diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index 1a7df44a44..10317bd4e4 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -7,7 +7,7 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 06/01/2018 +ms.date: 07/12/2018 ms.localizationpriority: medium --- @@ -15,6 +15,12 @@ ms.localizationpriority: medium This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). +## July 2018 + +New or changed topic | Description +--- | --- +[Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | Added information and links for new Microsoft Whiteboard app release. + ## June 2018 New or changed topic | Description diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md index 08346d20b4..10f086f358 100644 --- a/devices/surface-hub/whiteboard-collaboration.md +++ b/devices/surface-hub/whiteboard-collaboration.md @@ -6,13 +6,16 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 10/20/2017 +ms.date: 07/12/2018 ms.localizationpriority: medium --- # Set up and use Whiteboard to Whiteboard collaboration (Surface Hub) -Microsoft Whiteboard’s latest update (17.8302.5275X or greater) includes the capability for two Surface Hubs to collaborate in real time on the same board. +The Microsoft Whiteboard app includes the capability for two Surface Hubs to collaborate in real time on the same board. + +>[!IMPORTANT] +>A new Microsoft Whiteboard app was released on July 12, 2018. The existing Whiteboard app that comes installed on Surface Hub and is pinned to the Welcome screen cannot collaborate with the new version that can be installed on the PC. If people in your organization install the new Whiteboard on their PCs, you must install the new Whiteboard on Surface Hub to enable collaboration. To learn more about installing the new Whiteboard on your Surface Hub, see [Whiteboard on Surface Hub opt-in](https://go.microsoft.com/fwlink/p/?LinkId=2004277). By ensuring that your organization meets the prerequisites, users can then ink, collaborate, and ideate together. diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md index 7b603f1d3f..195791d851 100644 --- a/mdop/mbam-v25/mbam-25-supported-configurations.md +++ b/mdop/mbam-v25/mbam-25-supported-configurations.md @@ -335,6 +335,11 @@ You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** coll + +

Microsoft SQL Server 2017

+

Standard, Enterprise, or Datacenter

+

+

64-bit

Microsoft SQL Server 2016

Standard, Enterprise, or Datacenter

diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md index d7484344ae..f9d2591ffe 100644 --- a/store-for-business/release-history-microsoft-store-business-education.md +++ b/store-for-business/release-history-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 5/31/2018 +ms.date: 6/28/2018 --- # Microsoft Store for Business and Education release history @@ -17,6 +17,9 @@ Microsoft Store for Business and Education regularly releases new and improved f Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) +## May 2018 +- **Immersive Reader app available in Microsoft Store for Education** - This app is a free tool that uses proven techniques to improve reading and writing for people regardless of their age or ability. You can add the app to your private store, so students can easily install and use it. + ## April 2018 - **Assign apps to larger groups** - We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We’ll figure out who’s in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we’ll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses. - **Change collection order in private store** - Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections. diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index e2988a84c9..ecb95fbfa9 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 5/31/2018 +ms.date: 6/28/2018 --- # What's new in Microsoft Store for Business and Education @@ -17,19 +17,15 @@ Microsoft Store for Business and Education regularly releases new and improved f ## Latest updates for Store for Business and Education -**May 2018** +**June 2018** | | | |--------------------------------------|---------------------------------| -| ![performance icon](images/edu-icon.png) |**Immersive Reader app in Microsoft Store for Education**

Microsoft Immersive Reader is now available for education organizations using Microsoft Store for Education. This app is a free tool that uses proven techniques to improve reading and writing for people regardless of their age or ability. You can add the app to your private store, so students can easily install and use it. Check out and download [Immersive Reader](https://educationstore.microsoft.com/en-us/store/details/immersive-reader/9PJZQZ821DQ2).

