deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 22:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #3459 from MicrosoftDocs/martyav-disableantispyware-update

Browse Source 
disableantispyware update
This commit is contained in:
Tina Burden
2020-08-07 10:50:53 -07:00
committed by GitHub
parent 0f53288a50 a7ed875ec2
commit 9775868d58
2 changed files with 44 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
View File

@ -9,7 +9,6 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
@ -28,6 +27,7 @@ ms.custom: nextgen
During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring.
With tamper protection, malicious apps are prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
@ -38,6 +38,7 @@ With tamper protection, malicious apps are prevented from taking actions such as
### How it works
Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as:
- Configuring settings in Registry Editor on your Windows machine
- Changing settings through PowerShell cmdlets
- Editing or removing security settings through group policies
@ -174,21 +175,21 @@ If you are an organization using [Microsoft Defender ATP E5](https://www.microso
Your regular group policy doesnt apply to tamper protection, and changes to Microsoft Defender Antivirus settings are ignored when tamper protection is on.
>[!NOTE]
>A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Microsoft Defender Antivirus features protected by tamper protection. To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Microsoft Defender Antivirus settings. <br><br>
> Sample Microsoft Defender Antivirus settings:<br>
> Turn off Microsoft Defender Antivirus <br>
> Computer Configuration\Administrative Templates\Windows Components\Windows Defender\
Value DisableAntiSpyware = 0 <br><br>
>Turn off real-time protection<br>
Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\
Value DisableRealtimeMonitoring = 0
> [!NOTE]
> A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Microsoft Defender Antivirus features protected by tamper protection.
To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Microsoft Defender Antivirus settings.
Some sample Microsoft Defender Antivirus settings:
- *Turn off real-time protection* <br />
Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\\<br />
Value `DisableRealtimeMonitoring` = 0
### For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization only?
Configuring tamper protection in Intune can be targeted to your entire organization as well as to specific devices and user groups.
### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager?
Currently we do not have support to manage Tamper Protection through Microsoft Endpoint Configuration Manager.

