diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md index df9fb54db4..9c201ba4ac 100644 --- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -2,7 +2,7 @@ title: Block untrusted fonts in an enterprise (Windows 10) description: To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature. ms.assetid: a3354c8e-4208-4be6-bc19-56a572c361b4 -ms.reviewer: +ms.reviewer: manager: dansimp keywords: font blocking, untrusted font blocking, block fonts, untrusted fonts ms.prod: w10 @@ -19,9 +19,9 @@ ms.localizationpriority: medium **Applies to:** -- Windows 10 +- Windows 10 ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). +> Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). To help protect your company from attacks which may originate from untrusted or attacker-controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. @@ -36,22 +36,22 @@ There are 3 ways to use this feature: - **Audit.** Turns on event logging, but doesn’t block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log. > [!NOTE] - > If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues. + > If you aren't quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues. - **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts). ## Potential reductions in functionality After you turn this feature on, your employees might experience reduced functionality when: -- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn’t been specifically excluded. In this situation, any fonts that aren’t already available in the server’s %windir%/Fonts folder won’t be used. +- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn’t been specifically excluded. In this situation, any fonts that aren’t already available in the server’s %windir%/Fonts folder won’t be used. -- Printing using fonts provided by the installed printer’s graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](https://go.microsoft.com/fwlink/p/?LinkId=522302). +- Printing using fonts provided by the installed printer’s graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](https://go.microsoft.com/fwlink/p/?LinkId=522302). -- Using first or third-party apps that use memory-based fonts. +- Using first or third-party apps that use memory-based fonts. -- Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently. +- Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently. -- Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office. +- Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office. ## Turn on and use the Blocking Untrusted Fonts feature Use Group Policy or the registry to turn this feature on, off, or to use audit mode. @@ -61,7 +61,7 @@ Use Group Policy or the registry to turn this feature on, off, or to use audit m 2. Click **Enabled** to turn the feature on, and then click one of the following **Mitigation Options**: - - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log. + - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log. - **Do not block untrusted fonts.** Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log. @@ -76,9 +76,9 @@ To turn this feature on, off, or to use audit mode: 2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**. -3. Right click on the **MitigationOptions** key, and then click **Modify**. +3. Right click on the **MitigationOptions** key, and then click **Modify**. - The **Edit QWORD (64-bit) Value** box opens. + The **Edit QWORD (64-bit) Value** box opens. 4. Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below: @@ -88,8 +88,8 @@ To turn this feature on, off, or to use audit mode: - **To audit with this feature.** Type **3000000000000**. - >[!Important] - >Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*. + > [!Important] + > Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*. 5. Restart your computer. @@ -107,27 +107,27 @@ After you turn this feature on, or start using Audit mode, you can look at your FontType: Memory
FontPath:
Blocked: true - - >[!NOTE] - >Because the **FontType** is *Memory*, there’s no associated **FontPath**. + + > [!NOTE] + > Because the **FontType** is *Memory*, there’s no associated **FontPath**. **Event Example 2 - Winlogon**
Winlogon.exe attempted loading a font that is restricted by font-loading policy.
FontType: File
FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
Blocked: true - - >[!NOTE] - >Because the **FontType** is *File*, there’s also an associated **FontPath**. + + > [!NOTE] + > Because the **FontType** is *File*, there’s also an associated **FontPath**. **Event Example 3 - Internet Explorer running in Audit mode**
Iexplore.exe attempted loading a font that is restricted by font-loading policy.
FontType: Memory
FontPath:
Blocked: false - - >[!NOTE] - >In Audit mode, the problem is recorded, but the font isn’t blocked. + + > [!NOTE] + > In Audit mode, the problem is recorded, but the font isn’t blocked. ## Fix apps having problems because of blocked fonts Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems. @@ -136,7 +136,7 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa **To fix your apps by installing the problematic fonts (recommended)** -- On each computer with the app installed, right-click on the font name and click **Install**.

The font should automatically install into your `%windir%/Fonts` directory. If it doesn’t, you’ll need to manually copy the font files into the **Fonts** directory and run the installation from there. +- On each computer with the app installed, right-click on the font name and click **Install**.