**Applies to**:
Microsoft Store for Education | - - - + + +
@@ -2531,6 +2532,34 @@ Footnotes: + +[WiredNetwork CSP](wirednetwork-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5check mark5check mark5
+ + + + [w7 APPLICATION CSP](w7-application-csp.md) @@ -2568,6 +2597,7 @@ Footnotes: - 2 - Added in Windows 10, version 1703 - 3 - Added in Windows 10, version 1709 - 4 - Added in Windows 10, version 1803 +- 5 - Added in Windows 10, next major version ## CSP DDF files download @@ -2614,6 +2644,7 @@ The following list shows the configuration service providers supported in Window - 2 - Added in Windows 10, version 1703 - 3 - Added in Windows 10, version 1709 - 4 - Added in Windows 10, version 1803 +- 5 - Added in Windows 10, next major version ## CSPs supported in Microsoft Surface Hub diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 4537f2c630..27dd7bead4 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -7,11 +7,14 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/25/2017 +ms.date: 07/11/2018 --- # DevDetail CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. These device parameters are not sent from the client to the server automatically, but can be queried by servers using OMA DM commands. > [!NOTE] @@ -140,7 +143,12 @@ The following diagram shows the DevDetail configuration service provider managem **Ext/Microsoft/TotalRAM**

Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory). -

Supported operation is Get. +Supported operation is Get. + +**Ext/Microsoft/SMBIOSSerialNumber** +Added in Windows 10, next major version. SMBIOS Serial Number of the device. + +Value type is string. Supported operation is Get. **Ext/WLANMACAddress**

The MAC address of the active WLAN connection, as a 12-digit hexadecimal number. diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index 7a3c0a14cc..737bb65143 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -7,16 +7,19 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 12/05/2017 +ms.date: 07/11/2018 --- # DevDetail DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **DevDetail** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, next major version. ``` syntax @@ -42,7 +45,7 @@ The XML below is the current version for this CSP. - urn:oma:mo:oma-dm-devdetail:1.1 + urn:oma:mo:oma-dm-devdetail:1.2 @@ -525,6 +528,27 @@ The XML below is the current version for this CSP. + + SMBIOSSerialNumber + + + + + SMBIOS Serial Number of the device. + + + + + + + + + + + text/plain + + + WLANMACAddress @@ -676,19 +700,4 @@ The XML below is the current version for this CSP. -``` - -## Related topics - - -[DevDetail configuration service provider](devdetail-csp.md) - -  - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png index 3145a82ea4..f5cf62ff0f 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png and b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-wifi.png b/windows/client-management/mdm/images/provisioning-csp-wifi.png index 463a784f95..f5891084ea 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-wifi.png and b/windows/client-management/mdm/images/provisioning-csp-wifi.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-wirednetwork.png b/windows/client-management/mdm/images/provisioning-csp-wirednetwork.png new file mode 100644 index 0000000000..2fd93631ff Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-wirednetwork.png differ diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 83d93b958d..ad1d5979b7 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1623,6 +1623,33 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### July 2018 + + ++++ + + + + + + + + + + + +
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies in Windows 10, next major version:

+
    +
  • ApplicationManagement/LaunchAppAfterLogOn
    • +
  • ApplicationManagement/ScheduleForceRestartForUpdateFailures
    • +
  • TaskManager/AllowEndTask
    • +
  • WindowsLogon/DontDisplayNetworkSelectionUI
    • +
+
+ ### June 2018 @@ -1638,6 +1665,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware + + + + + +
[Wifi CSP](wifi-csp.md)

Added a new node WifiCost.

+
[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)

Recent changes:

    @@ -1659,6 +1690,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • Start/ImportEdgeAssets - added a table of SKU support information.
[WiredNetwork CSP](wirednetwork-csp.md)New CSP added in Windows 10, next major version. +
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index c37bf5cc29..54c9ef180b 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -389,6 +389,29 @@ The following diagram shows the Policy configuration service provider in tree fo +### BITS policies + +