58
windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
View File

@ -28,12 +28,10 @@ ms.topic: troubleshooting
You might need to troubleshoot the Microsoft Defender ATP onboarding process if you encounter issues.
This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the devices.
## Troubleshoot issues with onboarding tools
If you have completed the onboarding process and don't see devices in the [Devices list](investigate-machines.md) after an hour, it might indicate an onboarding or connectivity problem.
### Troubleshoot onboarding when deploying with Group Policy
Deployment with Group Policy is done by running the onboarding script on the devices. The Group Policy console does not indicate if the deployment has succeeded or not.
@ -42,7 +40,6 @@ If you have completed the onboarding process and don't see devices in the [Devic
If the script completes successfully, see [Troubleshoot onboarding issues on the devices](#troubleshoot-onboarding-issues-on-the-device) for additional errors that might occur.
### Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager
When onboarding devices using the following versions of Configuration Manager:
@ -57,10 +54,10 @@ If the deployment fails, you can check the output of the script on the devices.
If the onboarding completed successfully but the devices are not showing up in the **Devices list** after an hour, see [Troubleshoot onboarding issues on the device](#troubleshoot-onboarding-issues-on-the-device) for additional errors that might occur.
### Troubleshoot onboarding when deploying with a script
**Check the result of the script on the device:**
1. Click **Start**, type **Event Viewer**, and press **Enter**.
2. Go to **Windows Logs** > **Application**.
@ -68,6 +65,7 @@ If the onboarding completed successfully but the devices are not showing up in t
3. Look for an event from **WDATPOnboarding** event source.
If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue.
> [!NOTE]
> The following event IDs are specific to the onboarding script only.
@ -82,7 +80,6 @@ Event ID | Error Type | Resolution steps
`40` | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
`65` | Insufficient privileges| Run the script again with administrator privileges.
### Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
@ -97,7 +94,7 @@ Use the following tables to understand the possible causes of issues while onboa
If none of the event logs and troubleshooting steps work, download the Local script from the **Device management** section of the portal, and run it in an elevated command prompt.
**Microsoft Intune error codes and OMA-URIs**:
#### Microsoft Intune error codes and OMA-URIs
Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
:---:|:---|:---|:---|:---
@ -107,8 +104,7 @@ Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause a
| | | | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently supported platforms:<br> Enterprise, Education, and Professional.<br> Server is not supported.
0x87D101A9 | -2016345687 |SyncML(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.<br><br> Currently supported platforms:<br> Enterprise, Education, and Professional.
**Known issues with non-compliance**
#### Known issues with non-compliance
The following table provides information on issues with non-compliance and how you can address the issues.
@ -118,8 +114,7 @@ Case | Symptoms | Possible cause and troubleshooting steps
`2` | Device is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the device as non-compliant by SenseIsRunning when DM session occurs on system start. <br><br> **Troubleshooting steps:** The issue should automatically be fixed within 24 hours.
`3` | Device is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same device at same time.
**Mobile Device Management (MDM) event logs**
#### Mobile Device Management (MDM) event logs
View the MDM event logs to troubleshoot issues that might arise during onboarding:
@ -131,17 +126,16 @@ ID | Severity | Event description | Troubleshooting steps
:---|:---|:---|:---
1819 | Error | Microsoft Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).
## Troubleshoot onboarding issues on the device
If the deployment tools used does not indicate an error in the onboarding process, but devices are still not appearing in the devices list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender ATP agent:
If the deployment tools used does not indicate an error in the onboarding process, but devices are still not appearing in the devices list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender ATP agent.
- [View agent onboarding errors in the device event log](#view-agent-onboarding-errors-in-the-device-event-log)
- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled)
- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
- [Ensure the device has an Internet connection](#ensure-the-device-has-an-internet-connection)
- [Ensure that Microsoft Defender Antivirus is not disabled by a policy](#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)
### View agent onboarding errors in the device event log
1. Click **Start**, type **Event Viewer**, and press **Enter**.
@ -176,24 +170,23 @@ Event ID | Message | Resolution steps
`30` | Failed to disable $(build.sense.productDisplayName) mode in Microsoft Defender Advanced Threat Protection. Failure code: %1 | Contact support.
`32` | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the device.
`55` | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the device.
`63` | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type.
`63` | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type.
`64` | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing.
`68` | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type.
`69` | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists.
`69` | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists.
<br />
<br>
There are additional components on the device that the Microsoft Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
<span id="ensure-the-diagnostics-service-is-enabled" />
### Ensure the diagnostic data service is enabled
If the devices aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the device. The service might have been disabled by other programs or user configuration changes.
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
### Ensure the service is set to start
**Use the command line to check the Windows 10 diagnostic data service startup type**:
@ -216,7 +209,6 @@ First, you should check that the service is set to start automatically when Wind
If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.
**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
1. Open an elevated command-line prompt on the device:
@ -255,14 +247,18 @@ To ensure that sensor has service connectivity, follow the steps described in th
If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) topic.
### Ensure that Microsoft Defender Antivirus is not disabled by a policy
> [!IMPORTANT]
> The following only applies to devices that have **not** yet received the August 2020 (version 4.18.2007.8) update to Microsoft Defender Antivirus.
>
> The update ensures that Microsoft Defender Antivirus cannot be turned off on client devices via system policy.
**Problem**: The Microsoft Defender ATP service does not start after onboarding.
**Symptom**: Onboarding successfully completes, but you see error 577 or error 1058 when trying to start the service.
**Solution**: If your devices are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
**Solution**: If your devices are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not turned off by a system policy.
- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:
@ -273,19 +269,21 @@ If the verification fails and your environment is using a proxy to connect to th
- `<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>`
- `<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiVirus"/></Key>`
> [!IMPORTANT]
> The `disableAntiSpyware` setting is discontinued and will be ignored on all client devices, as of the August 2020 (version 4.18.2007.8) update to Microsoft Defender Antivirus.
- After clearing the policy, run the onboarding steps again.
- You can also check the following registry key values to verify that the policy is disabled:
1. Open the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
2. Ensure that the value `DisableAntiSpyware` is not present.
- You can also check the previous registry key values to verify that the policy is disabled, by opening the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
![Image of registry key for Microsoft Defender Antivirus](images/atp-disableantispyware-regkey.png)
> [!NOTE]
> In addition, you must ensure that wdfilter.sys and wdboot.sys are set to their default start values of "0".
> - `<Key Path="SYSTEM\CurrentControlSet\Services\WdBoot"><KeyValue Value="0" ValueKind="DWord" Name="Start"/></Key>`
> - `<Key Path="SYSTEM\CurrentControlSet\Services\WdFilter"><KeyValue Value="0" ValueKind="DWord" Name="Start"/></Key>`
>
> - `<Key Path="SYSTEM\CurrentControlSet\Services\WdBoot"><KeyValue Value="0" ValueKind="DWord" Name="Start"/></Key>`
> - `<Key Path="SYSTEM\CurrentControlSet\Services\WdFilter"><KeyValue Value="0" ValueKind="DWord" Name="Start"/></Key>`
## Troubleshoot onboarding issues on a server
@ -295,6 +293,7 @@ If you encounter issues while onboarding a server, go through the following veri
- [Ensure that the server proxy and Internet connectivity settings are configured properly](configure-server-endpoints.md#server-proxy)
You might also need to check the following:
- Check that there is a Microsoft Defender Advanced Threat Protection Service running in the **Processes** tab in **Task Manager**. For example:
![Image of process view with Microsoft Defender Advanced Threat Protection Service running](images/atp-task-manager.png)
@ -311,12 +310,12 @@ You might also need to check the following:
- Check to see that devices are reflected in the **Devices list** in the portal.
## Confirming onboarding of newly built devices
There may be instances when onboarding is deployed on a newly built device but not completed.
The steps below provide guidance for the following scenario:
- Onboarding package is deployed to newly built devices
- Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed
- Device is turned off or restarted before the end user performs a first logon
@ -325,7 +324,6 @@ The steps below provide guidance for the following scenario:
> [!NOTE]
> The following steps are only relevant when using Microsoft Endpoint Configuration Manager. For more details about onboarding using Microsoft Endpoint Configuration Manager, see [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection).
1. Create an application in Microsoft Endpoint Configuration Manager.
![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-1.png)
@ -444,8 +442,8 @@ The steps below provide guidance for the following scenario:
![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-30.png)
## Related topics
- [Troubleshoot Microsoft Defender ATP](troubleshoot-mdatp.md)
- [Onboard devices](onboard-configure.md)
- [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md)