The font should automatically install into your `%windir%/Fonts` directory. If it doesn’t, you’ll need to manually copy the font files into the **Fonts** directory and run the installation from there. **To fix your apps by excluding processes** @@ -144,13 +144,7 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa 2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature), earlier in this article. - + ## Related content -- [Dropping the “Untrusted Font Blocking” setting](https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting/) - - - - - - +- [Dropping the “Untrusted Font Blocking” setting](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/dropping-the-quot-untrusted-font-blocking-quot-setting/ba-p/701068/) diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-actions.png b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-actions.png new file mode 100644 index 0000000000..46a71a3ab6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-actions.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-policy.png new file mode 100644 index 0000000000..efd5173cfb Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-policy.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-settings.png b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-settings.png new file mode 100644 index 0000000000..a09b5f9a3a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-settings.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md index feab52dd1a..6948f7a392 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md @@ -43,7 +43,7 @@ It's important to understand the following requirements prior to creating indica - The Antimalware client version must be 4.18.1901.x or later. - Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019. - The virus and threat protection definitions must be up-to-date. -- This feature currently supports entering .CER or .PEM file extensions. +- This feature currently supports entering .CER or .PEM (Base64 ASCII) encoding based certificates. >[!IMPORTANT] > - A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities'). diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md index ad2a51ab8f..68c6dfd43f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md @@ -27,6 +27,42 @@ ms.topic: conceptual > [!NOTE] > Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. +> [!IMPORTANT] +> **PUBLIC PREVIEW EDITION** +> +> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability. +> +> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments. + + +## Configure compliance policy against jailbroken devices + +To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you setup the following compliance policy on Intune. + +> [!NOTE] +> Currently Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. Some data like your corporate email id and corporate profile picture (if available) will be exposed to the attacker on the jailbroken device. + +Follow the steps below to create a compliance policy against jailbroken devices. + +1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> click on **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**. + + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center](images/ios-jb-policy.png) + +1. Specify a name of the policy, example "Compliance Policy for Jailbreak". +1. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field. + + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center](images/ios-jb-settings.png) + +1. In the *Action for noncompliance* section, select the actions as per your requirements and click **Next**. + + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center](images/ios-jb-actions.png) + +1. In the *Assignments* section, select the user groups that you want to include for this policy and then click **Next**. +1. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. + ## Configure custom indicators Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. Refer to [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) on how to configure custom indicators. @@ -37,4 +73,3 @@ Defender for Endpoint for iOS enables admins to configure custom indicators on i ## Web Protection By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. - diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index 87c1b96104..cb1c7d7be7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md @@ -1,6 +1,6 @@ --- title: Intune-based deployment for Microsoft Defender ATP for Mac -description: Install Microsoft Defender ATP for Mac, using Microsoft Intune. +description: Install Microsoft Defender for Endpoint for Mac, using Microsoft Intune. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -42,7 +42,7 @@ This topic describes how to deploy Microsoft Defender for Endpoint for Mac throu ## Prerequisites and system requirements -Before you get started, see [the main MIcrosoft Defender for EndpointP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, see [the main Microsoft Defender for Endpoint for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. ## Overview diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md index f36e72d95c..53f1a5d9d1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md @@ -18,7 +18,7 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate ms.topic: article -ms.date: 09/24/2020 +ms.date: 11/30/2020 ms.custom: migrationguides ms.reviewer: depicker, yongrhee, chriggs --- @@ -68,6 +68,12 @@ Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
+> [!NOTE] +> When using the DISM command within a task sequence running PS, the following path to cmd.exe is required. +> Example:
+> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
+> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
+ 3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
`Get-Service -Name windefend` diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index 56d43dafc5..0c20744eee 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -67,12 +67,12 @@ When submitting Microsoft Defender SmartScreen products, make sure to select **M ## Viewing Microsoft Defender SmartScreen anti-phishing events > [!NOTE] -> No Smartscreen events will be logged when using Microsoft Edge version 77 or later. +> No SmartScreen events will be logged when using Microsoft Edge version 77 or later. -When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx). +When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](https://docs.microsoft.com/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565657(v=vs.85)). ## Viewing Windows event logs for Microsoft Defender SmartScreen -Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug login Event Viewer. +Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log, in the Event Viewer. Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it: diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index 54140d60f7..d9e0d8d50b 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -30,7 +30,7 @@ The **Passwords must meet complexity requirements** policy setting determines wh 1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case sensitive. The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is fewer than three characters long, this check is skipped. - The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Havens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "grin" or "hagens" as a substring anywhere in the password. + The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Havens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "havens" as a substring anywhere in the password. 2. The password contains characters from three of the following categories: