallation logs under */var/log/microsoft_mdatp_\*.log* + +### Optional diagnostic data + +**Optional diagnostic data** is additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and fix issues. + +If you choose to send us optional diagnostic data, required diagnostic data is also included. + +Examples of optional diagnostic data include data Microsoft collects about product configuration (for example number of exclusions set on the device) and product performance (aggregate measures about the performance of components of the product). + +#### Software setup and inventory data events + +**Microsoft Defender ATP configuration** + +The following fields are collected: + +| Field | Description | +| -------------------------------------------------- | ----------- | +| connection_retry_timeout | Connection retry time-out when communication with the cloud. | +| file_hash_cache_maximum | Size of the product cache. | +| crash_upload_daily_limit | Limit of crash logs uploaded daily. | +| antivirus_engine.exclusions[].is_directory | Whether the exclusion from scanning is a directory or not. | +| antivirus_engine.exclusions[].path | Path that was excluded from scanning. | +| antivirus_engine.exclusions[].extension | Extension excluded from scanning. | +| antivirus_engine.exclusions[].name | Name of the file excluded from scanning. | +| antivirus_engine.scan_cache_maximum | Size of the product cache. | +| antivirus_engine.maximum_scan_threads | Maximum number of threads used for scanning. | +| antivirus_engine.threat_restoration_exclusion_time | Time out before a file restored from the quarantine can be detected again. | +| filesystem_scanner.full_scan_directory | Full scan directory. | +| filesystem_scanner.quick_scan_directories | List of directories used in quick scan. | +| edr.latency_mode | Latency mode used by the detection and response component. | +| edr.proxy_address | Proxy address used by the detection and response component. | + +**Microsoft Auto-Update configuration** + +The following fields are collected: + +| Field | Description | +| --------------------------- | ----------- | +| how_to_check | Determines how product updates are checked (for example automatic or manual). | +| channel_name | Update channel associated with the device. | +| manifest_server | Server used for downloading updates. | +| update_cache | Location of the cache used to store updates. | + +### Product and service usage + +#### Diagnostic log upload started report + +The following fields are collected: + +| Field | Description | +| ---------------- | ----------- | +| sha256 | SHA256 identifier of the support log. | +| size | Size of the support log. | +| original_path | Path to the support log (always under */var/opt/microsoft/mdatp/wdavdiag/*). | +| format | Format of the support log. | + +#### Diagnostic log upload completed report + +The following fields are collected: + +| Field | Description | +| ---------------- | ----------- | +| request_id | Correlation ID for the support log upload request. | +| sha256 | SHA256 identifier of the support log. | +| blob_sas_uri | URI used by the application to upload the support log. | + +#### Product and service performance data events + +**Unexpected application exit (crash)** + +Unexpected application exits and the state of the application when that happens. + +**Kernel extension statistics** + +The following fields are collected: + +| Field | Description | +| ------------------------------ | ----------- | +| pkt_ack_timeout | The following properties are aggregated numerical values, representing count of events that happened since kernel extension startup. | +| pkt_ack_conn_timeout | | +| ipc.ack_pkts | | +| ipc.nack_pkts | | +| ipc.send.ack_no_conn | | +| ipc.send.nack_no_conn | | +| ipc.send.ack_no_qsq | | +| ipc.send.nack_no_qsq | | +| ipc.ack.no_space | | +| ipc.ack.timeout | | +| ipc.ack.ackd_fast | | +| ipc.ack.ackd | | +| ipc.recv.bad_pkt_len | | +| ipc.recv.bad_reply_len | | +| ipc.recv.no_waiter | | +| ipc.recv.copy_failed | | +| ipc.kauth.vnode.mask | | +| ipc.kauth.vnode.read | | +| ipc.kauth.vnode.write | | +| ipc.kauth.vnode.exec | | +| ipc.kauth.vnode.del | | +| ipc.kauth.vnode.read_attr | | +| ipc.kauth.vnode.write_attr | | +| ipc.kauth.vnode.read_ex_attr | | +| ipc.kauth.vnode.write_ex_attr | | +| ipc.kauth.vnode.read_sec | | +| ipc.kauth.vnode.write_sec | | +| ipc.kauth.vnode.take_own | | +| ipc.kauth.vnode.link | | +| ipc.kauth.vnode.create | | +| ipc.kauth.vnode.move | | +| ipc.kauth.vnode.mount | | +| ipc.kauth.vnode.denied | | +| ipc.kauth.vnode.ackd_before_deadline | | +| ipc.kauth.vnode.missed_deadline | | +| ipc.kauth.file_op.mask | | +| ipc.kauth_file_op.open | | +| ipc.kauth.file_op.close | | +| ipc.kauth.file_op.close_modified | | +| ipc.kauth.file_op.move | | +| ipc.kauth.file_op.link | | +| ipc.kauth.file_op.exec | | +| ipc.kauth.file_op.remove | | +| ipc.kauth.file_op.unmount | | +| ipc.kauth.file_op.fork | | +| ipc.kauth.file_op.create | | + +## Resources + +- [Privacy at Microsoft](https://privacy.microsoft.com/) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md new file mode 100644 index 0000000000..b0cd02009a --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md @@ -0,0 +1,65 @@ +--- +title: Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux +description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender ATP for Linux. +keywords: microsoft, defender, atp, linux, pua, pus +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) + +The potentially unwanted application (PUA) protection feature in Microsoft Defender ATP for Linux can detect and block PUA files on endpoints in your network. + +These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation. + +These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. + +## How it works + +Microsoft Defender ATP for Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine. + +When a PUA is detected on an endpoint, Microsoft Defender ATP for Linux keeps a record of the infection in the threat history. The history can be visualized from the Microsoft Defender Security Center portal or through the `mdatp` command-line tool. The threat name will contain the word "Application". + +## Configure PUA protection + +PUA protection in Microsoft Defender ATP for Linux can be configured in one of the following ways: + +- **Off**: PUA protection is disabled. +- **Audit**: PUA files are reported in the product logs, but not in Microsoft Defender Security Center. No record of the infection is stored in the threat history and no action is taken by the product. +- **Block**: PUA files are reported in the product logs and in Microsoft Defender Security Center. A record of the infection is stored in the threat history and action is taken by the product. + +>[!WARNING] +>By default, PUA protection is configured in **Audit** mode. + +You can configure how PUA files are handled from the command line or from the management console. + +### Use the command-line tool to configure PUA protection: + +In Terminal, execute the following command to configure PUA protection: + +```bash +$ mdatp --threat --type-handling potentially_unwanted_application [off|audit|block] +``` + +### Use the management console to configure PUA protection: + +In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) topic. + +## Related topics + +- [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md index 7e0983fb5f..af6fa6157c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md @@ -42,9 +42,16 @@ The follow table shows the exclusion types supported by Microsoft Defender ATP f Exclusion | Definition | Examples ---|---|--- File extension | All files with the extension, anywhere on the machine | `.test` -File | A specific file identified by the full path | `/var/log/test.log` -Folder | All files under the specified folder | `/var/log/` -Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
`cat` +File | A specific file identified by the full path | `/var/log/test.log`
`/var/log/*.log`
`/var/log/install.?.log` +Folder | All files under the specified folder | `/var/log/`
`/var/*/` +Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
`cat`
`c?t` + +File, folder, and process exclusions support the following wildcards: + +Wildcard | Description | Example | Matches | Does not match +---|---|---|---|--- +\* | Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/\*/\*.log` | `/var/log/system.log` | `/var/log/nested/system.log` +? | Matches any single character | `file?.log` | `file1.log`
`file2.log` | `file123.log` ## How to configure the list of exclusions @@ -56,7 +63,7 @@ For more information on how to configure exclusions from JAMF, Intune, or anothe Open the Microsoft Defender ATP application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot: - + Select the type of exclusion that you wish to add and follow the prompts. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index e633d8184f..ebaa93dac7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -1,6 +1,6 @@ --- -title: Manual deployment for Microsoft Defender ATP for Mac -description: Install Microsoft Defender ATP for Mac manually, from the command line. +title: Manual deployment for Microsoft Defender ATP for macOS +description: Install Microsoft Defender ATP for macOS manually, from the command line. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,65 +17,54 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Manual deployment for Microsoft Defender ATP for Mac +# Manual deployment for Microsoft Defender ATP for macOS **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for macOS](microsoft-defender-atp-mac.md) -This topic describes how to deploy Microsoft Defender ATP for Mac manually. A successful deployment requires the completion of all of the following steps: +This topic describes how to deploy Microsoft Defender ATP for macOS manually. A successful deployment requires the completion of all of the following steps: - [Download installation and onboarding packages](#download-installation-and-onboarding-packages) - [Application installation](#application-installation) - [Client configuration](#client-configuration) ## Prerequisites and system requirements -Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, see [the main Microsoft Defender ATP for macOS page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages Download the installation and onboarding packages from Microsoft Defender Security Center: 1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**. +2. In Section 1 of the page, set operating system to **macOS** and Deployment method to **Local script**. 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -  +  5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ```bash - $ ls -l - total 721152 - -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - $ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: MicrosoftDefenderATPOnboardingMacOs.py - ``` - + ## Application installation To complete this process, you must have admin privileges on the machine. 1. Navigate to the downloaded wdav.pkg in Finder and open it. -  +  2. Select **Continue**, agree with the License terms, and enter the password when prompted. -  +  > [!IMPORTANT] > You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. -  +  3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: -  +  The installation proceeds. @@ -87,7 +76,7 @@ The installation proceeds. ## Client configuration -1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the machine where you deploy Microsoft Defender ATP for Mac. +1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the machine where you deploy Microsoft Defender ATP for macOS. The client machine is not associated with orgId. Note that the *orgId* attribute is blank. @@ -111,7 +100,7 @@ The installation proceeds. After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. -  +  ## How to Allow Full Disk Access @@ -127,4 +116,4 @@ See [Logging installation issues](mac-resources.md#logging-installation-issues) ## Uninstallation -See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices. +See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for macOS from client devices. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index 08235662b7..cf50d3ac04 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md @@ -63,7 +63,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi 4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. 5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos). -  +  6. From a command prompt, verify that you have the three files. Extract the contents of the .zip files: @@ -110,11 +110,11 @@ You do not need any special provisioning for a Mac device beyond a standard [Com 1. Confirm device management. - + Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: - + 2. Select **Continue** and complete the enrollment. @@ -122,7 +122,7 @@ You may now enroll more devices. You can also enroll them later, after you have 3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed: - + ## Create System Configuration profiles @@ -131,7 +131,7 @@ You may now enroll more devices. You can also enroll them later, after you have 3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections. 4. Select **OK**. -  +  5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. 6. Repeat steps 1 through 5 for more profiles. @@ -306,7 +306,7 @@ You may now enroll more devices. You can also enroll them later, after you have Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: - + ## Publish application @@ -322,38 +322,38 @@ Once the Intune changes are propagated to the enrolled devices, you can see them > > If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy. -  +  7. Select **OK** and **Add**. -  +  8. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**. -  +  9. Change **Assignment type** to **Required**. 10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. -  +  11. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**: -  +  ## Verify client device state 1. After the configuration profiles are deployed to your devices, open **System Preferences** > **Profiles** on your Mac device. - 
-  + 
+  2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune: -  +  3. You should also see the Microsoft Defender icon in the top-right corner: -  +  ## Troubleshooting diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md index da29d3b4a2..32d0727488 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md @@ -65,7 +65,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi 4. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. 5. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. -  +  6. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so: @@ -108,7 +108,7 @@ To approve the kernel extension: 1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. 2. Use **UBF8T346G9** for Team Id. -  +  ### Privacy Preferences Policy Control @@ -124,7 +124,7 @@ Add the following JAMF policy to grant Full Disk Access to Microsoft Defender AT 3. Set Code Requirement to `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`. 4. Set app or service to SystemPolicyAllFiles and access to Allow. -  +  #### Configuration Profile's Scope @@ -132,7 +132,7 @@ Configure the appropriate scope to specify the devices that will receive the con Open **Computers** > **Configuration Profiles**, and select **Scope > Targets**. From there, select the devices you want to target. - + Save the **Configuration Profile**. @@ -152,7 +152,7 @@ Starting in macOS 10.15 (Catalina) a user must manually allow to display notific 1. Create a package in **Settings > Computer Management > Packages**. -  +  2. Upload the package to the Distribution Point. 3. In the **filename** field, enter the name of the package. For example, _wdav.pkg_. @@ -161,7 +161,7 @@ Starting in macOS 10.15 (Catalina) a user must manually allow to display notific Your policy should contain a single package for Microsoft Defender. - + Configure the appropriate scope to specify the computers that will receive this policy. @@ -176,12 +176,12 @@ You'll need no special provisioning for a macOS computer, beyond the standard JA - Open **Device Profiles**, from the **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's currently set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. - 
-  + 
+  After a moment, the device's User Approved MDM status will change to **Yes**. -  +  You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system configuration and application packages. @@ -196,17 +196,17 @@ You can monitor deployment status in the **Logs** tab: - **Pending** means that the deployment is scheduled but has not yet happened - **Completed** means that the deployment succeeded and is no longer scheduled - + ### Status on client device After the Configuration Profile is deployed, you'll see the profile for the device in **System Preferences** > **Profiles >**. - + Once the policy is applied, you'll see the Microsoft Defender ATP icon in the macOS status bar in the top-right corner. - + You can monitor policy installation on a device by following the JAMF log file: @@ -279,12 +279,12 @@ This script removes Microsoft Defender ATP from the /Applications directory: echo "Done!" ``` - + ### Policy Your policy should contain a single script: - + Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md index ab118ea2ca..9add09b4df 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md @@ -43,7 +43,7 @@ There are two levels of diagnostic data for Microsoft Defender ATP client softwa * **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues. -By default, both optional and required diagnostic data are sent to Microsoft. +By default, only required diagnostic data is sent to Microsoft. ### Cloud delivered protection data @@ -127,6 +127,21 @@ The following fields are collected: | edr.tags | User-defined tags. | | features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. | +#### Product and service usage data events + +**Security intelligence update report** + +The following fields are collected: + +| Field | Description | +| ---------------- | ----------- | +| from_version | Original security intelligence version. | +| to_version | New security intelligence version. | +| status | Status of the update indicating success or failure. | +| using_proxy | Whether the update was done over a proxy. | +| error | Error code if the update failed. | +| reason | Error message if the updated filed. | + #### Product and service performance data events **Kernel extension statistics** @@ -138,6 +153,7 @@ The following fields are collected: | version | Version of Microsoft Defender ATP for Mac. | | instance_id | Unique identifier generated on kernel extension startup. | | trace_level | Trace level of the kernel extension. | +| subsystem | The underlying subsystem used for real-time protection. | | ipc.connects | Number of connection requests received by the kernel extension. | | ipc.rejects | Number of connection requests rejected by the kernel extension. | | ipc.connected | Whether there is any active connection to the kernel extension. | @@ -259,7 +275,13 @@ The following fields are collected: | ipc.kauth.vnode.read_sec | | | ipc.kauth.vnode.write_sec | | | ipc.kauth.vnode.take_own | | +| ipc.kauth.vnode.link | | +| ipc.kauth.vnode.create | | +| ipc.kauth.vnode.move | | +| ipc.kauth.vnode.mount | | | ipc.kauth.vnode.denied | | +| ipc.kauth.vnode.ackd_before_deadline | | +| ipc.kauth.vnode.missed_deadline | | | ipc.kauth.file_op.mask | | | ipc.kauth_file_op.open | | | ipc.kauth.file_op.close | | @@ -268,6 +290,7 @@ The following fields are collected: | ipc.kauth.file_op.link | | | ipc.kauth.file_op.exec | | | ipc.kauth.file_op.remove | | +| ipc.kauth.file_op.unmount | | | ipc.kauth.file_op.fork | | | ipc.kauth.file_op.create | | diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md index bda42ad846..f7626685ae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md @@ -87,6 +87,7 @@ Important tasks, such as controlling product settings and triggering on-demand s |Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`| |Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` | |Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`| +|Configuration|Turn on/off passiveMode |`mdatp --config passiveMode [on/off]` | |Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` | |Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` | |Health |Check the product's health |`mdatp --health` | diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md index bbf4825f45..04021812ac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md @@ -29,7 +29,7 @@ Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to If you did not approve the kernel extension during the deployment / installation of Microsoft Defender ATP for Mac, then the application displays a banner prompting you to enable it: -  +  You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This is an indication that the kernel extension is not approved to run on your device. @@ -56,7 +56,7 @@ If less than 30 minutes have passed since the product was installed, navigate to If you don't see this prompt, it means that 30 or more minutes have passed, and the kernel extension still not been approved to run on your device: - + In this case, you need to perform the following steps to trigger the approval flow again. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 3d1a203e82..fccc1b4442 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md @@ -37,7 +37,7 @@ The following steps can be used to troubleshoot and mitigate these issues: - From the user interface. Open Microsoft Defender ATP for Mac and navigate to **Manage settings**. -  +  - From the Terminal. For security purposes, this operation requires elevation. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md index 33e4268575..782c6a98e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md @@ -27,7 +27,7 @@ Microsoft regularly publishes software updates to improve performance, security, To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. By default, MAU automatically checks for updates daily, but you can change that to weekly, monthly, or manually. - + If you decide to deploy updates by using your software distribution tools, you should configure MAU to manually check for software updates. You can deploy preferences to configure how and when MAU checks for updates for the Macs in your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 57fde3cc75..b1deb73638 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -26,6 +26,14 @@ ms.topic: conceptual > > If you have previously whitelisted the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to whitelist the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to whitelist the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics. +## 101.00.31 + +- Improved [product onboarding experience for Intune users](https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos) +- Antivirus [exclusions now support wildcards](mac-exclusions.md#supported-exclusion-types) +- Added the ability to trigger antivirus scans from the macOS contextual menu. You can now right-click a file or a folder in Finder and select **Scan with Microsoft Defender ATP** +- In-place product downgrades are now explicitly disallowed by the installer. If you need to downgrade, first uninstall the existing version and reconfigure your device +- Other performance improvements & bug fixes + ## 100.90.27 - You can now [set an update channel](mac-updates.md#set-the-channel-name) for Microsoft Defender ATP for Mac that is different from the system-wide update channel diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md index adc8b53f70..e2f2b119a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md @@ -61,7 +61,7 @@ The report is made up of cards that display the following machine attributes: - **Health state**: shows information about the sensor state on devices, providing an aggregated view of devices that are active, experiencing impaired communications, inactive, or where no sensor data is seen. -- **Antivirus status for active Windows 10 machines**: shows the number of machines and status of Windows Defender Antivirus. +- **Antivirus status for active Windows 10 machines**: shows the number of machines and status of Microsoft Defender Antivirus. - **OS platforms**: shows the distribution of OS platforms that exists within your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md index daf8b70f1e..9da990fe57 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md @@ -26,8 +26,8 @@ You can add tags on machines using the following ways: - Using the portal - Setting a registry key value ->[!NOTE] ->There may be some latency between the time a tag is added to a machine and its availability in the machines list and machine page. +> [!NOTE] +> There may be some latency between the time a tag is added to a machine and its availability in the machines list and machine page. To add machine tags using API, see [Add or remove machine tags API](add-or-remove-machine-tags.md). @@ -71,6 +71,9 @@ You can also delete tags from this view. >- Windows 8.1 >- Windows 7 SP1 +> [!NOTE] +> The maximum number of characters that can be set in a tag is 200. + Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines. Use the following registry key entry to add a tag on a machine: @@ -81,4 +84,5 @@ Use the following registry key entry to add a tag on a machine: >[!NOTE] >The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report. - +> +> If you need to remove a tag that was added using the above Registry key, clear the contents of the Registry key data instead of removing the 'Group' key. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md index fdd4146f99..930d43341f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md @@ -1,6 +1,6 @@ --- title: machineAction resource type -description: Retrieves top recent machineActions. +description: Quickly respond to detected attacks by isolating machines or collecting an investigation package. keywords: apis, supported apis, get, machineaction, recent search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md index e570e0634a..f243b53767 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md @@ -53,7 +53,13 @@ The risk level reflects the overall risk assessment of the machine based on a co ### Exposure level -The exposure level reflects the current exposure of the machine based on the cumulative impact of its pending security recommendations. +The exposure level reflects the current exposure of the machine based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your machines are less vulnerable from exploitation. + +If the exposure level says "No data available," there are a few reasons why this may be the case: + +- Device stopped reporting for more than 30 days – in that case it is considered inactive, and the exposure isn't computed +- Device OS not supported - see [minimum requirements for Microsoft Defender ATP](minimum-requirements.md) +- Device with stale agent (very unlikely) ### OS Platform diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md index 3c7b1fa724..531278a14a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md @@ -76,7 +76,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can * URL - wildcard supported * Command line - wildcard supported -3. Select the **Trigerring IOC**. +3. Select the **Triggering IOC**. 4. Specify the action and scope on the alert.
You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and machine timeline and will appear as resolved across Microsoft Defender ATP APIs.
Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard and will not be streamed across Microsoft Defender ATP APIs. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index 9f02877b9e..c2f2dd8964 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md @@ -30,13 +30,13 @@ Indicator of compromise (IoCs) matching is an essential feature in every endpoin Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to. -Currently supported sources are the cloud detection engine of Microsoft Defender ATP, the automated investigation and remediation engine, and the endpoint prevention engine (Windows Defender AV). +Currently supported sources are the cloud detection engine of Microsoft Defender ATP, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender AV). **Cloud detection engine**
The cloud detection engine of Microsoft Defender ATP regularly scans collected data and tries to match the indicators you set. When there is a match, action will be taken according to the settings you specified for the IoC. **Endpoint prevention engine**
-The same list of indicators is honored by the prevention agent. Meaning, if Windows Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Windows Defender AV will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Windows Defender AV will not detect nor block the file from being run. +The same list of indicators is honored by the prevention agent. Meaning, if Microsoft Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Microsoft Defender AV will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Microsoft Defender AV will not detect nor block the file from being run. **Automated investigation and remediation engine**
The automated investigation and remediation behave the same. If an indicator is set to "Allow", Automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated investigation and remediation will treat it as "bad". @@ -70,7 +70,7 @@ There are two ways you can create indicators for files: ### Before you begin It's important to understand the following prerequisites prior to creating indicators for files: -- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). +- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). - The Antimalware client version must be 4.18.1901.x or later. - Supported on machines on Windows 10, version 1703 or later. - To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings. @@ -82,7 +82,7 @@ It's important to understand the following prerequisites prior to creating indic >[!NOTE] ->There may be up to 2 hours of latency (usually less) between the time the action is taken and the actual file being blocked. +>Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. ### Create an indicator for files from the settings page @@ -153,14 +153,14 @@ It's important to understand the following prerequisites prior to creating indic You can create indicators for certificates. Some common use cases include: - Scenarios when you need to deploy blocking technologies, such as [attack surface reduction rules](attack-surface-reduction.md) and [controlled folder access](controlled-folders.md) but need to allow behaviors from signed applications by adding the certificate in the allow list. -- Blocking the use of a specific signed application across your organization. By creating an indicator to block the certificate of the application, Windows Defender AV will prevent file executions (block and remediate) and the Automated Investigation and Remediation behave the same. +- Blocking the use of a specific signed application across your organization. By creating an indicator to block the certificate of the application, Microsoft Defender AV will prevent file executions (block and remediate) and the Automated Investigation and Remediation behave the same. ### Before you begin It's important to understand the following requirements prior to creating indicators for certificates: -- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). +- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). - The Antimalware client version must be 4.18.1901.x or later. - Supported on machines on Windows 10, version 1703 or later. - The virus and threat protection definitions must be up-to-date. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index a4991649d4..b6eaffbafa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: Microsoft Defender Advanced Threat Protection -description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is an enterprise security platform that helps defend against advanced persistent threats. +description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is an enterprise endpoint security platform that helps defend against advanced persistent threats. keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -23,10 +23,10 @@ ms.topic: conceptual > > For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy). -Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. +Microsoft Defender Advanced Threat Protection is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq] +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4wDob] Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: @@ -67,6 +67,9 @@ Microsoft Defender ATP uses the following combination of technology built into W
+ + +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4vnC4?rel=0] > [!TIP] > - Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). @@ -84,7 +87,7 @@ The attack surface reduction set of capabilities provide the first line of defen -**[Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)**
+**[Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)**
To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index b84dce1ebe..0a57598987 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -83,7 +83,7 @@ If you experience any installation failures, refer to [Troubleshooting installat - SUSE Linux Enterprise Server 12 or higher - Oracle Linux 7.2 or higher -- Minimum kernel version 2.6.38 +- Minimum kernel version 3.10.0-327 - The `fanotify` kernel option must be enabled > [!CAUTION] > Running Microsoft Defender ATP for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system. diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index baef5fe6ab..3bbf64e500 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -40,15 +40,23 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr - Microsoft 365 E5 Security - Microsoft 365 A5 (M365 A5) +> [!NOTE] +> Eligible Licensed Users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices. + +Microsoft Defender Advanced Threat Protection, on Windows Server, requires one of the following licensing options: + +- [Azure Security Center Standard plan](https://docs.microsoft.com/azure/security-center/security-center-pricing) (per node) +- Microsoft Defender ATP for Servers (one per covered Server) + +> [!NOTE] +> Customers with a combined minimum of 50 licenses for one or more of the following may acquire Server SLs for Microsoft Defender Advanced Threat Protection for Servers (one per covered Server OSE): Microsoft Defender Advanced Threat Protection, Windows E5/A5, Microsoft 365 E5/A5 and Microsoft 365 E5 Security User SLs. This license applies to Microsoft Defender ATP for Linux. + For detailed licensing information, see the [Product terms page](https://www.microsoft.com/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product. For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare). For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://go.microsoft.com/fwlink/p/?linkid=2069559). -For more information about licensing requirements for Microsoft Defender ATP platform on Windows Server, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114). - - ## Browser requirements Access to Microsoft Defender ATP is done through a browser, supporting the following browsers: - Microsoft Edge @@ -165,25 +173,25 @@ For more information on additional proxy configuration settings, see [Configure Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10. -## Windows Defender Antivirus configuration requirement -The Microsoft Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. +## Microsoft Defender Antivirus configuration requirement +The Microsoft Defender ATP agent depends on the ability of Microsoft Defender Antivirus to scan files and provide information about them. -You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). +You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md). -When Windows Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Microsoft Defender ATP must be excluded from this group policy. +When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Microsoft Defender Antivirus goes on passive mode. If your organization has disabled Microsoft Defender Antivirus through group policy or other methods, machines that are onboarded to Microsoft Defender ATP must be excluded from this group policy. -If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md). +If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Microsoft Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md). > [!NOTE] -> Your regular group policy doesn't apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on. +> Your regular group policy doesn't apply to Tamper Protection, and changes to Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on. -For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). -## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled -If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Microsoft Defender ATP agent will successfully onboard. +## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled +If you're running Microsoft Defender Antivirus as the primary antimalware product on your machines, the Microsoft Defender ATP agent will successfully onboard. -If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). +If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index 26080c90cd..eb56826c55 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -44,11 +44,11 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network ## Requirements -Network protection requires Windows 10 Pro, Enterprise E3, E5 and Windows Defender AV real-time protection. +Network protection requires Windows 10 Pro, Enterprise E3, E5 and Microsoft Defender AV real-time protection. -Windows 10 version | Windows Defender Antivirus +Windows 10 version | Microsoft Defender Antivirus -|- -Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled +Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled ## Review network protection events in the Microsoft Defender ATP Security Center diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md index 5b7477d473..30538a9a58 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md @@ -34,7 +34,8 @@ Offboard machine from Microsoft Defender ATP. [!include[Machine actions note](../../includes/machineactionsnote.md)] >[!Note] -> This does not support offboarding macOS Devices. +> This API is supported on Windows 10, version 1703 and later, or Windows Server 2019 and later. +> This API is not supported on MacOS or Linux devices. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt index 51d5efdc49..b1e6285e7e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt +++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt @@ -34,7 +34,7 @@ #### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) -### [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) +### [Next generation protection](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md) ### [Endpoint detection and response]() @@ -72,7 +72,7 @@ ###### [Initiate Automated Investigation](respond-machine-alerts.md#initiate-automated-investigation) ###### [Initiate Live Response Session](respond-machine-alerts.md#initiate-live-response-session) ###### [Collect investigation package from machines](respond-machine-alerts.md#collect-investigation-package-from-machines) -###### [Run Windows Defender Antivirus scan on machines](respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines) +###### [Run Microsoft Defender Antivirus scan on machines](respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-machines) ###### [Restrict app execution](respond-machine-alerts.md#restrict-app-execution) ###### [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) ###### [Check activity details in Action center](respond-machine-alerts.md#check-activity-details-in-action-center) @@ -158,7 +158,7 @@ ###### [Controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md) ###### [Attack surface reduction](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md) ###### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) -##### [Evaluate next generation protection](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md) +##### [Evaluate next generation protection](../microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md) ### [Access the Microsoft Defender Security Center Community Center](community.md) @@ -204,95 +204,95 @@ ### [Configure next generation protection]() -#### [Configure Windows Defender Antivirus features](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) +#### [Configure Microsoft Defender Antivirus features](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) #### [Utilize Microsoft cloud-delivered protection]() -##### [Understand cloud-delivered protection](../windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) -##### [Enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) -##### [Specify the cloud-delivered protection level](../windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md) -##### [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md) -##### [Enable Block at first sight](../windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md) -##### [Configure the cloud block timeout period](../windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md) +##### [Understand cloud-delivered protection](../microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) +##### [Enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) +##### [Specify the cloud-delivered protection level](../microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md) +##### [Configure and validate network connections](../microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md) +##### [Enable Block at first sight](../microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md) +##### [Configure the cloud block timeout period](../microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) #### [Configure behavioral, heuristic, and real-time protection]() -##### [Configuration overview](../windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md) -##### [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) -##### [Enable and configure always-on protection and monitoring](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) +##### [Configuration overview](../microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md) +##### [Detect and block potentially unwanted applications](../microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) +##### [Enable and configure always-on protection and monitoring](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) -#### [Antivirus on Windows Server 2016](../windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md) +#### [Antivirus on Windows Server 2016](../microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md) #### [Antivirus compatibility]() -##### [Compatibility charts](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md) -##### [Use limited periodic antivirus scanning](../windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md) +##### [Compatibility charts](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md) +##### [Use limited periodic antivirus scanning](../microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md) #### [Deploy, manage updates, and report on antivirus]() -##### [Using Windows Defender Antivirus](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md) +##### [Using Microsoft Defender Antivirus](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md) ##### [Deploy and enable antivirus]() -###### [Preparing to deploy](../windows-defender-antivirus/deploy-windows-defender-antivirus.md) -###### [Deployment guide for VDI environments](../windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md) +###### [Preparing to deploy](../microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md) +###### [Deployment guide for VDI environments](../microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md) ##### [Report on antivirus protection]() -###### [Review protection status and aqlerts](../windows-defender-antivirus/report-monitor-windows-defender-antivirus.md) -###### [Troubleshoot antivirus reporting in Update Compliance](../windows-defender-antivirus/troubleshoot-reporting.md) +###### [Review protection status and aqlerts](../microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md) +###### [Troubleshoot antivirus reporting in Update Compliance](../microsoft-defender-antivirus/troubleshoot-reporting.md) ##### [Manage updates and apply baselines]() -###### [Learn about the different kinds of updates](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md) -###### [Manage protection and Security intelligence updates](../windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md) -###### [Manage when protection updates should be downloaded and applied](../windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md) -###### [Manage updates for endpoints that are out of date](../windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md) -###### [Manage event-based forced updates](../windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md) -###### [Manage updates for mobile devices and VMs](../windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md) +###### [Learn about the different kinds of updates](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md) +###### [Manage protection and Security intelligence updates](../microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md) +###### [Manage when protection updates should be downloaded and applied](../microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md) +###### [Manage updates for endpoints that are out of date](../microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md) +###### [Manage event-based forced updates](../microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md) +###### [Manage updates for mobile devices and VMs](../microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) #### [Customize, initiate, and review the results of scans and remediation]() -##### [Configuration overview](../windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md) +##### [Configuration overview](../microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md) ##### [Configure and validate exclusions in antivirus scans]() -###### [Exclusions overview](../windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md) -###### [Configure and validate exclusions based on file name, extension, and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) -###### [Configure and validate exclusions for files opened by processes](../windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md) -###### [Configure antivirus exclusions Windows Server 2016](../windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md) +###### [Exclusions overview](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) +###### [Configure and validate exclusions based on file name, extension, and folder location](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md) +###### [Configure and validate exclusions for files opened by processes](../microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) +###### [Configure antivirus exclusions Windows Server 2016](../microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md) -##### [Configure antivirus scanning options](../windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md) -##### [Configure remediation for scans](../windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md) -##### [Configure scheduled scans](../windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md) -##### [Configure and run scans](../windows-defender-antivirus/run-scan-windows-defender-antivirus.md) -##### [Review scan results](../windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md) -##### [Run and review the results of an offline scan](../windows-defender-antivirus/windows-defender-offline.md) +##### [Configure antivirus scanning options](../microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md) +##### [Configure remediation for scans](../microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md) +##### [Configure scheduled scans](../microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md) +##### [Configure and run scans](../microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md) +##### [Review scan results](../microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md) +##### [Run and review the results of an offline scan](../microsoft-defender-antivirus/windows-defender-offline.md) -#### [Restore quarantined files](../windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md) +#### [Restore quarantined files](../microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md) #### [Manage antivirus in your business]() -##### [Management overview](../windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md) -##### [Use Group Policy settings to configure and manage antivirus](../windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md) -##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](../windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md) -##### [Use PowerShell cmdlets to configure and manage antivirus](../windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md) -##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](../windows-defender-antivirus/use-wmi-windows-defender-antivirus.md) -##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) +##### [Management overview](../microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md) +##### [Use Group Policy settings to configure and manage antivirus](../microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md) +##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](../microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md) +##### [Use PowerShell cmdlets to configure and manage antivirus](../microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md) +##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](../microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md) +##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](../microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md) #### [Manage scans and remediation]() -##### [Management overview](../windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md) +##### [Management overview](../microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md) ##### [Configure and validate exclusions in antivirus scans]() -###### [Exclusions overview](../windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md) -###### [Configure and validate exclusions based on file name, extension, and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) -###### [Configure and validate exclusions for files opened by processes](../windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md) -###### [Configure antivirus exclusions on Windows Server 2016](../windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md) +###### [Exclusions overview](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) +###### [Configure and validate exclusions based on file name, extension, and folder location](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md) +###### [Configure and validate exclusions for files opened by processes](../microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) +###### [Configure antivirus exclusions on Windows Server 2016](../microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md) -##### [Configure scanning options](../windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md) -##### [Configure remediation for scans](../windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md) -##### [Configure scheduled scans](../windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md) -##### [Configure and run scans](../windows-defender-antivirus/run-scan-windows-defender-antivirus.md) -##### [Review scan results](../windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md) -##### [Run and review the results of an offline scan](../windows-defender-antivirus/windows-defender-offline.md) -##### [Restore quarantined files](../windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md) +##### [Configure scanning options](../microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md) +##### [Configure remediation for scans](../microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md) +##### [Configure scheduled scans](../microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md) +##### [Configure and run scans](../microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md) +##### [Review scan results](../microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md) +##### [Run and review the results of an offline scan](../microsoft-defender-antivirus/windows-defender-offline.md) +##### [Restore quarantined files](../microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md) #### [Manage next generation protection in your business]() -##### [Management overview](../windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md) -##### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](../windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md) -##### [Use Group Policy settings to manage next generation protection](../windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md) -##### [Use PowerShell cmdlets to manage next generation protection](../windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md) -##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](../windows-defender-antivirus/use-wmi-windows-defender-antivirus.md) -##### [Use the mpcmdrun.exe command line tool to manage next generation protection](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) +##### [Management overview](../microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md) +##### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](../microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md) +##### [Use Group Policy settings to manage next generation protection](../microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md) +##### [Use PowerShell cmdlets to manage next generation protection](../microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md) +##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](../microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md) +##### [Use the mpcmdrun.exe command line tool to manage next generation protection](../microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md) @@ -525,4 +525,4 @@ #### [Collect diagnostic data for files](../windows-defender-exploit-guard/troubleshoot-np.md) -### [Troubleshoot next generation protection issues](../windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md) +### [Troubleshoot next generation protection issues](../microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md index 5ac688bcec..8e7680a3be 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md @@ -51,7 +51,7 @@ Microsoft Defender ATP integrates with System Center Endpoint Protection to prov The following steps are required to enable this integration: - Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting -- Configure your network to allow connections to the Windows Defender Antivirus cloud. For more information, see [Allow connections to the Windows Defender Antivirus cloud](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus#allow-connections-to-the-windows-defender-antivirus-cloud) +- Configure your network to allow connections to the Microsoft Defender Antivirus cloud. For more information, see [Allow connections to the Microsoft Defender Antivirus cloud](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud) ## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md index 0534d30935..1f798a3ece 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md @@ -30,14 +30,17 @@ To onboard machines without Internet access, you'll need to take the following g Windows Server 2016 and earlier or Windows 8.1 and earlier. > [!NOTE] -> An OMS gateway server can still be used as proxy for disconnected Windows 10 machines when configured via 'TelemetryProxyServer' registry or GPO. +> - An OMS gateway server cannot be used as proxy for disconnected Windows 10 or Windows Server 2019 machines when configured via 'TelemetryProxyServer' registry or GPO. +> - For Windows 10 or Windows Server 2019 - while you may use TelemetryProxyServer, it must point to a standard proxy device or appliance. +> - In addition, Windows 10 or Windows Server 2019 in disconnected environments must be able to update Certificate Trust Lists offline via an internal file or web server. +> - For more information about updating CTLs offline, see (Configure a file or web server to download the CTL files)[https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#configure-a-file-or-web-server-to-download-the-ctl-files]. -For more information, see the following articles: +For more information about onboarding methods, see the following articles: - [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel) - [Onboard servers to the Microsoft Defender ATP service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016) - [Configure machine proxy and Internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy) -## On-premise machines +## On-premises machines - Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub: - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md index c304bcfd54..37c447d3fc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md @@ -30,7 +30,7 @@ Configure and manage all the Microsoft Defender ATP capabilities to get the best Topic | Description :---|:--- [Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. -[Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats. +[Configure next generation protection](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats. [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts. [Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP. [Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md index d5613256d1..15f9de0423 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md @@ -95,7 +95,7 @@ below to onboard systems with Configuration Manager.  -7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**. +7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**.  @@ -179,108 +179,45 @@ Follow the steps below to identify the Microsoft Defender ATP Workspace ID and W 3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process. -Before the systems can be onboarded into the workspace, the deployment scripts need to be updated to contain the correct information. Failure to do so will result in the systems not being properly onboarded. Depending on the deployment method, this step may have already been completed. +4. Install the Microsoft Monitoring Agent (MMA).
+ MMA is currently (as of January 2019) supported on the following Windows Operating + Systems: -Edit the InstallMMA.cmd with a text editor, such as notepad and update the -following lines and save the file: + - Server SKUs: Windows Server 2008 SP1 or Newer -  + - Client SKUs: Windows 7 SP1 and later -Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file: + The MMA agent will need to be installed on Windows devices. To install the + agent, some systems will need to download the [Update for customer experience + and diagnostic + telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) + in order to collect the data with MMA. These system versions include but may not + be limited to: -  + - Windows 8.1 -Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating -Systems: + - Windows 7 -- Server SKUs: Windows Server 2008 SP1 or Newer + - Windows Server 2016 -- Client SKUs: Windows 7 SP1 and later + - Windows Server 2012 R2 -The MMA agent will need to be installed on Windows devices. To install the -agent, some systems will need to download the [Update for customer experience -and diagnostic -telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) -in order to collect the data with MMA. These system versions include but may not -be limited to: + - Windows Server 2008 R2 -- Windows 8.1 + Specifically, for Windows 7 SP1, the following patches must be installed: -- Windows 7 + - Install + [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) -- Windows Server 2016 + - Install either [.NET Framework + 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or + later) **or** + [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework). + Do not install both on the same system. -- Windows Server 2012 R2 +5. If you're using a proxy to connect to the Internet see the Configure proxy settings section. -- Windows Server 2008 R2 - -Specifically, for Windows 7 SP1, the following patches must be installed: - -- Install - [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) - -- Install either [.NET Framework - 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or - later) **or** - [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework). - Do not install both on the same system. - -To deploy the MMA with Microsoft Endpoint Configuration Manager, follow the steps -below to utilize the provided batch files to onboard the systems. The CMD file -when executed, will require the system to copy files from a network share by the -System, the System will install MMA, Install the DependencyAgent, and configure -MMA for enrollment into the workspace. - - -1. In Microsoft Endpoint Configuration Manager console, navigate to **Software - Library**. - -2. Expand **Application Management**. - -3. Right-click **Packages** then select **Create Package**. - -4. Provide a Name for the package, then click **Next** - -  - -5. Verify **Standard Program** is selected. - -  - -6. Click **Next**. - -  - -7. Enter a program name. - -8. Browse to the location of the InstallMMA.cmd. - -9. Set Run to **Hidden**. - -10. Set **Program can run** to **Whether or not a user is logged on**. - -11. Click **Next**. - -12. Set the **Maximum allowed run time** to 720. - -13. Click **Next**. - -  - -14. Verify the configuration, then click **Next**. - -  - -15. Click **Next**. - -16. Click **Close**. - -17. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP - Onboarding Package just created and select **Deploy**. - -18. On the right panel select the appropriate collection. - -19. Click **OK**. +Once completed, you should see onboarded endpoints in the portal within an hour. ## Next generation protection Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. @@ -297,7 +234,7 @@ Microsoft Defender Antivirus is a built-in antimalware solution that provides ne needs on how Antivirus is configured. - [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan) + [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan) For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index 4fda24160f..e949cd7986 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md @@ -27,14 +27,18 @@ ms.topic: conceptual Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization. + +> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4woug] + + Article | Description -|- -[Attack surface reduction](./attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus). -[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. +[Attack surface reduction](./attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Microsoft Defender Antivirus). +[Hardware-based isolation](../microsoft-defender-application-guard/md-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. [Exploit protection](./exploit-protection.md) | Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. -[Network protection](./network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) +[Network protection](./network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Microsoft Defender Antivirus) [Web protection](./web-protection-overview.md) | Secure your machines against web threats and help you regulate unwanted content. -[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) +[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Microsoft Defender Antivirus) [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. [Attack surface reduction FAQ](./attack-surface-reduction-faq.md) | Frequently asked questions about Attack surface reduction rules, licensing, and more. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md index 261734d68b..0d13fe8b36 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md @@ -28,6 +28,8 @@ Microsoft Defender ATP endpoint detection and response capabilities provide adva When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an _incident_. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats. +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4o1j5] + Inspired by the "assume breach" mindset, Microsoft Defender ATP continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others. The information is stored for six months, enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and approach an investigation through multiple vectors. The response capabilities give you the power to promptly remediate threats by acting on the affected entities. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md index 344d125399..7b7ae31f81 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md @@ -25,6 +25,6 @@ Hardware-based isolation helps protect system integrity in Windows 10 and is int | Feature | Description | |------------|-------------| -| [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md) | Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard’s secure container, keeping the desktop PC protected and the attacker away from your enterprise data. | +| [Windows Defender Application Guard](../microsoft-defender-application-guard/md-app-guard-overview.md) | Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard’s secure container, keeping the desktop PC protected and the attacker away from your enterprise data. | | [Windows Defender System Guard](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) | System Guard protects and maintains the integrity of the system as it starts and after it's running, and validates system integrity by using attestation. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index db2e81192e..96e8c08aa9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md @@ -42,7 +42,7 @@ When you open the portal, you'll see:  > [!NOTE] -> Malware related detections will only appear if your machines are using Windows Defender Antivirus as the default real-time protection antimalware product. +> Malware related detections will only appear if your machines are using Microsoft Defender Antivirus as the default real-time protection antimalware product. You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section. @@ -81,7 +81,7 @@ Icon | Description | Not remediated – Threat not removed from the machine. | Indicates events that triggered an alert in the **Alert process tree**. | Machine icon -| Windows Defender Antivirus events +| Microsoft Defender Antivirus events | Windows Defender Application Guard events | Windows Defender Device Guard events | Windows Defender Exploit Guard events diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md index 83b69c2140..343d68bc0f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md @@ -172,7 +172,7 @@ how the endpoint security suite should be enabled. |-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------| | Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 | |Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Invaluable machine vulnerability context during incident investigations
- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
[Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 | -| Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Windows Defender Antivirus includes:
-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Windows Defender Antivirus.
- Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
[Learn more](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). |3 | +| Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:
-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.
- Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
[Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). |3 | | Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 | | Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable | | Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable | diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index a92e6a198a..8eb9582866 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -29,6 +29,9 @@ The Microsoft Defender ATP service is constantly being updated to include new fe Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. +>[!TIP] +>Get notified when this page is updated by copying and pasting the following URL into your feed reader: `https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+preview+features%22&locale=en-us` + For more information on new capabilities that are generally available, see [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md). ## Turn on preview features @@ -44,6 +47,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: +- [Attack simulators in the evaluation lab](evaluation-lab.md#threat-simulator-scenarios)
Microsoft Defender ATP has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal. + - [Create indicators for certificates](manage-indicators.md)
Create indicators to allow or block certificates. - [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md)
Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux. diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index 0c0a59b197..fc6cb7176a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md @@ -144,6 +144,9 @@ Appendix section in this document for the URLs Whitelisting or on [Microsoft Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). +> [!NOTE] +> For a detailed list of URLs that need to be whitelisted, please see [this article](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus). + **Manual static proxy configuration:** - Registry based configuration @@ -198,9 +201,9 @@ Use netsh to configure a system-wide static proxy. 1. Open an elevated command-line: - a. Go to **Start** and type **cmd**. + 1. Go to **Start** and type **cmd**. - b. Right-click **Command prompt** and select **Run as administrator**. + 1. Right-click **Command prompt** and select **Run as administrator**. 2. Enter the following command and press **Enter**: @@ -228,7 +231,7 @@ needed if the machine is on Windows 10, version 1803 or later. Service location | Microsoft.com DNS record -|- -Common URLs for all locations | ```crl.microsoft.com```
```ctldl.windowsupdate.com```
```events.data.microsoft.com```
```notify.windows.com```
```settings-win.data.microsoft.com``` +Common URLs for all locations | ```crl.microsoft.com/pki/crl/*```
```ctldl.windowsupdate.com```
```www.microsoft.com/pkiops/*```
```events.data.microsoft.com```
```notify.windows.com```
```settings-win.data.microsoft.com``` European Union | ```eu.vortex-win.data.microsoft.com```
```eu-v20.events.data.microsoft.com```
```usseu1northprod.blob.core.windows.net```
```usseu1westprod.blob.core.windows.net```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
```wseu1northprod.blob.core.windows.net```
```wseu1westprod.blob.core.windows.net``` United Kingdom | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```ussuk1southprod.blob.core.windows.net```
```ussuk1westprod.blob.core.windows.net```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com```
```wsuk1southprod.blob.core.windows.net```
```wsuk1westprod.blob.core.windows.net``` United States | ```us.vortex-win.data.microsoft.com```
```ussus1eastprod.blob.core.windows.net```
```ussus1westprod.blob.core.windows.net```
```ussus2eastprod.blob.core.windows.net```
```ussus2westprod.blob.core.windows.net```
```ussus3eastprod.blob.core.windows.net```
```ussus3westprod.blob.core.windows.net```
```ussus4eastprod.blob.core.windows.net```
```ussus4westprod.blob.core.windows.net```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com```
```wsus1eastprod.blob.core.windows.net```
```wsus1westprod.blob.core.windows.net```
```wsus2eastprod.blob.core.windows.net```
```wsus2westprod.blob.core.windows.net``` @@ -253,9 +256,9 @@ Microsoft Defender ATP is built on Azure cloud, deployed in the following region You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653). > [!NOTE] -> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. +> As a cloud-based solution, the IP address range can change. It's recommended you move to DNS resolving setting. ## Next step ||| |:-------|:-----| -|
[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them +|
[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so that the Microsoft Defender ATP service can get sensor data from them. diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index f2c30ec2e4..c55c6e231f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -27,8 +27,9 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. +>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API. diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 9213bd067e..408df1d9a1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -62,7 +62,7 @@ You can contain an attack in your organization by stopping the malicious process > > - The machine you're taking the action on is running Windows 10, version 1703 or later > - The file does not belong to trusted third-party publishers or not signed by Microsoft -> - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +> - Microsoft Defender Antivirus must at least be running on Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistent data, such as any registry keys. @@ -136,7 +136,7 @@ You can prevent further propagation of an attack in your organization by banning >[!IMPORTANT] > ->- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). +>- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). > >- The Antimalware client version must be 4.18.1901.x or later. >- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. @@ -211,7 +211,7 @@ Results of deep analysis are matched against threat intelligence and any matches Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page. ->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr] +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0] **Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis. diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md index a6b23d0ed7..7d64a9e1f9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md @@ -110,19 +110,19 @@ The package contains the following folders: |WdSupportLogs| Provides the MpCmdRunLog.txt and MPSupportFiles.cab | | CollectionSummaryReport.xls| This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. | -## Run Windows Defender Antivirus scan on machines +## Run Microsoft Defender Antivirus scan on machines As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine. >[!IMPORTANT] >- This action is available for machines on Windows 10, version 1709 or later. ->- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +>- A Microsoft Defender Antivirus (Microsoft Defender AV) scan can run alongside other antivirus solutions, whether Microsoft Defender AV is the active antivirus solution or not. Microsoft Defender AV can be in Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). One you have selected **Run antivirus scan**, select the scan type that you'd like to run (quick or full) and add a comment before confirming the scan.  -The Action center will show the scan information and the machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced during the scan. +The Action center will show the scan information and the machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Microsoft Defender AV alerts will reflect any detections that surfaced during the scan. ## Restrict app execution @@ -130,7 +130,7 @@ In addition to containing an attack by stopping malicious processes, you can als >[!IMPORTANT] > - This action is available for machines on Windows 10, version 1709 or later. -> - This feature is available if your organization uses Windows Defender Antivirus. +> - This feature is available if your organization uses Microsoft Defender Antivirus. > - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities. diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md index 10a0f81607..3df06ec29a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md @@ -24,7 +24,7 @@ ms.topic: article ## API description -Initiate Windows Defender Antivirus scan on a machine. +Initiate Microsoft Defender Antivirus scan on a machine. ## Limitations diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md index 2251ec4e49..b3955f8794 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md @@ -30,20 +30,20 @@ ms.topic: article Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service. -1. Create a folder: 'C:\test-WDATP-test'. +1. Create a folder: 'C:\test-MDATP-test'. 2. Open an elevated command-line prompt on the machine and run the script: - a. Go to **Start** and type **cmd**. + 1. Go to **Start** and type **cmd**. - b. Right-click **Command Prompt** and select **Run as administrator**. + 1. Right-click **Command Prompt** and select **Run as administrator**. -  +  3. At the prompt, copy and run the following command: - ``` - powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe' - ``` + ```powershell + powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe' + ``` The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes. diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md index e473635682..2dfdb89168 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md @@ -39,7 +39,7 @@ Run antivirus scan | Remotely initiate an antivirus scan to help identify and re Stop and quarantine file | Run this call to stop running processes, quarantine files, and delete persistency such as registry keys. Request sample | Run this call to request a sample of a file from a specific machine. The file will be collected from the machine and uploaded to a secure storage. Block file | Run this to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. -Unblock file | Allow a file run in the organization using Windows Defender Antivirus. +Unblock file | Allow a file run in the organization using Microsoft Defender Antivirus. Get package SAS URI | Run this to get a URI that allows downloading an investigation package. Get MachineAction object | Run this to get MachineAction object. Get MachineActions collection | Run this to get MachineAction collection. diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md index 8e4d732734..8342b664ed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md @@ -1,6 +1,6 @@ --- title: Indicator resource type -description: Indicator entity description. +description: Specify the entity details and define the expiration of the indicator using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, supported apis, get, TiIndicator, Indicator, recent search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index ed130a1720..8f87ff3707 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -46,9 +46,9 @@ Attack surface reduction rules will only work on devices with the following cond - Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update). -- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +- Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). -- [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. +- [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md index 31804e546b..ea417b545a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md @@ -42,7 +42,7 @@ See the topic [Review events and errors using Event Viewer](event-error-codes.md If onboarding machines successfully completes but Microsoft Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy. -For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). +For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). ## Known issues with regional formats diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index 9c2e5cfdff..12ce265639 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -43,9 +43,9 @@ Network protection will only work on devices with the following conditions: >[!div class="checklist"] > * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update). -> * Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). -> * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. -> * [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled. +> * Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). +> * [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. +> * [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled. > * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). ## Use audit mode diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md index 56a0d71130..0628b4a46e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md @@ -88,5 +88,4 @@ crl.microsoft.com` - `https://static2.sharepointonline.com` -## Related topics -- [Validate licensing provisioning and complete setup for Microsoft Defender ATP](licensing.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index 7d6e7647cc..c8c682d83f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -71,7 +71,7 @@ Event ID | Error Type | Resolution steps 5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. 10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
Verify that the script has been run as an administrator. 15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).
If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again. -15 | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions. +15 | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred. You need to enable the Microsoft Defender Antivirus ELAM driver, see [Ensure that Microsoft Defender Antivirus is not disabled by a policy](#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy) for instructions. 30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md). 35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md). 40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md). @@ -131,7 +131,7 @@ If the deployment tools used does not indicate an error in the onboarding proces - [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled) - [Ensure the service is set to start](#ensure-the-service-is-set-to-start) - [Ensure the machine has an Internet connection](#ensure-the-machine-has-an-internet-connection) -- [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) +- [Ensure that Microsoft Defender Antivirus is not disabled by a policy](#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy) ### View agent onboarding errors in the machine event log @@ -244,7 +244,7 @@ To ensure that sensor has service connectivity, follow the steps described in th If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) topic. -### Ensure that Windows Defender Antivirus is not disabled by a policy +### Ensure that Microsoft Defender Antivirus is not disabled by a policy **Problem**: The Microsoft Defender ATP service does not start after onboarding. **Symptom**: Onboarding successfully completes, but you see error 577 or error 1058 when trying to start the service. @@ -267,7 +267,7 @@ If the verification fails and your environment is using a proxy to connect to th 1. Open the registry ```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```. 2. Ensure that the value ```DisableAntiSpyware``` is not present. -  +  ## Troubleshoot onboarding issues on a server diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index 0305625c65..023e88ad09 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md @@ -49,26 +49,7 @@ You can remediate the issues based on prioritized [security recommendations](tvm ## Reduce your threat and vulnerability exposure -To lower your threat and vulnerability exposure, follow these steps. - -1. Review the **Top security recommendations** from your [**Threat & Vulnerability Management dashboard**](tvm-dashboard-insights.md) and select an item on the list. - -  - - Always prioritize recommendations that are associated with ongoing threats: - - -  Threat insight icon - -  Active alert icon - -2. The **Security recommendations** page will open, and a flyout for the recommendation you selected will open. The flyout panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Select **Open software page** option from the flyout panel.  - -3. Select **Installed machines** and then the affected machine from the list. A flyout panel will open with the relevant machine details, exposure and risk levels, alert and incident activities.  - -4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details.  - -5. Allow a few hours for the changes to propagate in the system. - -6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases. +Lower your threat and vulnerability exposure by remediating [security recommendations](tvm-security-recommendation.md). Make the most impact to your exposure score by remediating the top security recommendations, which can be viewed in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index c3e900103b..16f53d738f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -85,7 +85,7 @@ Select the security recommendation that you want to investigate or process. From the flyout, you can do any of the following: -- **Open software page** - Open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-support, and charts of the exposure trend over time. +- **Open software page** - Open the software page to get more context on the software and how it is distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution. - **Remediation options** - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index 2f1c8da158..7ac4761b32 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -23,8 +23,6 @@ ms.topic: conceptual >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -[!include[Prerelease information](../../includes/prerelease.md)] - Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it. ## How it works @@ -60,7 +58,7 @@ Once you are in the Software inventory page and have opened the flyout panel by ## Software evidence -We now show evidence of where we detected a specific software on a machine from the registry, disk or both machine on where we detected a certain software. +We now show evidence of where we detected a specific software on a machine from the registry, disk or both. You can find it on any machines found in the [machines list](machines-view-overview.md) in a section called "Software Evidence." From the Microsoft Defender Security Center navigation panel, go to **Machines list** > select the name of a machine to open the machine page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence. @@ -88,4 +86,4 @@ You can report a false positive when you see any vague, inaccurate version, inco - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [APIs](threat-and-vuln-mgt-scenarios.md#apis) -- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) \ No newline at end of file +- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 2d474782f2..963c08c5ff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -1,6 +1,6 @@ --- title: What's new in Microsoft Defender ATP -description: Lists the new features and functionality in Microsoft Defender ATP +description: See what features are generally available (GA) in the latest release of Microsoft Defender ATP, as well as security features in Windows 10 and Windows Server. keywords: what's new in microsoft defender atp, ga, generally available, capabilities, available, new search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -27,8 +27,13 @@ The following features are generally available (GA) in the latest release of Mic For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection). -RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: -`https://docs.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+Defender+ATP%22&locale=en-us` + +> [!TIP] +> RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: +> +> ```https +> https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us +> ``` ## April 2020 @@ -58,7 +63,7 @@ RSS feed: Get notified when this page is updated by copying and pasting the foll ## September 2019 -- [Tamper Protection settings using Intune](../windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune). +- [Tamper Protection settings using Intune](../microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management Portal (Intune). - [Live response](live-response.md)
Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real-time. @@ -122,10 +127,10 @@ Threat Analytics is a set of interactive reports published by the Microsoft Defe - Block Adobe Reader from creating child processes - Block Office communication application from creating child processes. -- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) +- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/). - - Windows Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/) (preview), increasing its security. - - [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus) for Windows Defender Antivirus scans. + - Microsoft Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/microsoft-defender-antivirus-can-now-run-in-a-sandbox/) (preview), increasing its security. + - [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus) for Microsoft Defender Antivirus scans. @@ -161,9 +166,9 @@ You can now block untrusted processes from writing to disk sectors using Control Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. -- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
-Windows Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender ATP. For more information, see [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). +- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
+Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender ATP. For more information, see [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). - Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus). + Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus). diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index 973fe53199..f13b6bff37 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -51,7 +51,7 @@ Microsoft Defender SmartScreen provide an early warning system against websites - **Management through Group Policy and Microsoft Intune.** Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md). -- **Blocking URLs associated with potentially unwanted applications.** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md). +- **Blocking URLs associated with potentially unwanted applications.** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md). > [!IMPORTANT] > SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares. diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 3f0c5a6304..6356278506 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -35,17 +35,17 @@ This topic provides an overview of some of the software and firmware threats fac ## The security threat landscape -Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks or the thrill of temporarily taking a system offline. Since then, attacker’s motives have shifted toward making money, including holding devices and data hostage until the owner pays the demanded ransom. Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this challenge. +Today's security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks or the thrill of temporarily taking a system offline. Since then, attacker's motives have shifted toward making money, including holding devices and data hostage until the owner pays the demanded ransom. Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this challenge. In recognition of this landscape, Windows 10 Creator's Update (Windows 10, version 1703) includes multiple security features that were created to make it difficult (and costly) to find and exploit many software vulnerabilities. These features are designed to: -- Eliminate entire classes of vulnerabilities +- Eliminate entire classes of vulnerabilities -- Break exploitation techniques +- Break exploitation techniques -- Contain the damage and prevent persistence +- Contain the damage and prevent persistence -- Limit the window of opportunity to exploit +- Limit the window of opportunity to exploit The following sections provide more detail about security mitigations in Windows 10, version 1703. @@ -59,14 +59,14 @@ Windows 10 mitigations that you can configure are listed in the following two ta |---|---| | **Windows Defender SmartScreen**
helps prevent
malicious applications
from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.
**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic | | **Credential Guard**
helps keep attackers
from gaining access through
Pass-the-Hash or
Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.
Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) | -| **Enterprise certificate pinning**
helps prevent
man-in-the-middle attacks
that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.
**More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) | -| **Device Guard**
helps keep a device
from running malware or
other untrusted apps | Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows’ kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.
Device Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) | -| **Windows Defender Antivirus**,
which helps keep devices
free of viruses and other
malware | Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.
**More information**: [Windows Defender Antivirus](#windows-defender-antivirus), later in this topic | -| **Blocking of untrusted fonts**
helps prevent fonts
from being used in
elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).
**More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) | +| **Enterprise certificate pinning**
helps prevent
man-in-the-middle attacks
that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can "pin" (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.
**More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) | +| **Device Guard**
helps keep a device
from running malware or
other untrusted apps | Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.
Device Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) | +| **Microsoft Defender Antivirus**,
which helps keep devices
free of viruses and other
malware | Windows 10 includes Microsoft Defender Antivirus, a robust inbox antimalware solution. Microsoft Defender Antivirus has been significantly improved since it was introduced in Windows 8.
**More information**: [Microsoft Defender Antivirus](#microsoft-defender-antivirus), later in this topic | +| **Blocking of untrusted fonts**
helps prevent fonts
from being used in
elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).
**More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) | | **Memory protections**
help prevent malware
from using memory manipulation
techniques such as buffer
overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:
A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.
**More information**: [Table 2](#table-2), later in this topic | -| **UEFI Secure Boot**
helps protect
the platform from
bootkits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.
**More information**: [UEFI and Secure Boot](/windows/device-security/bitlocker/bitlocker-countermeasures#uefi-and-secure-boot) | +| **UEFI Secure Boot**
helps protect
the platform from
boot kits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.
**More information**: [UEFI and Secure Boot](/windows/device-security/bitlocker/bitlocker-countermeasures#uefi-and-secure-boot) | | **Early Launch Antimalware (ELAM)**
helps protect
the platform from
rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.
**More information**: [Early Launch Antimalware](/windows/device-security/bitlocker/bitlocker-countermeasures#protection-during-startup) | -| **Device Health Attestation**
helps prevent
compromised devices from
accessing an organization’s
assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device’s actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.
**More information**: [Control the health of Windows 10-based devices](/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices) and [Device Health Attestation](https://technet.microsoft.com/windows-server-docs/security/device-health-attestation) | +| **Device Health Attestation**
helps prevent
compromised devices from
accessing an organization's
assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device's actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.
**More information**: [Control the health of Windows 10-based devices](/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices) and [Device Health Attestation](https://docs.microsoft.com/windows-server/security/device-health-attestation) | Configurable Windows 10 mitigations designed to help protect against memory manipulation require in-depth understanding of these threats and mitigations and knowledge about how the operating system and applications handle memory. The standard process for maximizing these types of mitigations is to work in a test lab to discover whether a given setting interferes with any applications that you use so that you can deploy settings that maximize protection while still allowing apps to run correctly. @@ -84,47 +84,47 @@ As an IT professional, you can ask application developers and software vendors t Windows Defender SmartScreen notifies users if they click on reported phishing and malware websites, and helps protect them against unsafe downloads or make informed decisions about downloads. -For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows Windows Defender SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, Windows Defender SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, Windows Defender SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings. +For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows Windows Defender SmartScreen to check the reputation of files downloaded from the Internet and warn users when they're about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, Windows Defender SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, Windows Defender SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings. For more information, see [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md). -### Windows Defender Antivirus +### Microsoft Defender Antivirus -Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware: +Microsoft Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware: -- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates. +- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates. -- **Rich local context** improves how malware is identified. Windows 10 informs Windows Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Windows Defender Antivirus to apply different levels of scrutiny to different content. +- **Rich local context** improves how malware is identified. Windows 10 informs Microsoft Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Microsoft Defender Antivirus to apply different levels of scrutiny to different content. -- **Extensive global sensors** help keep Windows Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data. +- **Extensive global sensors** help keep Microsoft Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data. -- **Tamper proofing** helps guard Windows Defender Antivirus itself against malware attacks. For example, Windows Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.) +- **Tamper proofing** helps guard Microsoft Defender Antivirus itself against malware attacks. For example, Microsoft Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Microsoft Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.) -- **Enterprise-level features** give IT pros the tools and configuration options necessary to make Windows Defender Antivirus an enterprise-class antimalware solution. +- **Enterprise-level features** give IT pros the tools and configuration options necessary to make Microsoft Defender Antivirus an enterprise-class antimalware solution. -For more information, see [Windows Defender in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server). +For more information, see [Windows Defender in Windows 10](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://docs.microsoft.com/windows-server/security/windows-defender/windows-defender-overview-windows-server). For information about Microsoft Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (resources) and [Microsoft Defender Advanced Threat Protection (ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation). ### Data Execution Prevention -Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed later. Wouldn’t it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information? +Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed later. Wouldn't it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information? -Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can’t be used to execute malicious code that may be inserted by means of a vulnerability exploit. +Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can't be used to execute malicious code that may be inserted by means of a vulnerability exploit. **To use Task Manager to see apps that use DEP** -1. Open Task Manager: Press Ctrl+Alt+Del and select **Task Manager**, or search the Start screen. +1. Open Task Manager: Press Ctrl+Alt+Del and select **Task Manager**, or search the Start screen. 2. Click **More Details** (if necessary), and then click the **Details** tab. -3. Right-click any column heading, and then click **Select Columns**. +3. Right-click any column heading, and then click **Select Columns**. -4. In the **Select Columns** dialog box, select the last **Data Execution Prevention** check box. +4. In the **Select Columns** dialog box, select the last **Data Execution Prevention** check box. -5. Click **OK**. +5. Click **OK**. You can now see which processes have DEP enabled. @@ -138,19 +138,19 @@ You can use Control Panel to view or change DEP settings. #### To use Control Panel to view or change DEP settings on an individual PC -1. Open Control Panel, System: click Start, type **Control Panel System**, and press ENTER. +1. Open Control Panel, System: click Start, type **Control Panel System**, and press ENTER. -2. Click **Advanced system settings**, and then click the **Advanced** tab. +2. Click **Advanced system settings**, and then click the **Advanced** tab. -3. In the **Performance** box, click **Settings**. +3. In the **Performance** box, click **Settings**. -4. In **Performance Options**, click the **Data Execution Prevention** tab. +4. In **Performance Options**, click the **Data Execution Prevention** tab. -5. Select an option: +5. Select an option: - - **Turn on DEP for essential Windows programs and services only** + - **Turn on DEP for essential Windows programs and services only** - - **Turn on DEP for all programs and services except those I select**. If you choose this option, use the **Add** and **Remove** buttons to create the list of exceptions for which DEP will not be turned on. + - **Turn on DEP for all programs and services except those I select**. If you choose this option, use the **Add** and **Remove** buttons to create the list of exceptions for which DEP will not be turned on. #### To use Group Policy to control DEP settings @@ -158,7 +158,7 @@ You can use the Group Policy setting called **Process Mitigation Options** to co ### Structured Exception Handling Overwrite Protection -Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the [Structured Exception Handler](https://msdn.microsoft.com/library/windows/desktop/ms680657(v=vs.85).aspx) (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they have been compiled with the latest improvements. +Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the [Structured Exception Handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they have been compiled with the latest improvements. You can use the Group Policy setting called **Process Mitigation Options** to control the SEHOP setting. A few applications have compatibility problems with SEHOP, so be sure to test for your environment. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). @@ -174,13 +174,13 @@ Address Space Layout Randomization (ASLR) makes that type of attack much more di Windows 10 applies ASLR holistically across the system and increases the level of entropy many times compared with previous versions of Windows to combat sophisticated attacks such as heap spraying. 64-bit system and application processes can take advantage of a vastly increased memory space, which makes it even more difficult for malware to predict where Windows 10 stores vital data. When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, which makes it even more difficult for a successful exploit that works on one system to work reliably on another. -You can use the Group Policy setting called **Process Mitigation Options** to control ASLR settings (“Force ASLR” and “Bottom-up ASLR”), as described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). +You can use the Group Policy setting called **Process Mitigation Options** to control ASLR settings ("Force ASLR" and "Bottom-up ASLR"), as described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). ## Mitigations that are built in to Windows 10 Windows 10 provides many threat mitigations to protect against exploits that are built into the operating system and need no configuration within the operating system. The table that follows describes some of these mitigations. -Control Flow Guard (CFG) is a mitigation that does not need configuration within the operating system, but does require that an application developer configure the mitigation into the application when it’s compiled. CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they are compiled. +Control Flow Guard (CFG) is a mitigation that does not need configuration within the operating system, but does require that an application developer configure the mitigation into the application when it's compiled. CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they are compiled. ### Table 3 Windows 10 mitigations to protect against memory exploits – no configuration needed @@ -191,29 +191,29 @@ Control Flow Guard (CFG) is a mitigation that does not need configuration within | **Universal Windows apps protections**
screen downloadable
apps and run them in
an AppContainer sandbox | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.
**More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. | | **Heap protections**
help prevent
exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.
**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. | | **Kernel pool protections**
help prevent
exploitation of pool memory
used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.
**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. | -| **Control Flow Guard**
helps mitigate exploits
that are based on
flow between code locations
in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.
**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. | +| **Control Flow Guard**
helps mitigate exploits
that are based on
flow between code locations
in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it's compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
For such an application, CFG can detect an attacker's attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.
**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. | | **Protections built into Microsoft Edge** (the browser)
helps mitigate multiple
threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.
**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer11), later in this topic. | ### SMB hardening improvements for SYSVOL and NETLOGON shares -In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). This reduces the likelihood of man-in-the-middle attacks. If SMB signing and mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won’t process domain-based Group Policy and scripts. +In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). This reduces the likelihood of man-in-the-middle attacks. If SMB signing and mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won't process domain-based Group Policy and scripts. > [!NOTE] -> The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://support.microsoft.com/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015) and [MS15-011 & MS15-014: Hardening Group Policy](https://blogs.technet.microsoft.com/srd/2015/02/10/ms15-011-ms15-014-hardening-group-policy/). +> The registry values for these settings aren't present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://support.microsoft.com/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015) and [MS15-011 & MS15-014: Hardening Group Policy](https://msrc-blog.microsoft.com/2015/02/10/ms15-011-ms15-014-hardening-group-policy/). ### Protected Processes Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on malware that gets on the device. Protected Processes creates limits of this type. -With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](https://msdn.microsoft.com/library/windows/desktop/dn313124(v=vs.85).aspx). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system. +With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](https://docs.microsoft.com/windows/win32/services/protecting-anti-malware-services-). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system. ### Universal Windows apps protections -When users download Universal Windows apps from the Microsoft Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. +When users download Universal Windows apps from the Microsoft Store, it's unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission. -In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Microsoft Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher. +In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Microsoft Store displays the exact capabilities the app requires (for example, access to the camera), along with the app's age rating and publisher. ### Windows heap protections @@ -221,29 +221,29 @@ The *heap* is a location in memory that Windows uses to store dynamic applicatio Windows 10 has several important improvements to the security of the heap: -- **Heap metadata hardening** for internal data structures that the heap uses, to improve protections against memory corruption. +- **Heap metadata hardening** for internal data structures that the heap uses, to improve protections against memory corruption. -- **Heap allocation randomization**, that is, the use of randomized locations and sizes for heap memory allocations, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable. +- **Heap allocation randomization**, that is, the use of randomized locations and sizes for heap memory allocations, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable. -- **Heap guard pages** before and after blocks of memory, which work as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app. +- **Heap guard pages** before and after blocks of memory, which work as trip wires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app. ### Kernel pool protections -The operating system kernel in Windows sets aside two pools of memory, one that remains in physical memory (“nonpaged pool”) and one that can be paged in and out of physical memory (“paged pool”). There are many mitigations that have been added over time, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 adds multiple “pool hardening” protections, such as integrity checks, that help protect the kernel pool against more advanced attacks. +The operating system kernel in Windows sets aside two pools of memory, one which remains in physical memory ("nonpaged pool") and one which can be paged in and out of physical memory ("paged pool"). There are many mitigations that have been added over time, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 adds multiple "pool hardening" protections, such as integrity checks, that help protect the kernel pool against more advanced attacks. In addition to pool hardening, Windows 10 includes other kernel hardening features: -- **Kernel DEP** and **Kernel ASLR**: Follow the same principles as [Data Execution Prevention](#data-execution-prevention) and [Address Space Layout Randomization](#address-space-layout-randomization), described earlier in this topic. +- **Kernel DEP** and **Kernel ASLR**: Follow the same principles as [Data Execution Prevention](#data-execution-prevention) and [Address Space Layout Randomization](#address-space-layout-randomization), described earlier in this topic. -- **Font parsing in AppContainer:** Isolates font parsing in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx). +- **Font parsing in AppContainer:** Isolates font parsing in an [AppContainer sandbox](https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation). -- **Disabling of NT Virtual DOS Machine (NTVDM)**: The old NTVDM kernel module (for running 16-bit applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM decreases protection against Null dereference and other exploits.) +- **Disabling of NT Virtual DOS Machine (NTVDM)**: The old NTVDM kernel module (for running 16-bit applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM decreases protection against Null dereference and other exploits.) -- **Supervisor Mode Execution Prevention (SMEP)**: Helps prevent the kernel (the “supervisor”) from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support. +- **Supervisor Mode Execution Prevention (SMEP)**: Helps prevent the kernel (the "supervisor") from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support. -- **Safe unlinking:** Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the “FastFail” mechanism to enable rapid and safe process termination. +- **Safe unlinking:** Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the "FastFail" mechanism to enable rapid and safe process termination. -- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques such as “NULL dereference” to overwrite critical system data structures in memory. +- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques such as "NULL dereference" to overwrite critical system data structures in memory. ### Control Flow Guard @@ -251,31 +251,31 @@ When applications are loaded into memory, they are allocated space based on the This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location is not trusted, the application is immediately terminated as a potential security risk. -An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](https://msdn.microsoft.com/library/windows/desktop/mt637065(v=vs.85).aspx). +An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](https://docs.microsoft.com/windows/win32/secbp/control-flow-guard). Of course, browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full advantage of CFG. ### Microsoft Edge and Internet Explorer 11 -Browser security is a critical component of any security strategy, and for good reason: the browser is the user’s interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks. +Browser security is a critical component of any security strategy, and for good reason: the browser is the user's interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks. All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two common examples of this are Flash and Java extensions that enable their respective applications to run inside a browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a priority. Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is more secure in multiple ways, especially: -- **Smaller attack surface; no support for non-Microsoft binary extensions**. Multiple browser components with vulnerable attack surfaces have been removed from Microsoft Edge. Components that have been removed include legacy document modes and script engines, Browser Helper Objects (BHOs), ActiveX controls, and Java. However, Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions. +- **Smaller attack surface; no support for non-Microsoft binary extensions**. Multiple browser components with vulnerable attack surfaces have been removed from Microsoft Edge. Components that have been removed include legacy document modes and script engines, Browser Helper Objects (BHOs), ActiveX controls, and Java. However, Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions. -- **Runs 64-bit processes.** A 64-bit PC running an older version of Windows often runs in 32-bit compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only 64-bit processes, which are much more secure against exploits. +- **Runs 64-bit processes.** A 64-bit PC running an older version of Windows often runs in 32-bit compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only 64-bit processes, which are much more secure against exploits. -- **Includes Memory Garbage Collection (MemGC)**. This helps protect against use-after-free (UAF) issues. +- **Includes Memory Garbage Collection (MemGC)**. This helps protect against use-after-free (UAF) issues. -- **Designed as a Universal Windows app.** Microsoft Edge is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protect Mode. However, because IE11 can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range of attacks than Microsoft Edge. +- **Designed as a Universal Windows app.** Microsoft Edge is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protect Mode. However, because IE11 can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range of attacks than Microsoft Edge. -- **Simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge default settings align with security best practices, which makes it more secure by default. +- **Simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge default settings align with security best practices, which makes it more secure by default. In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with websites and with binary extensions that do not work with Microsoft Edge. It should not be configured as the primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security. -For sites that require IE11 compatibility, including those that require binary extensions and plug ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11. +For sites that require IE11 compatibility, including those that require binary extensions and plug-ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11. ### Functions that software vendors can use to build mitigations into apps @@ -288,21 +288,21 @@ Some of the protections available in Windows 10 are provided through functions t | Mitigation | Function | |-------------|-----------| -| LoadLib image loading restrictions | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_IMAGE\_LOAD\_NO\_REMOTE\_ALWAYS\_ON\] | -| MemProt dynamic code restriction | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_PROHIBIT\_DYNAMIC\_CODE\_ALWAYS\_ON\] | -| Child Process Restriction to restrict the ability to create child processes | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROC\_THREAD\_ATTRIBUTE\_CHILD\_PROCESS\_POLICY\] | -| Code Integrity Restriction to restrict image loading | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/library/windows/desktop/hh769088(v=vs.85).aspx)
\[ProcessSignaturePolicy\] | -| Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/library/windows/desktop/hh769088(v=vs.85).aspx)
\[ProcessSystemCallDisablePolicy\] | -| High Entropy ASLR for up to 1TB of variance in memory allocations | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HIGH\_ENTROPY\_ASLR\_ALWAYS\_ON\] | -| Strict handle checks to raise immediate exception upon bad handle reference | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_STRICT\_HANDLE\_CHECKS\_ALWAYS\_ON\] | -| Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] | -| Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] | +| MemProt dynamic code restriction | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_PROHIBIT\_DYNAMIC\_CODE\_ALWAYS\_ON\] | +| LoadLib image loading restrictions | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_IMAGE\_LOAD\_NO\_REMOTE\_ALWAYS\_ON\] | +| Child Process Restriction to restrict the ability to create child processes | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROC\_THREAD\_ATTRIBUTE\_CHILD\_PROCESS\_POLICY\] | +| Code Integrity Restriction to restrict image loading | [SetProcessMitigationPolicy function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy)
\[ProcessSignaturePolicy\] | +| Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI | [SetProcessMitigationPolicy function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy)
\[ProcessSystemCallDisablePolicy\] | +| High Entropy ASLR for up to 1TB of variance in memory allocations | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HIGH\_ENTROPY\_ASLR\_ALWAYS\_ON\] | +| Strict handle checks to raise immediate exception upon bad handle reference | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_STRICT\_HANDLE\_CHECKS\_ALWAYS\_ON\] | +| Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] | +| Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] | ## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit -You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered a variety of exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those in Windows 10. Many of EMET’s mitigations have been built into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10. +You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered a variety of exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those in Windows 10. Many of EMET's mitigations have been built into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10. -Because many of EMET’s mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://technet.microsoft.com/security/jj653751)). +Because many of EMET's mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://web.archive.org/web/20170928073955/https://technet.microsoft.com/en-US/security/jj653751)). The following table lists EMET features in relation to Windows 10 features. @@ -337,7 +337,7 @@ to Windows 10 features
Null Page
-
@@ -352,9 +352,9 @@ to Windows 10 features
Caller Check
Simulate Execution Flow
Stack Pivot
-Deep Hooks (an ROP “Advanced Mitigation”)
-Anti Detours (an ROP “Advanced Mitigation”)
-Banned Functions (an ROP “Advanced Mitigation”)
+Deep Hooks (an ROP "Advanced Mitigation")
+Anti Detours (an ROP "Advanced Mitigation")
+Banned Functions (an ROP "Advanced Mitigation")
|Yes |No |Yes |Yes |Yes | -|Passive mode |No |No |Yes |No |Yes | -|[EDR in block mode enabled](shadow-protection.md) |No |No |Yes |Yes |Yes | -|Automatic disabled mode |No |Yes |No |No |No | - -- In Active mode, Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself). -- In Passive mode, Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service. -- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items. -- In Automatic disabled mode, Windows Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. - -## Keep the following points in mind - -If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. - -When Windows Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. - -In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md); however, you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. - -If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode. - -> [!WARNING] -> You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md). - - -## Related topics - -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md) -- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md deleted file mode 100644 index 79ba16ef12..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md +++ /dev/null @@ -1,59 +0,0 @@ ---- -title: Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 -description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016 -keywords: windows defender antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.date: 02/25/2020 -ms.reviewer: -manager: dansimp -ms.custom: nextgen ---- - -# Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 - -**Applies to:** - -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -## Windows Defender Antivirus: Your next-generation protection - -Windows Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include the following: - -- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-windows-defender-antivirus.md). This includes always-on scanning using file and process behavior monitoring and other heuristics (also known as "real-time protection"). It also includes detecting and blocking apps that are deemed unsafe, but may not be detected as malware. -- [Cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md). This includes near-instant detection and blocking of new and emerging threats. -- [Dedicated protection and product updates](manage-updates-baselines-windows-defender-antivirus.md). This includes updates related to keeping Windows Defender Antivirus up to date. - -## Try a demo! - -Visit the [Microsoft Defender ATP demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios: -- Cloud-delivered protection -- Block at first sight (BAFS) protection -- Potentially unwanted applications (PUA) protection - -## Minimum system requirements - -Windows Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see: - -- [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) -- [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components) - -## Configure next-generation protection services - -For information on how to configure next-generation protection services, see [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md). - -> [!Note] -> Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Windows Defender Antivirus; however, there are some differences. To learn more, see [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md). - -## Related articles - -- [Windows Defender Antivirus management and configuration](configuration-management-reference-windows-defender-antivirus.md) - -- [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md deleted file mode 100644 index b8fbc245ce..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md +++ /dev/null @@ -1,141 +0,0 @@ ---- -title: Windows Defender Offline in Windows 10 -description: You can use Windows Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network. -keywords: scan, defender, offline -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.reviewer: -manager: dansimp ---- - -# Run and review the results of a Windows Defender Offline scan - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR). - -You can use Windows Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean of the endpoint after a malware outbreak. - -In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Security app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media. - -## prerequisites and requirements - -Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10. - -For more information about Windows 10 requirements, see the following topics: - -- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) - -- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx) - -> [!NOTE] -> Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units. - -To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges. - -## Windows Defender Offline updates - -Windows Defender Offline uses the most recent protection updates available on the endpoint; it's updated whenever Windows Defender Antivirus is updated. - -> [!NOTE] -> Before running an offline scan, you should attempt to update Windows Defender AV protection. You can either force an update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx). - -See the [Manage Windows Defender Antivirus Security intelligence updates](manage-protection-updates-windows-defender-antivirus.md) topic for more information. - -## Usage scenarios - -In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. - -The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're using it to manage your endpoints. - -The prompt can occur via a notification, similar to the following: - - - -The user will also be notified within the Windows Defender client: - - - -In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. - -Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**. - - - -## Configure notifications - - -Windows Defender Offline notifications are configured in the same policy setting as other Windows Defender AV notifications. - -For more information about notifications in Windows Defender, see the [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) topic. - -## Run a scan - -> [!IMPORTANT] -> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally. - -You can run a Windows Defender Offline scan with the following: - -- PowerShell -- Windows Management Instrumentation (WMI) -- The Windows Security app - - - -### Use PowerShell cmdlets to run an offline scan - -Use the following cmdlets: - -```PowerShell -Start-MpWDOScan -``` - -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. - -### Use Windows Management Instruction (WMI) to run an offline scan - -Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class to run an offline scan. - -The following WMI script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows. - -```WMI -wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start -``` - -See the following for more information: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - - -### Use the Windows Defender Security app to run an offline scan - -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label: - - -3. Select **Windows Defender Offline scan** and click **Scan now**. - - - > [!NOTE] - > In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client. - - -## Review scan results - -Windows Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). - - -## Related articles - -- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md index e702402c80..ebb66d445a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 05/14/2019 +ms.date: 05/29/2020 --- # Manage Packaged Apps with Windows Defender Application Control @@ -65,8 +65,10 @@ Below are the list of steps you can follow to block one or more packaged apps in 1. Get the app identifier for an installed package ```powershell - $package = Get-AppxPackage -name
Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
-Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. **Note:** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.
**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | -|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**Note**
If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| -|Turn on Windows Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Windows Defender Application Guard only for Microsoft Edge
- Enable Windows Defender Application Guard only for Microsoft Office
- Enable Windows Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| -|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.
**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.| -|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| -|Allow camera and microphone access in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Windows Defender Application Guard.|**Enabled.** Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.| -|Allow Windows Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Windows Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates are not shared with Windows Defender Application Guard.| -|Allow users to trust files that open in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.
**Disabled or not configured.** Users are unable to manually trust files and files continue to open in Windows Defender Application Guard.| - - diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index d84d263388..cb2c999276 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md @@ -34,7 +34,7 @@ You can add information about your organization in a contact card to the Windows  -This information will also be shown in some enterprise-specific notifications (including those for the [Block at first sight feature](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus). +This information will also be shown in some enterprise-specific notifications (including those for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).  diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 27bf7e7c31..c215717a36 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -36,7 +36,7 @@ In some cases, it may not be appropriate to show these notifications, for exampl There are two levels to hiding notifications: -1. Hide non-critical notifications, such as regular updates about the number of scans Windows Defender Antivirus ran in the past week +1. Hide non-critical notifications, such as regular updates about the number of scans Microsoft Defender Antivirus ran in the past week 2. Hide all notifications If you set **Hide all notifications** to **Enabled**, changing the **Hide non-critical notifications** setting will have no effect. @@ -111,35 +111,35 @@ This can only be done in Group Policy. | Restricted access customized | _Company_ has caused Windows Defender to limit actions on this device. Some apps may not function as expected. Contact IT help desk. | SENSE_PROCESS_RESTRICTION_CUSTOM (body) | Yes | | HVCI, driver compat check fails (upon trying to enable) | There may be an incompatibility on your device. | HVCI_ENABLE_FAILURE | Yes | | HVCI, reboot needed to enable | The recent change to your protection settings requires a restart of your device. | HVCI_ENABLE_SUCCESS | Yes | -| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Windows Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes | -| Remediation failure | Windows Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes | -| Follow-up action (restart & scan) | Windows Defender Antivirus found _threat_ in _file name_. Please restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes | -| Follow-up action (restart) | Windows Defender Antivirus found _threat_ in _file_. Please restart your device. | WDAV_REBOOT | Yes | -| Follow-up action (Full scan) | Windows Defender Antivirus found _threat_ in _file_. Please run a full scan of your device. | FULLSCAN_REQUIRED | Yes | -| Sample submission prompt | Review files that Windows Defender will send to Microsoft. Sending this information can improve how Windows Defender Antivirus helps protect your device. | SAMPLE_SUBMISSION_REQUIRED | Yes | -| OS support ending warning | Support for your version of Windows is ending. When this support ends, Windows Defender Antivirus won’t be supported, and your device might be at risk. | SUPPORT_ENDING | Yes | -| OS support ended, device at risk | Support for your version of Windows has ended. Windows Defender Antivirus is no longer supported, and your device might be at risk. | SUPPORT_ENDED _and_ SUPPORT_ENDED_NO_DEFENDER | Yes | -| Summary notification, items found | Windows Defender Antivirus successfully took action on _n_ threats since your last summary. Your device was scanned _n_ times. | RECAP_FOUND_THREATS_SCANNED | No | -| Summary notification, items found, no scan count | Windows Defender Antivirus successfully took action on _n_ threats since your last summary. | RECAP_FOUND_THREATS | No | -| Summary notification, **no** items found, scans performed | Windows Defender Antivirus did not find any threats since your last summary. Your device was scanned _n_ times. | RECAP_NO THREATS_SCANNED | No | -| Summary notification, **no** items found, no scans | Windows Defender Antivirus did not find any threats since your last summary. | RECAP_NO_THREATS | No | -| Scan finished, manual, threats found | Windows Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No | -| Scan finished, manual, **no** threats found | Windows Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No | -| Threat found | Windows Defender Antivirus found threats. Get details. | CRITICAL | No | -| LPS on notification | Windows Defender Antivirus is periodically scanning your device. You’re also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No | +| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Microsoft Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes | +| Remediation failure | Microsoft Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes | +| Follow-up action (restart & scan) | Microsoft Defender Antivirus found _threat_ in _file name_. Please restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes | +| Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Please restart your device. | WDAV_REBOOT | Yes | +| Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Please run a full scan of your device. | FULLSCAN_REQUIRED | Yes | +| Sample submission prompt | Review files that Windows Defender will send to Microsoft. Sending this information can improve how Microsoft Defender Antivirus helps protect your device. | SAMPLE_SUBMISSION_REQUIRED | Yes | +| OS support ending warning | Support for your version of Windows is ending. When this support ends, Microsoft Defender Antivirus won’t be supported, and your device might be at risk. | SUPPORT_ENDING | Yes | +| OS support ended, device at risk | Support for your version of Windows has ended. Microsoft Defender Antivirus is no longer supported, and your device might be at risk. | SUPPORT_ENDED _and_ SUPPORT_ENDED_NO_DEFENDER | Yes | +| Summary notification, items found | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. Your device was scanned _n_ times. | RECAP_FOUND_THREATS_SCANNED | No | +| Summary notification, items found, no scan count | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. | RECAP_FOUND_THREATS | No | +| Summary notification, **no** items found, scans performed | Microsoft Defender Antivirus did not find any threats since your last summary. Your device was scanned _n_ times. | RECAP_NO THREATS_SCANNED | No | +| Summary notification, **no** items found, no scans | Microsoft Defender Antivirus did not find any threats since your last summary. | RECAP_NO_THREATS | No | +| Scan finished, manual, threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No | +| Scan finished, manual, **no** threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No | +| Threat found | Microsoft Defender Antivirus found threats. Get details. | CRITICAL | No | +| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device. You’re also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No | | Long running BaFS | Your IT administrator requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS | No | | Long running BaFS customized | _Company_ requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS_DETECTED_CUSTOM (body) | No | | Sense detection | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED | No | | Sense detection customized | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED_CUSTOM (body) | No | -| Ransomware specific detection | Windows Defender Antivirus has detected threats which may include ransomware. | WDAV_RANSOMWARE_DETECTED | No | +| Ransomware specific detection | Microsoft Defender Antivirus has detected threats which may include ransomware. | WDAV_RANSOMWARE_DETECTED | No | | ASR (HIPS) block | Your IT administrator caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED | No | | ASR (HIPS) block customized | _Company_ caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED_CUSTOM (body) | No | | CFA (FolderGuard) block | Controlled folder access blocked _process_ from making changes to the folder _path_ | FOLDERGUARD_BLOCKED | No | | Network protect (HIPS) network block customized | _Company_ caused Windows Defender Security Center to block this network connection. Contact your IT help desk. | HIPS_NETWORK_BLOCKED_CUSTOM (body) | No | | Network protection (HIPS) network block | Your IT administrator caused Windows Defender Security Center to block this network connection. Contact your IT help desk. | HIPS_NETWORK_BLOCKED | No | | PUA detection, not blocked | Your settings cause the detection of any app that might perform unwanted actions on your computer. | PUA_DETECTED | No | -| PUA notification | Your IT settings caused Windows Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED | No | -| PUA notification, customized | _Company_ caused Windows Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED_CUSTOM (body) | No | +| PUA notification | Your IT settings caused Microsoft Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED | No | +| PUA notification, customized | _Company_ caused Microsoft Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED_CUSTOM (body) | No | | Network isolation ended | | | No | | Network isolation ended, customized | | | No | | Restricted access ended | | | No | diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index 4c160a092a..df2646c94e 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md @@ -1,6 +1,6 @@ --- title: Virus and threat protection in the Windows Security app -description: Use the Virus & threat protection section to see and configure Windows Defender Antivirus, Controlled folder access, and 3rd-party AV products. +description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products. keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -24,14 +24,14 @@ manager: dansimp - Windows 10, version 1703 and later -The **Virus & threat protection** section contains information and settings for antivirus protection from Windows Defender Antivirus and third-party AV products. +The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products. In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions in the event of a ransomware attack. IT administrators and IT pros can get more information and documentation about configuration from the following: -- [Windows Defender Antivirus in the Windows Security app](../windows-defender-antivirus/windows-defender-security-center-antivirus.md) -- [Windows Defender Antivirus documentation library](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) +- [Microsoft Defender Antivirus in the Windows Security app](../microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md) +- [Microsoft Defender Antivirus documentation library](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md) - [Protect important folders with Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) - [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/en-us/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/) - [Office 365 advanced protection](https://support.office.com/en-us/article/office-365-advanced-protection-82e72640-39be-4dc7-8efd-740fb289123a) diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index 56b6759416..0f263a291a 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -40,9 +40,9 @@ In Windows 10, version 1803, the app has two new areas, **Account protection** a You can't uninstall the Windows Security app, but you can do one of the following: -- Disable the interface on Windows Server 2016. See [Windows Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016). +- Disable the interface on Windows Server 2016. See [Microsoft Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016). - Hide all of the sections on client computers (see below). -- Disable Windows Defender Antivirus, if needed. See [Enable and configure Windows Defender AV always-on protection and monitoring](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). +- Disable Microsoft Defender Antivirus, if needed. See [Enable and configure Microsoft Defender AV always-on protection and monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus). You can find more information about each section, including options for configuring the sections - such as hiding each of the sections - at the following topics: @@ -77,20 +77,20 @@ You can find more information about each section, including options for configur ## How the Windows Security app works with Windows security features > [!IMPORTANT] -> Windows Defender AV and the Windows Security app use similarly named services for specific purposes. +> Microsoft Defender AV and the Windows Security app use similarly named services for specific purposes. > > The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. > ->These services do not affect the state of Windows Defender AV. Disabling or modifying these services will not disable Windows Defender AV, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product. +>These services do not affect the state of Microsoft Defender AV. Disabling or modifying these services will not disable Microsoft Defender AV, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product. > ->Windows Defender AV will be [disabled automatically when a third-party antivirus product is installed and kept up to date](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +>Microsoft Defender AV will be [disabled automatically when a third-party antivirus product is installed and kept up to date](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). > -> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). +> Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). > [!WARNING] > If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. > -> It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. +> It may also prevent Microsoft Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. > > This will significantly lower the protection of your device and could lead to malware infection. @@ -103,4 +103,4 @@ Disabling any of the individual features (through Group Policy or other manageme > [!IMPORTANT] > Individually disabling any of the services will not disable the other services or the Windows Security app. -For example, [using a third-party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. +For example, [using a third-party antivirus will disable Microsoft Defender Antivirus](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md index 2ddbd8ddd4..f8bce090ea 100644 --- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md @@ -1,6 +1,6 @@ --- title: Basic Firewall Policy Design (Windows 10) -description: Basic Firewall Policy Design +description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design. ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md index 1be717ce49..71775ab476 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md @@ -1,6 +1,6 @@ --- title: Certificate-based Isolation Policy Design (Windows 10) -description: Certificate-based Isolation Policy Design +description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design. ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md index 11af4131b4..d953de0a48 100644 --- a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md +++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md @@ -1,6 +1,6 @@ --- title: Change Rules from Request to Require Mode (Windows 10) -description: Change Rules from Request to Require Mode +description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices. ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md index 6d74ea9356..2fec691406 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md @@ -1,6 +1,6 @@ --- title: Checklist Implementing a Basic Firewall Policy Design (Windows 10) -description: Checklist Implementing a Basic Firewall Policy Design +description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation. ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md index 2c12d1140a..38155aa557 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md @@ -1,6 +1,6 @@ --- title: Create an Authentication Request Rule (Windows 10) -description: Create an Authentication Request Rule +description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate. ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359 ms.reviewer: ms.author: dansimp @@ -19,7 +19,7 @@ ms.date: 08/17/2017 # Create an Authentication Request Rule -**Applies to** +**Applies to:** - Windows 10 - Windows Server 2016 @@ -27,9 +27,9 @@ After you have configured IPsec algorithms and authentication methods, you can c **Administrative credentials** -To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the (Group Policy Objects) GPOs. -To create the authentication request rule +To create the authentication request rule: 1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). @@ -39,9 +39,10 @@ To create the authentication request rule 4. On the **Requirements** page, select **Request authentication for inbound and outbound connections**. - >**Caution:** Do not configure the rule to require inbound authentication until you have confirmed that all of your devices are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the devices to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network. + > [!CAUTION] + > Do not configure the rule to require inbound authentication until you have confirmed that all of your devices are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the devices to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network. -5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are tried in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP). +5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are attempted in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP). 1. **Default**. Selecting this option tells the device to request authentication by using the method currently defined as the default on the device. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods](configure-authentication-methods.md) procedure. @@ -49,7 +50,9 @@ To create the authentication request rule 3. **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows. - 4. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. + 4. **Advanced**. Selecting this option enables you to specify a custom combination of authentication methods required for your scenario. + +6. Optional: If you selected **Advanced** in the previous step, then Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. The **First authentication method** can be one of the following: @@ -75,18 +78,19 @@ To create the authentication request rule If you check **Second authentication is optional**, the connection can succeed even if the authentication attempt specified in this column fails. - >**Important:** Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. + > [!IMPORTANT] + > Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. -6. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**. +7. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**. -7. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies. +8. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies. - On portable devices, consider clearing the **Private** and **Public** boxes to enable the device to communicate without authentication when it is away from the domain network. - - On devices that do not move from network to network, consider selecting all of the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule. + - On devices that do not move from network to network, consider selecting all the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule. Click **Next**. -8. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**. +9. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**. The new rule appears in the list of connection security rules. diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md index 354ed24f32..d1211abf11 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md @@ -1,6 +1,6 @@ --- title: Create an Outbound Program or Service Rule (Windows 10) -description: Create an Outbound Program or Service Rule +description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index 15c54f8ada..e7201d21c3 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md @@ -74,8 +74,8 @@ Comma separated list of local addresses covered by the rule. Valid tokens includ - \* indicates any local address. If present, this must be the only token included. - A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask default is 255.255.255.255. - A valid IPv6 address. -- An IPv4 address range in the format of "start address - end address" with no spaces included. -- An IPv6 address range in the format of "start address - end address" with no spaces included. Default is Any address. +- An IPv4 address range in the format of "start address-end address" with no spaces included. +- An IPv6 address range in the format of "start address-end address" with no spaces included. Default is Any address. [Learn more](https://aka.ms/intunefirewalllocaladdressrule) @@ -93,8 +93,8 @@ List of comma separated tokens specifying the remote addresses covered by the ru - LocalSubnet indicates any local address on the local subnet. - A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. - A valid IPv6 address. -- An IPv4 address range in the format of "start address - end address" with no spaces included. -- An IPv6 address range in the format of "start address - end address" with no spaces included. +- An IPv4 address range in the format of "start address-end address" with no spaces included. +- An IPv6 address range in the format of "start address-end address" with no spaces included. Default is Any address. diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md index d67461d012..95428bb9b0 100644 --- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -1,6 +1,6 @@ --- title: Designing a Windows Defender Firewall Strategy (Windows 10) -description: Designing a Windows Defender Firewall with Advanced Security Strategy +description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy. ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md index 5911a0bedc..f66bc68daa 100644 --- a/windows/security/threat-protection/windows-firewall/exemption-list.md +++ b/windows/security/threat-protection/windows-firewall/exemption-list.md @@ -1,6 +1,6 @@ --- title: Exemption List (Windows 10) -description: Exemption List +description: Learn the ins and outs of exemption lists on a secured network using Windows 10. ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8 ms.reviewer: ms.author: dansimp @@ -23,7 +23,7 @@ ms.date: 04/19/2017 - Windows 10 - Windows Server 2016 -When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devicess on the internal network, yet secured from network attacks. However, if they must remain available to all devicess on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. +When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devices on the internal network, yet secured from network attacks. However, if they must remain available to all devices on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted devices cannot use IPsec to access, which would be added to the exemption list. diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index 0c27975e1b..dc11219314 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md @@ -1,6 +1,6 @@ --- title: Gathering Info about Your Network Infrastructure (Windows 10) -description: Gathering Information about Your Current Network Infrastructure +description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment. ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md index eda2c2ccc5..bc1c471475 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md @@ -1,6 +1,6 @@ --- title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows 10) -description: GPO\_DOMISO\_IsolatedDomain\_Clients +description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md index bfe618f15f..de34b9c3ad 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md @@ -1,6 +1,6 @@ --- title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows 10) -description: GPO\_DOMISO\_IsolatedDomain\_Servers +description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md index e8ec3acdbe..74dacfe608 100644 --- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -1,6 +1,6 @@ --- title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows 10) -description: Planning to Deploy Windows Defender Firewall with Advanced Security +description: Use the design information in this article to plan for the deployment of Windows Defender Firewall with Advanced Security in your organization. ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e ms.reviewer: ms.author: dansimp @@ -27,30 +27,42 @@ After you collect information about your environment and decide on a design by f ## Reviewing your Windows Defender Firewall with Advanced Security Design -If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. Review the following points: +If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure the deployment team reviews the final design with the design team. Review the following information before starting your deployment. -- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide: +### Decide which devices apply to which GPO - - [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) +The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide: - - [Planning the GPOs](planning-the-gpos.md) +- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) - - [Planning GPO Deployment](planning-gpo-deployment.md) +- [Planning the GPOs](planning-the-gpos.md) -- The communication to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list. +- [Planning GPO Deployment](planning-gpo-deployment.md) -- The recommendation that domain controllers are exempted from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers. +### Configure communication between members and devices -- The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior, so communications can continue while the authentication failures are investigated. +Decide what communication is to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list. -- The requirement that all devices that must communicate with each other share a common set of: +### Exempt domain controllers from IPsec authentication requirements - - Authentication methods +It is recommended that domain controllers are exempt from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers. - - Main mode key exchange algorithms +### Configure IPsec authentication rules - - Quick mode data integrity algorithms +The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior. Communications can continue while the authentication failures are investigated. - If at least one set of each does not match between two devices, then the devices cannot successfully communicate. +### Make sure all devices can communicate with each other + +For all devices to communicate with each other, they must share a common set of: + +- Authentication methods + +- Main mode key exchange algorithms + +- Quick mode data integrity algorithms + +If at least one set of each does not match between two devices, then the devices cannot successfully communicate. + +## Deploy your Windows Firewall Design Plan After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Defender Firewall design. For more information, see [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md). diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index b34c8d48ea..117070ef88 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md @@ -1,6 +1,6 @@ --- title: Restrict Access to Only Specified Users or Devices (Windows 10) -description: Restrict Access to Only Specified Users or Devices +description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security. ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md index 223595ed41..92f54d794a 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md @@ -1,6 +1,6 @@ --- title: Restrict Server Access to Members of a Group Only (Windows 10) -description: Restrict Server Access to Members of a Group Only +description: Create a firewall rule to access isolated servers running Windows Server 2008 or later and restrict server access to members of a group. ms.assetid: ea51c55b-e1ed-44b4-82e3-3c4287a8628b ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md index 86aa913f16..d1d4e94a38 100644 --- a/windows/security/threat-protection/windows-platform-common-criteria.md +++ b/windows/security/threat-protection/windows-platform-common-criteria.md @@ -23,6 +23,7 @@ Microsoft is committed to optimizing the security of its products and services. The Security Target describes security functionality and assurance measures used to evaluate Windows. +- [Microsoft Windows 10 (November 2019 Update)](https://download.microsoft.com/download/b/3/7/b37981cf-040a-4b02-a93c-a3d3a93986bf/Windows%2010%201909%20GP%20OS%20Security%20Target.pdf) - [Microsoft Windows 10 (May 2019 Update)](https://download.microsoft.com/download/c/6/9/c6903621-901e-4603-b9cb-fbfe5d6aa691/Windows%2010%201903%20GP%20OS%20Security%20Target.pdf) - [Microsoft Windows 10 (October 2018 Update)](https://download.microsoft.com/download/3/f/e/3fe6938d-2c2d-4ef1-85d5-1d42dc68ea89/Windows%2010%20version%201809%20GP%20OS%20Security%20Target.pdf) - [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf) @@ -61,6 +62,7 @@ These documents describe how to configure Windows to replicate the configuration **Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2** +- [Microsoft Windows 10 (November 2019 Update)](https://download.microsoft.com/download/7/7/3/77303254-05fb-4009-8a39-bf5fe7484a41/Windows%2010%201909%20GP%20OS%20Administrative%20Guide.pdf) - [Microsoft Windows 10 (May 2019 Update)](https://download.microsoft.com/download/0/b/b/0bb1c6b7-499a-458e-a5f8-e9cf972dfa8d/Windows%2010%201903%20GP%20OS%20Administrative%20Guide.pdf) - [Microsoft Windows 10 (October 2018 Update)](https://download.microsoft.com/download/f/f/1/ff186e32-35cf-47db-98b0-91ff11763d74/Windows%2010%20version%201809%20GP%20OS%20Administrative%20Guide.pdf) - [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf) @@ -140,6 +142,7 @@ These documents describe how to configure Windows to replicate the configuration An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team. +- [Microsoft Windows 10 (November 2019 Update)](https://download.microsoft.com/download/9/f/3/9f350b73-1790-4dcb-97f7-a0e65a00b55f/Windows%2010%201909%20GP%20OS%20Certification%20Report.pdf) - [Microsoft Windows 10 (May 2019 Update)](https://download.microsoft.com/download/2/1/9/219909ad-2f2a-44cc-8fcb-126f28c74d36/Windows%2010%201903%20GP%20OS%20Certification%20Report.pdf) - [Microsoft Windows 10 (October 2018 Update)](https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf) - [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf) diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md index 1c44d0d42f..a0f657a331 100644 --- a/windows/security/threat-protection/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-baselines.md @@ -22,6 +22,7 @@ ms.reviewer: - Windows 10 - Windows Server - Microsoft 365 Apps for enterprise +- Microsoft Edge ## Using security baselines in your organization diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md index a043492918..edb6146667 100644 --- a/windows/whats-new/TOC.md +++ b/windows/whats-new/TOC.md @@ -1,4 +1,5 @@ # [What's new in Windows 10](index.md) +## [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md) ## [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md) ## [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md) ## [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) diff --git a/windows/whats-new/get-started-with-1709.md b/windows/whats-new/get-started-with-1709.md index b7879030be..2b22a606de 100644 --- a/windows/whats-new/get-started-with-1709.md +++ b/windows/whats-new/get-started-with-1709.md @@ -1,6 +1,6 @@ --- title: Get started with Windows 10, version 1709 -description: All the information to get you started with Windows 10, version 1709. +description: Learn the dos and don'ts for getting started with Windows 10, version 1709. keywords: ["get started", "windows 10", "fall creators update", "1709"] ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/whats-new/images/system-guard2.png b/windows/whats-new/images/system-guard2.png new file mode 100644 index 0000000000..5505ffa78c Binary files /dev/null and b/windows/whats-new/images/system-guard2.png differ diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index b7051cfee0..f8674a3abf 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -18,6 +18,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec ## In this section +- [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md) - [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md) - [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md) - [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index 727cc608be..37619d2d6f 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md @@ -117,12 +117,12 @@ Windows Information Protection (WIP) helps to protect against this potential dat Several new features and management options have been added to Windows Defender in this version of Windows 10. -- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. -- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans. -- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. -- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal. -- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus). -- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times. +- [Windows Defender Offline in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. +- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans. +- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. +- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal. +- [Run a Windows Defender scan from the command line](/windows/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus). +- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times. ### Windows Defender Advanced Threat Protection (ATP) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index d409feafd2..8c41f40e80 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -72,25 +72,25 @@ But these protections can also be configured separately. And, unlike HVCI, code ### Endpoint detection and response -Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal. +Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal. - Windows Defender is now called Windows Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). + Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). - We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). The new library includes information on: -- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus) -- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) -- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus) -- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) -- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus) + We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). The new library includes information on: +- [Deploying and enabling AV protection](/windows/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus) +- [Managing updates](/windows/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) +- [Reporting](/windows/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus) +- [Configuring features](/windows/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features) +- [Troubleshooting](/windows/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus) - Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus). + Some of the highlights of the new library include [Evaluation guide for Microsoft Defender AV](/windows/threat-protection/microsoft-defender-antivirus//evaluate-microsoft-defender-antivirus) and [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus). - New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include: -- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) -- [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus) -- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) + New features for Microsoft Defender AV in Windows 10 Enterprise 2019 LTSC include: +- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) +- [The ability to specify the level of cloud-protection](/windows/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) +- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-security-center-antivirus) - We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). + We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus). **Endpoint detection and response** is also enhanced. New **detection** capabilities include: - [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. @@ -226,9 +226,9 @@ An issue, known as “SMBLoris�?, which could result in denial of service, has Windows Defender Security Center is now called **Windows Security Center**. -You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**. +You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**. -The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products. +The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products. WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. @@ -387,7 +387,7 @@ Update Compliance is a solution built using OMS Log Analytics that provides info For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor). -New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). +New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Microsoft Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). ### Device Health diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index e49c027a4d..6898dce476 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, versions 1507 and 1511 (Windows 10) -description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 (versions 1507 and 1511) and Windows 10 Mobile. +description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511) and Windows 10 Mobile. ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6 ms.reviewer: ms.prod: w10 @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.topic: article --- -# What's new in Windows 10, versions 1507 and 1511 +# What's new in Windows 10, versions 1507 and 1511 for IT Pros Below is a list of some of the new and updated features included in the initial release of Windows 10 (version 1507) and the Windows 10 update to version 1511. diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index f27cc65739..f3e4867a56 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1607 (Windows 10) -description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 (version 1607) and Windows 10 Mobile. +description: What's new in Windows 10 for Windows 10 (version 1607) and Windows 10 Mobile. keywords: ["What's new in Windows 10", "Windows 10", "anniversary update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ ms.author: greglin ms.topic: article --- -# What's new in Windows 10, version 1607 +# What's new in Windows 10, version 1607 for IT Pros Below is a list of some of the new and updated features in Windows 10, version 1607 (also known as the Anniversary Update). @@ -103,12 +103,12 @@ Windows Information Protection (WIP) helps to protect against this potential dat ### Windows Defender Several new features and management options have been added to Windows Defender in Windows 10, version 1607. -- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. -- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans. -- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. -- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal. -- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus). -- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times. +- [Windows Defender Offline in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. +- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans. +- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. +- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal. +- [Run a Windows Defender scan from the command line](/windows/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus). +- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times. ### Windows Defender Advanced Threat Protection (ATP) With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 1a4c0d57c0..2f32d6a64d 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1703 -description: New and updated IT pro content about new features in Windows 10, version 1703 (also known as the Creators Updated). +description: New and updated features in Windows 10, version 1703 (also known as the Creators Updated). keywords: ["What's new in Windows 10", "Windows 10", "creators update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.author: greglin ms.topic: article --- -# What's new in Windows 10, version 1703 IT pro content +# What's new in Windows 10, version 1703 for IT Pros Below is a list of some of what's new in Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update). @@ -107,7 +107,7 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10 - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed - **Investigation**
- Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations. + Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations. Other investigation enhancements include: - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. @@ -127,30 +127,30 @@ You can read more about ransomware mitigations and detection capability in Windo Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/windows/mt782787). -### Windows Defender Antivirus -Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). +### Microsoft Defender Antivirus +Windows Defender is now called Microsoft Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). The new library includes information on: -- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus) -- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) -- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus) -- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) -- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus) +- [Deploying and enabling AV protection](/windows/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus) +- [Managing updates](/windows/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) +- [Reporting](/windows/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus) +- [Configuring features](/windows/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features) +- [Troubleshooting](/windows/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus) Some of the highlights of the new library include: -- [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) -- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus) +- [Evaluation guide for Microsoft Defender AV](/windows/threat-protection/microsoft-defender-antivirus//evaluate-microsoft-defender-antivirus) +- [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus) -New features for Windows Defender AV in Windows 10, version 1703 include: +New features for Microsoft Defender AV in Windows 10, version 1703 include: -- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) -- [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus) -- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) +- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) +- [The ability to specify the level of cloud-protection](/windows/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) +- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-security-center-antivirus) -In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). +In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus). -You can read more about ransomware mitigations and detection capability in Windows Defender AV in the [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/). +You can read more about ransomware mitigations and detection capability in Microsoft Defender AV in the [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/). ### Device Guard and Credential Guard diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index ef9b4541f0..468c6ddce9 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1709 -description: New and updated IT Pro content about new features in Windows 10, version 1709 (also known as the Fall Creators Update). +description: New and updated features in Windows 10, version 1709 (also known as the Fall Creators Update). keywords: ["What's new in Windows 10", "Windows 10", "Fall Creators Update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.topic: article --- -# What's new in Windows 10, version 1709 IT Pro content +# What's new in Windows 10, version 1709 for IT Pros **Applies to** - Windows 10, version 1709 @@ -95,7 +95,8 @@ Windows Defender Application Guard hardens a favorite attacker entry-point by is ### Window Defender Exploit Guard -Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection), [Attack surface reduction protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction), [Controlled folder access](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/controlled-folder-access), and [Network protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/network-protection). +Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection), [Attack surface reduction protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction), [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access), and [Network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection). + ### Windows Defender Device Guard @@ -129,7 +130,7 @@ Upgrade Readiness provides insights into application and driver compatibility is ### Update Compliance -New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). +New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Microsoft Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). ### Device Health @@ -149,3 +150,7 @@ Several network stack enhancements are available in this release. Some of these [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
[What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709. +[Threat protection on Windows 10](https://docs.microsoft.com/windows/security/threat-protection/):Detects advanced attacks and data breaches, automates security incidents and improves security posture.
+ + + diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index 051d5d4b6e..93bcfb411b 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1803 -description: New and updated IT Pro content about new features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update). +description: New and updated features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update). keywords: ["What's new in Windows 10", "Windows 10", "April 2018 Update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.topic: article --- -# What's new in Windows 10, version 1803 IT Pro content +# What's new in Windows 10, version 1803 for IT Pros **Applies to** - Windows 10, version 1803 @@ -171,9 +171,9 @@ In the Feedback and Settings page under Privacy Settings you can now delete the The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published. -### Windows Defender Antivirus +### Microsoft Defender Antivirus -Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). +Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). ### Windows Defender Exploit Guard diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index e5ab713e82..ba0090d559 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -107,9 +107,9 @@ See the following example: Windows Defender Security Center is now called **Windows Security Center**. -You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**. +You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**. -The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products. +The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products. WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index ec640e3eea..aed8001e95 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1903 -description: New and updated IT Pro content about new features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update). +description: New and updated features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update). keywords: ["What's new in Windows 10", "Windows 10", "May 2019 Update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.topic: article --- -# What's new in Windows 10, version 1903 IT Pro content +# What's new in Windows 10, version 1903 for IT Pros **Applies to** - Windows 10, version 1903 @@ -83,7 +83,7 @@ The draft release of the [security configuration baseline settings](https://blog ### Microsoft Defender Advanced Threat Protection (ATP): - [Attack surface area reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. -- [Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. +- [Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical ATP security capabilities away from the OS and attackers. - [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Windows Defender ATP’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. @@ -138,7 +138,7 @@ This new feature is displayed under the Device Security page with the string “ - [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes. - [Windows Security app](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations. -- [Tamper Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features. +- [Tamper Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features. ## Microsoft Edge diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index 5d019f5d03..27fc2277eb 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1909 -description: New and updated IT Pro content about new features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update). +description: New and updated features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update). keywords: ["What's new in Windows 10", "Windows 10", "November 2019 Update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.topic: article --- -# What's new in Windows 10, version 1909 IT Pro content +# What's new in Windows 10, version 1909 for IT Pros **Applies to** - Windows 10, version 1909 @@ -60,10 +60,6 @@ An experimental implementation of TLS 1.3 is included in Windows 10, version 190 ## Virtualization -### Containers on Windows - -This update includes 5 fixes to allow the host to run down-level containers on up-level for process (Argon) isolation. Previously [Containers on Windows](https://docs.microsoft.com/virtualization/windowscontainers/) required matched host and container version. This limited Windows containers from supporting mixed-version container pod scenarios. - ### Windows Sandbox [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature is available in Windows 10, version 1903. In Windows 10, version 1909 you have even more control over the level of isolation. @@ -78,7 +74,7 @@ Windows Virtual Desktop is a comprehensive desktop and app virtualization servic #### Microsoft Endpoint Manager -Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now are [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797). +Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797). ### Windows 10 Pro and Enterprise in S mode diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md new file mode 100644 index 0000000000..0740a2c4fd --- /dev/null +++ b/windows/whats-new/whats-new-windows-10-version-2004.md @@ -0,0 +1,243 @@ +--- +title: What's new in Windows 10, version 2004 +description: New and updated features in Windows 10, version 2004 (also known as the Windows 10 May 2020 Update). +keywords: ["What's new in Windows 10", "Windows 10", "May 2020 Update"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.author: greglin +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- + +# What's new in Windows 10, version 2004 for IT Pros + +**Applies to** +- Windows 10, version 2004 + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 2004, also known as the Windows 10 May 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1909. To download and install Windows 10, version 2004, use Windows Update (**Settings > Update & Security > Windows Update**). For more information, see this [video](https://aka.ms/Windows-10-May-2020-Update). + +> [!NOTE] +> The month indicator for this release is 04 instead of 03 to avoid confusion with Windows releases in the year 2003. + +## Security + +### Windows Hello + +- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox. +- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. +- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#windows-hello-pin-in-safe-mode-build-18995). +- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). + +### Windows Defender System Guard + +In this release, [Windows Defender System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO. + +With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon. + +  + +### Windows Defender Application Guard + +[Windows Defender Application Guard](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020. + +Note: [Application Guard for Office](https://support.office.com/article/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46) is coming soon. + +## Deployment + +### Windows Setup + +Improvements in Windows Setup with this release include: +- Reduced offline time during feature updates +- Improved controls for reserved storage +- Improved controls and diagnostics +- New recovery options + +For more information, see Windows Setup enhancements in the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/pilot-new-features-with-the-windows-insider-program-for-business/ba-p/1220464). + +### SetupDiag + +In Windows 10, version 2004, SetupDiag is now automatically installed. + +[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. + +During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there is an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup. + +### Windows Autopilot + +With this release, you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903. + +If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles. + +### Microsoft Endpoint Manager + +An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364). + +Also see [What's new in Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/whats-new). + +### Windows Assessment and Deployment Toolkit (ADK) + +Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install). + +For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004). + +### Microsoft Deployment Toolkit (MDT) + +MDT version 8456 supports Windows 10, version 2004, but there is currently an issue that causes MDT to incorrectly detect that UEFI is present. This issue is currently under investigation. + +For the latest information about MDT, see the [MDT release notes](https://docs.microsoft.com/mem/configmgr/mdt/release-notes). + +## Servicing + +### Delivery Optimization + +Windows PowerShell cmdlets have been improved: + +- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peak behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent). +- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections. +- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting. + +Additional improvements: +- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. +- Automatic cloud-based congestion detection is available for PCs with cloud service support. + +The following [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) policies are removed in this release: + +- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth) + - Reason: Replaced with separate policies for foreground and background +- Max Upload Bandwidth (DOMaxUploadBandwidth) + - Reason: impacts uploads to internet peers only, which isn't used in Enterprises. +- Absolute max throttle (DOMaxDownloadBandwidth) + - Reason: separated to foreground and background + +### Windows Update for Business + +[Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include: +- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. +- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. + +## Virtualization + +### Windows Sandbox + +[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature was released with Windows 10, version 1903. Windows 10, version 2004 includes bug fixes and enables even more control over configuration. + +[Windows Sandbox configuration](https://docs.microsoft.com/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file) includes: +- MappedFolders now supports a destination folder. Previously no destination could be specified, it was always mapped to the Sandbox desktop. +- AudioInput/VideoInput settings now enable you to share their host microphone or webcam with the Sandbox. +- ProtectedClient is a new security setting that runs the connection to the Sandbox with extra security settings enabled. This is disabled by default due to issues with copy & paste. +- PrinterRedirection: You can now enable and disable host printer sharing with the Sandbox. +- ClipboardRedirection: You can now enable and disable host clipboard sharing with the Sandbox. +- MemoryInMB adds the ability to specify the maximum memory usage of the Sandbox. + +Windows Media Player is also added back to the Sandbox image in this release. + +Windows Sandbox also has improved accessibility in this release, including: +- Microphone support is available. +- Added functionality to configure the audio input device via the Windows Sandbox config file. +- A Shift + Alt + PrintScreen key sequence that activates the ease of access dialog for enabling high contrast mode. +- A ctrl + alt + break key sequence that allows entering/exiting fullscreen mode. + +### Windows Subsystem for Linux (WSL) + +With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM's memory could grow, but would not shrink when no longer needed. + +[WSL2](https://docs.microsoft.com/windows/wsl/wsl2-index) support is has been added for ARM64 devices if your device supports virtualization. + +For a full list of updates to WSL, see the [WSL release notes](https://docs.microsoft.com/windows/wsl/release-notes). + +### Windows Virtual Desktop (WVD) + +Windows 10 is an integral part of WVD, and several enhancements are available in the Spring 2020 update. Check out [Windows Virtual Desktop documentation](https://aka.ms/wvdgetstarted) for the latest and greatest information, as well as the [WVD Virtual Event from March](https://aka.ms/wvdvirtualevent). + +## Microsoft Edge + +Read about plans for the new Microsoft Edge and other innovations announced at [Build 2020](https://blogs.windows.com/msedgedev/2020/05/19/microsoft-edge-news-developers-build-2020/) and [What's new at Microsoft Edge Insider](https://www.microsoftedgeinsider.com/whats-new). + +Also see information about the exciting new Edge browser [here](https://blogs.windows.com/windowsexperience/2020/01/15/new-year-new-browser-the-new-microsoft-edge-is-out-of-preview-and-now-available-for-download/). + +## Application settings + +This release enables explicit [control over when Windows automatically restarts apps](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC. + +## Windows Shell + +Several enhancements to the Windows 10 user interface are implemented in this release: + +### Cortana + +[Cortana](https://www.microsoft.com/cortana) has been updated and enhanced in Windows 10, version 2004: +- Productivity: chat-based UI gives you the ability to [interact with Cortana using typed or spoken natural language queries](https://support.microsoft.com/help/4557165) to easily get information across Microsoft 365 and stay on track. Productivity focused capabilities such as finding people profiles, checking schedules, joining meetings, and adding to lists in Microsoft To Do are currently available to English speakers in the US. + - In the coming months, with regular app updates through the Microsoft Store, we’ll enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users. +- Security: tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tightened access, some consumer skills including music, connected home, and third-party skills will no longer be available. Additionally, users [get cloud-based assistance services that meet Office 365’s enterprise-level privacy, security, and compliance promises](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide) as set out in the Online Services Terms. +- Move the Cortana window: drag the Cortana window to a more convenient location on your desktop. + +For updated information, see the [Microsoft 365 blog](https://aka.ms/CortanaUpdatesMay2020). + +### Windows Search + +Windows Search is improved in several ways. For more information, see [Supercharging Windows Search](https://aka.ms/AA8kllm). + +### Virtual Desktops + +You can now [rename your virtual desktops](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#renaming-your-virtual-desktops-build-18975), instead of getting stuck with the system-issued names like Desktop 1. + +### Bluetooth pairing + +Pairing Bluetooth devices with your computer will occur through notifications, so you won't need to go to the Settings app to finish pairing. Other improvements include faster pairing and device name display. For more information, see [Improving your Bluetooth pairing experience](https://docs.microsoft.com/windows-insider/at-home/Whats-new-wip-at-home-20h1#improving-your-bluetooth-pairing-experience-build-18985). + +### Reset this PC + +The 'reset this PC' recovery function now includes a [cloud download](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-reset-this-pc-option-cloud-download-build-18970) option. + +### Task Manager + +The following items are added to Task Manager in this release: +- GPU Temperature is available on the Performance tab for devices with a dedicated GPU card. +- Disk type is now [listed for each disk on the Performance tab](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#disk-type-visible-in-task-manager-performance-tab-build-18898). + +## Graphics & display + +### DirectX + +[New DirectX 12 features](https://devblogs.microsoft.com/directx/dev-preview-of-new-directx-12-features/) are available in this release. + +### 2-in-1 PCs + +A [new tablet experience](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for two-in-one convertible PCs is available. The screen will be optimized for touch when you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption. + +### Specialized displays + +With this update, devices running Windows 10 Enterprise or Windows 10 Pro for Workstations with multiple displays can be configured to prevent Windows from using a display, making it available for a specialized purpose. + +Examples include: +- Fixed-function arcade & gaming such as cockpit, driving, flight, and military simulators +- Medical imaging devices with custom panels, such as grayscale X-ray displays +- Video walls like those displayed in Microsoft Store +- Dedicated video monitoring +- Monitor panel testing and validation +- Independent Hardware Vendor (IHV) driver testing and validation + +To prevent Windows from using a display, choose Settings > Display and click Advanced display settings. Select a display to view or change, and then set the Remove display from desktop setting to On. The display will now be available for a specialized use. + +## Desktop Analytics + +[Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license. + +For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/whats-new). + +## See Also + +[What’s new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.
+[What’s new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.
+[What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
+[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
+[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
+[Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
+[What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses.
+[What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.
+[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
+[Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.