+
+ BITS/BandwidthThrottlingEndTime +
+
+ BITS/BandwidthThrottlingStartTime +
+
+ BITS/BandwidthThrottlingTransferRate +
+
+ BITS/CostedNetworkBehaviorBackgroundPriority +
+
+ BITS/CostedNetworkBehaviorForegroundPriority +
+
+ BITS/JobInactivityTimeout +
+
+ ### Bluetooth policies
@@ -3044,6 +3067,14 @@ The following diagram shows the Policy configuration service provider in tree fo
+### TaskManager policies + +
+
+ TaskManager/AllowEndTask +
+
+ ### TaskScheduler policies
@@ -3983,6 +4014,12 @@ The following diagram shows the Policy configuration service provider in tree fo - [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices) - [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior) - [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay) +- [BITS/BandwidthThrottlingEndTime](./policy-csp-bits.md#bits-bandwidththrottlingendtime) +- [BITS/BandwidthThrottlingStartTime](./policy-csp-bits.md#bits-bandwidththrottlingstarttime) +- [BITS/BandwidthThrottlingTransferRate](./policy-csp-bits.md#bits-bandwidththrottlingtransferrate) +- [BITS/CostedNetworkBehaviorBackgroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorbackgroundpriority) +- [BITS/CostedNetworkBehaviorForegroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorforegroundpriority) +- [BITS/JobInactivityTimeout](./policy-csp-bits.md#bits-jobinactivitytimeout) - [Browser/AllowAddressBarDropdown](./policy-csp-browser.md#browser-allowaddressbardropdown) - [Browser/AllowAutofill](./policy-csp-browser.md#browser-allowautofill) - [Browser/AllowCookies](./policy-csp-browser.md#browser-allowcookies) diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 39546190c2..39cb905194 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/03/2018 +ms.date: 07/11/2018 --- # Policy CSP - ApplicationManagement @@ -590,6 +590,17 @@ The following list shows the supported values: List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are launched after logon. This policy allows the IT admin to specify a list of applications that users can run after logging on to the device. +For this policy to work, the Windows apps need to declare in their manifest that they will use the start up task. Example of the declaration here: + +``` syntax + + + +``` + +> [!Note] +> This policy only works on modern apps. + diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md new file mode 100644 index 0000000000..c9fdf5ff82 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -0,0 +1,504 @@ +--- +title: Policy CSP - BITS +description: Policy CSP - BITS +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 06/29/2018 +--- + +# Policy CSP - BITS + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The following bandwidth policies are used together to define the bandwidth-throttling schedule and transfer rate. + +- BITS/BandwidthThrottlingEndTime +- BITS/BandwidthThrottlingStartTime +- BITS/BandwidthThrottlingTransferRate + +If BITS/BandwidthThrottlingStartTime or BITS/BandwidthThrottlingEndTime are NOT defined, but BITS/BandwidthThrottlingTransferRate IS defined, then default values will be used for StartTime and EndTime (8am and 5pm respectively). The time policies are based on the 24-hour clock. + +
+ + +## BITS policies + +
+
+ BITS/BandwidthThrottlingEndTime +
+
+ BITS/BandwidthThrottlingStartTime +
+
+ BITS/BandwidthThrottlingTransferRate +
+
+ BITS/CostedNetworkBehaviorBackgroundPriority +
+
+ BITS/CostedNetworkBehaviorForegroundPriority +
+
+ BITS/JobInactivityTimeout +
+
+ + +
+ + +**BITS/BandwidthThrottlingEndTime** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark5check mark5cross markcheck mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy specifies the bandwidth throttling **end time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. + +Value type is integer. Default value is 17 (5 pm). + +Supported value range: 0 - 23 + +You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. + +Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. + +If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. + +Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. + +Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). + + + +ADMX Info: +- GP English name: *Limit the maximum network bandwidth for BITS background transfers* +- GP name: *BITS_MaxBandwidth* +- GP element: *BITS_BandwidthLimitSchedTo* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + + + + + + + + + + +
+ + +**BITS/BandwidthThrottlingStartTime** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark5check mark5cross markcheck mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy specifies the bandwidth throttling **start time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. + +Value type is integer. Default value is 8 (8 am). + +Supported value range: 0 - 23 + +You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. + +Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. + +If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. + +Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. + +Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). + + + +ADMX Info: +- GP English name: *Limit the maximum network bandwidth for BITS background transfers* +- GP name: *BITS_MaxBandwidth* +- GP element: *BITS_BandwidthLimitSchedFrom* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + + + + + + + + + + +
+ + +**BITS/BandwidthThrottlingTransferRate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark5check mark5cross markcheck mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy specifies the bandwidth throttling **transfer rate** in kilobits per second (Kbps) that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. + +Value type is integer. Default value is 1000. + +Supported value range: 0 - 4294967200 + +You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. + +Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. + +If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. + +Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. + +Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). + + + +ADMX Info: +- GP English name: *Limit the maximum network bandwidth for BITS background transfers* +- GP name: *BITS_MaxBandwidth* +- GP element: *BITS_MaxTransferRateText* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + + + + + + + + + + +
+ + +**BITS/CostedNetworkBehaviorBackgroundPriority** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark5check mark5cross markcheck mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of background transfers. + +If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. + +For example, you can specify that background jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are: +- 1 - Always transfer +- 2 - Transfer unless roaming +- 3 - Transfer unless surcharge applies (when not roaming or overcap) +- 4 - Transfer unless nearing limit (when not roaming or nearing cap) +- 5 - Transfer only if unconstrained + + + +ADMX Info: +- GP English name: *Set default download behavior for BITS jobs on costed networks* +- GP name: *BITS_SetTransferPolicyOnCostedNetwork* +- GP element: *BITS_TransferPolicyNormalPriorityValue* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + + + + + + + + + + +
+ + +**BITS/CostedNetworkBehaviorForegroundPriority** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark5check mark5cross markcheck mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting defines the default behavior that the foreground Intelligent Transfer Service (BITS) uses for foreground transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of foreground transfers. + +If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. + +For example, you can specify that foreground jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are: +- 1 - Always transfer +- 2 - Transfer unless roaming +- 3 - Transfer unless surcharge applies (when not roaming or overcap) +- 4 - Transfer unless nearing limit (when not roaming or nearing cap) +- 5 - Transfer only if unconstrained + + + +ADMX Info: +- GP English name: *Set default download behavior for BITS jobs on costed networks* +- GP name: *BITS_SetTransferPolicyOnCostedNetwork* +- GP element: *BITS_TransferPolicyForegroundPriorityValue* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + + + + + + + + + + +
+ + +**BITS/JobInactivityTimeout** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark5check mark5cross markcheck mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk. + +> [!Note] +> Any property changes to the job or any successful download action will reset this timeout. + +Value type is integer. Default is 90 days. + +Supported values range: 0 - 999 + +Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs. +Consider decreasing this value if you are concerned about orphaned jobs occupying disk space. + +If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout. + + + +ADMX Info: +- GP English name: *Timeout for inactive BITS jobs* +- GP name: *BITS_Job_Timeout* +- GP element: *BITS_Job_Timeout_Time* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +Value type is integer. Default is 90 days. + +Supported values range: 0 - 999 + + + + + + + + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md new file mode 100644 index 0000000000..7001fe088f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -0,0 +1,99 @@ +--- +title: Policy CSP - TaskManager +description: Policy CSP - TaskManager +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 07/05/2018 +--- + +# Policy CSP - TaskManager + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ + +## TaskManager policies + +
+
+ TaskManager/AllowEndTask +
+
+ + +
+ + +**TaskManager/AllowEndTask** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5cross markcheck mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This setting determines whether non-administrators can use Task Manager to end tasks. + +Value type is integer. Supported values: + - 0 - Disabled. EndTask functionality is blocked in TaskManager. + - 1 - Enabled (default). Users can perform EndTask in TaskManager. + + + + + + + + + +**Validation procedure:** +When this policy is set to 1 - users CAN execute 'End task' on processes in TaskManager +When the policy is set to 0 - users CANNOT execute 'End task' on processes in TaskManager + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index fe63238f62..07a7954820 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/12/2018 --- # Policy CSP - WindowsLogon @@ -143,6 +143,31 @@ If you enable this policy setting, the PC's network connectivity state cannot be If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. +Here is an example to enable this policy: + +``` syntax + + + + 300 + + 301 + + + ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI + + + chr + + ]]> + + + + + + +``` + > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index d4fff403d1..5404820349 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -232,6 +232,24 @@ Specifies the name of the H-SLP root certificate as a string, in the format *nam **RootCertificate3/Data** The base 64 encoded blob of the H-SLP root certificate. +**RootCertificate4/Name** +Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +**RootCertificate4/Data** +The base 64 encoded blob of the H-SLP root certificate. + +**RootCertificate5/Name** +Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +**RootCertificate5/Data** +The base 64 encoded blob of the H-SLP root certificate. + +**RootCertificate6/Name** +Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +**RootCertificate6/Data** +The base 64 encoded blob of the H-SLP root certificate. + **V2UPL1** Required for V2 UPL for CDMA. Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time. diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 6e43514e39..f1d6952717 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 04/16/2018 +ms.date: 06/28/2018 --- # WiFi CSP @@ -59,8 +59,6 @@ If it exists in the blob, the **keyType** and **protected** elements must come b > **Note**  If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](http://go.microsoft.com/fwlink/p/?LinkId=618963). -  - The supported operations are Add, Get, Delete, and Replace. **Proxy** @@ -96,6 +94,17 @@ Added in Windows 10, version 1607. Optional. When set to true it enables Web Pr Value type is bool. +**WiFiCost** +Added in Windows 10, next major version. Optional. This policy sets the cost of WLAN connection for the Wi-Fi profile. Default behaviour: Unrestricted. + +Supported values: + +- 1 - Unrestricted - unlimited connection +- 2 - Fixed - capacity constraints up to a certain data limit +- 3 - Variable - paid on per byte basic + +Supported operations are Add, Get, Replace and Delete. Value type is integer. + ## Examples diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index b5bcd3d75e..e8bbb6795d 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/26/2017 +ms.date: 06/28/2018 --- # WiFi DDF file @@ -15,7 +15,190 @@ ms.date: 06/26/2017 This topic shows the OMA DM device description framework (DDF) for the **WiFi** configuration service provider. DDF files are used only with OMA DM provisioning XML. -Content under development and will be published soon. +The XML below is for Windows 10, next major version. + +``` syntax + + +]> + + 1.2 + + WiFi + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.1/MDM/WiFi + + + + Profile + + + + + + + + + + + + + + + + + + + + + + + + + + + The Profile name of the Wi-Fi network. This is added when WlanXML node is added and deleted when Wlanxml is deleted. + + + + + + + + + + SSID + + + + + + WlanXml + + + + + + + + + XML describing the network configuration and follows Windows WLAN_profile schema. + Link to schema: http://msdn.microsoft.com/en-us/library/windows/desktop/ms707341(v=vs.85).aspx + + + + + + + + + + + + text/plain + + + + + Proxy + + + + + + + + Optional node. The format is url:port. Configuration of the network proxy (if any). + + + + + + + + + + + + + + text/plain + + + + + ProxyPacUrl + + + + + + + + Optional node. URL to the PAC file location. + + + + + + + + + + + + + + text/plain + + + + + ProxyWPAD + + + + + + + + Optional node: The presence of the field enables WPAD for proxy lookup. + + + + + + + + + + + text/plain + + + + + + + +``` ## Related topics diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md new file mode 100644 index 0000000000..6a06c59879 --- /dev/null +++ b/windows/client-management/mdm/wirednetwork-csp.md @@ -0,0 +1,34 @@ +--- +title: WiredNetwork CSP +description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet. +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 06/27/2018 +--- + +# WiredNetwork CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet. This CSP was added in Windows 10, next major version. + +The following diagram shows the WiredNetwork configuration service provider in tree format. + +![WiredNetwork CSP diagram](images/provisioning-csp-wirednetwork.png) + +**./Device/Vendor/MSFT/WiredNetwork** +Root node. + +**LanXML** +Optional. XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx. + +Supported operations are Add, Get, Replace, and Delete. Value type is string. + +**EnableBlockPeriod** + Optional. Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. + +Supported operations are Add, Get, Replace, and Delete. Value type is integer. \ No newline at end of file diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md new file mode 100644 index 0000000000..0a156256a0 --- /dev/null +++ b/windows/client-management/mdm/wirednetwork-ddf-file.md @@ -0,0 +1,167 @@ +--- +title: WiredNetwork DDF file +description: This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider. +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 06/28/2018 +--- + +# WiredNetwork DDF file + + +This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider. This CSP was added in Windows 10, version 1511. + +Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + WiredNetwork + ./User/Vendor/MSFT + + + + + + + + + + + + + + + + + + + LanXML + + + + + + + + XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx + + + + + + + + + + + text/plain + + + + + EnableBlockPeriod + + + + + + + + Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. + + + + + + + + + + + text/plain + + + + + + WiredNetwork + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + + LanXML + + + + + + + + XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx + + + + + + + + + + + text/plain + + + + + EnableBlockPeriod + + + + + + + + Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. + + + + + + + + + + + text/plain + + + + + +``` \ No newline at end of file diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index fe57158272..0c6c72bea1 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -220,6 +220,10 @@ ### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md) #### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md) #### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md) +### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md) +#### [Deploy feature updates during maintenance windows](update/feature-update-maintenance-window.md) +#### [Deploy feature updates for user-initiated installations](update/feature-update-user-install.md) +#### [Conclusion](update/feature-update-conclusion.md) ### [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md) ### [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md) #### [Configure Windows Update for Business](update/waas-configure-wufb.md) diff --git a/windows/deployment/update/feature-update-conclusion.md b/windows/deployment/update/feature-update-conclusion.md new file mode 100644 index 0000000000..7ad33b4c1c --- /dev/null +++ b/windows/deployment/update/feature-update-conclusion.md @@ -0,0 +1,20 @@ +--- +title: Best practices for feature updates - conclusion +description: Final thoughts about how to deploy feature updates +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: lizap +ms.localizationpriority: medium +ms.author: elizapo +ms.date: 07/09/2018 +--- + +# Conclusion + +**Applies to**: Windows 10 + +Mission critical devices that need to be online 24x7 pose unique challenges for the IT Pro looking to stay current with the latest Windows 10 feature update. Because these devices are online continually, providing mission critical services, with only a small window of time available to apply feature updates, specific procedures are required to effectively keep these devices current, with as little downtime as possible. + +Whether you have defined servicing windows at your disposal where feature updates can be installed automatically, or you require user initiated installs by a technician, this whitepaper provides guidelines for either approach. Improvements are continually being made to Windows 10 setup to reduce device offline time for feature updates. This whitepaper will be updated as enhancements become available to improve the overall servicing approach and experience. + diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md new file mode 100644 index 0000000000..d49f678bcf --- /dev/null +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -0,0 +1,257 @@ +--- +title: Best practices - deploy feature updates during maintenance windows +description: Learn how to deploy feature updates during a maintenance window +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: mcureton +ms.localizationpriority: medium +ms.author: mikecure +ms.date: 07/09/2018 +--- + +# Deploy feature updates during maintenance windows + +**Applies to**: Windows 10 + +Use the following information to deploy feature updates during a maintenance window. + +## Get ready to deploy feature updates + +### Step 1: Configure maintenance windows + +1. In the Configuration Manager console, choose **Assets and Compliance> Device Collections**. +2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s). +3. On the **Home** tab, in the **Properties** group, choose **Properties**. +4. In the **Maintenance Windows** tab of the Properties dialog box, choose the New icon. +5. Complete the Schedule dialog. +6. Select from the Apply this schedule to drop-down list. +7. Choose **OK** and then close the **\ Properties** dialog box. + +### Step 2: Review computer restart device settings + +If you’re not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration. + +For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update. + +>[!NOTE] +> The following settings must be shorter in duration than the shortest maintenance window applied to the computer. +>- **Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes).** +>- **Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes).** + +### Step 3: Enable Peer Cache + +Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache. + +[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). + +### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later) + +If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. + +%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini + +``` +[SetupConfig] +Priority=Normal +``` + +You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. + +``` +#Parameters +Param( + [string] $PriorityValue = "Normal" + ) + +#Variable for ini file path +$iniFilePath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini" + +#Variables for SetupConfig +$iniSetupConfigSlogan = "[SetupConfig]" +$iniSetupConfigKeyValuePair =@{"Priority"=$PriorityValue;} + +#Init SetupConfig content +$iniSetupConfigContent = @" +$iniSetupConfigSlogan +"@ + +#Build SetupConfig content with settings +foreach ($k in $iniSetupConfigKeyValuePair.Keys) +{ + $val = $iniSetupConfigKeyValuePair[$k] + + $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val") +} + +#Write content to file +New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force + +Disclaimer +Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is +provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without +limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk +arising out of the use or performance of the sample script and documentation remains with you. In no event shall +Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable +for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, +loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script +or documentation, even if Microsoft has been advised of the possibility of such damages. +``` + +>[!NOTE] +>If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. + +## Manually deploy feature updates + +The following sections provide the steps to manually deploy a feature update. + +### Step 1: Specify search criteria for feature updates +There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. + +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. +3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: + - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. + - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English. + +4. Save the search for future use. + +### Step 2: Download the content for the feature update(s) +Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. + +1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. +2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download. + + The **Download Software Updates Wizard** opens. +3. On the **Deployment Package** page, configure the following settings: + **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: + - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. + - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. + - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. + + >[!NOTE] + >The deployment package source location that you specify cannot be used by another software deployment package. + + >[!IMPORTANT] + >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. + + >[!IMPORTANT] + >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. + + Click **Next**. +4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). + + >[!NOTE] + >The Distribution Points page is available only when you create a new software update deployment package. +5. On the **Distribution Settings** page, specify the following settings: + + - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. + - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). + - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: + - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. + - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. + - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. + + For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). + Click **Next**. +6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: + + - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. + - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. + + >[!NOTE] + >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. + + Click **Next**. +7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. +8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. +9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. + +#### To monitor content status +1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. +2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. +3. Select the feature update package that you previously identified to download the feature updates. +4. On the **Home** tab, in the Content group, click **View Status**. + +### Step 3: Deploy the feature update(s) +After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). + +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. +3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. + + The **Deploy Software Updates Wizard** opens. +4. On the General page, configure the following settings: + - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** + - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. + - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. + - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. + - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. +5. On the Deployment Settings page, configure the following settings: + + - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. + + >[!IMPORTANT] + > After you create the software update deployment, you cannot later change the type of deployment. + + >[!NOTE] + >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. + + - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. + + >[!WARNING] + >Before you can use this option, computers and networks must be configured for Wake On LAN. + + - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. +6. On the Scheduling page, configure the following settings: + + - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. + + >[!NOTE] + >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. + + - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: + - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. + - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. + + >[!NOTE] + >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. + + - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. + + >[!NOTE] + >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent). +7. On the User Experience page, configure the following settings: + - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. + - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). + - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. + + >[!IMPORTANT] + >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. + - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. + + >[!NOTE] + >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. + - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. +8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. + + >[!NOTE] + >You can review recent software updates alerts from the Software Updates node in the Software Library workspace. +9. On the Download Settings page, configure the following settings: + - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. + - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. + - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). + - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. + - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. + + >[!NOTE] + >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). +10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. +11. Click **Next** to deploy the feature update(s). + +### Step 4: Monitor the deployment status +After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status: + +1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. +2. Click the software update group or software update for which you want to monitor the deployment status. +3. On the **Home** tab, in the **Deployment** group, click **View Status**. diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md new file mode 100644 index 0000000000..5c1cc4673a --- /dev/null +++ b/windows/deployment/update/feature-update-mission-critical.md @@ -0,0 +1,39 @@ +--- +title: Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices +description: Learn how to deploy feature updates to your mission critical devices +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: mcureton +ms.localizationpriority: medium +ms.author: mikecure +ms.date: 07/10/2018 +--- + +# Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices + +**Applies to**: Windows 10 + +Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the System Center Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. + +For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates). + +Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods: + +- **Service during maintenance windows** – Devices that have established maintenance windows will need to have feature updates scheduled to fit within these windows. +- **Service only when manually initiated** – Devices that need physical verification of the availability to update will need to have updates manually initiated by a technician. + +You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: + +- **LTSC feature updates.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. +- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. +- **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs. + +If you need to leverage a task sequence to deploy feature updates, please see [Using a task sequence to deploy Windows 10 updates](waas-manage-updates-configuration-manager.md#use-a-task-sequence-to-deploy-windows-10-updates) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, please see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You may be able to leverage this functionality with the software updates deployment method. + +Use the following information: + + +- [Deploy feature updates during maintenance windows](feature-update-maintenance-window.md) +- [Deploy feature updates for user-initiated installations](feature-update-user-install.md) +- [Conclusion](feature-update-conclusion.md) \ No newline at end of file diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md new file mode 100644 index 0000000000..bcf74135cf --- /dev/null +++ b/windows/deployment/update/feature-update-user-install.md @@ -0,0 +1,235 @@ +--- +title: Best practices - deploy feature updates for user-initiated installations +description: Learn how to manually deploy feature updates +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: mcureton +ms.localizationpriority: medium +ms.author: mikecure +ms.date: 07/10/2018 +--- + +# Deploy feature updates for user-initiated installations (during a fixed service window) + +**Applies to**: Windows 10 + +Use the following steps to deploy a feature update for a user-initiated installation. + +## Get ready to deploy feature updates + +### Step 1: Enable Peer Cache +Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache. + +[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). + +### Step 2: Override the default Windows setup priority (Windows 10, version 1709 and later) + +If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. + +%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini + +``` +[SetupConfig] +Priority=Normal +``` + +You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. + +``` +#Parameters +Param( + [string] $PriorityValue = "Normal" + ) + +#Variable for ini file path +$iniFilePath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini" + +#Variables for SetupConfig +$iniSetupConfigSlogan = "[SetupConfig]" +$iniSetupConfigKeyValuePair =@{"Priority"=$PriorityValue;} + +#Init SetupConfig content +$iniSetupConfigContent = @" +$iniSetupConfigSlogan +"@ + +#Build SetupConfig content with settings +foreach ($k in $iniSetupConfigKeyValuePair.Keys) +{ + $val = $iniSetupConfigKeyValuePair[$k] + + $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val") +} + +#Write content to file +New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force + +Disclaimer +Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is +provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without +limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk +arising out of the use or performance of the sample script and documentation remains with you. In no event shall +Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable +for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, +loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script +or documentation, even if Microsoft has been advised of the possibility of such damages. +``` + +>[!NOTE] +>If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. + +## Manually deploy feature updates in a user-initiated installation + +The following sections provide the steps to manually deploy a feature update. + +### Step 1: Specify search criteria for feature updates +There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying a feature update is to identify the feature updates that you want to deploy. + +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. +3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: + - In the **search** text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. + - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, **Required** is greater than or equal to 1, and **Language** equals English. + +4. Save the search for future use. + +### Step 2: Download the content for the feature update(s) +Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. + +1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. +2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**. + + The **Download Software Updates Wizard** opens. +3. On the **Deployment Package** page, configure the following settings: + **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: + - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. + - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. + - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. + + >[!NOTE] + >The deployment package source location that you specify cannot be used by another software deployment package. + + >[!IMPORTANT] + >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. + + >[!IMPORTANT] + >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. + + Click **Next**. +4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). + + >[!NOTE] + >The Distribution Points page is available only when you create a new software update deployment package. +5. On the **Distribution Settings** page, specify the following settings: + + - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: **High**, **Medium**, or **Low**. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. + - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). + - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: + - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. + - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. + - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. + + For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). + Click **Next**. +6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: + + - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. + - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. + + >[!NOTE] + >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. + + Click **Next**. +7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. +8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. +9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click **Close**. + +#### To monitor content status +1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. +2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. +3. Select the feature update package that you previously identified to download the feature updates. +4. On the **Home** tab, in the Content group, click **View Status**. + +### Step 3: Deploy the feature update(s) +After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). + +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. +3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. + + The **Deploy Software Updates Wizard** opens. +4. On the General page, configure the following settings: + - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** + - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. + - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. + - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. + - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. +5. On the Deployment Settings page, configure the following settings: + + - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. + + >[!IMPORTANT] + > After you create the software update deployment, you cannot later change the type of deployment. + + >[!NOTE] + >A software update group deployed as **Required** will be downloaded in background and honor BITS settings, if configured. + + - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when **Type of deployment** is set to **Required**. + + >[!WARNING] + >Before you can use this option, computers and networks must be configured for Wake On LAN. + + - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. +6. On the Scheduling page, configure the following settings: + + - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. + + - **Software available time**: Select **Specific time** to specify when the software updates will be available to clients: + - **Specific time**: Select this setting to make the feature update in the deployment available to clients at a specific date and time. Specify a date and time that corresponds with the start of your fixed servicing window. When the deployment is created, the client policy is updated and clients are made aware of the deployment at their next client policy polling cycle. However, the feature update in the deployment is not available for installation until after the specified date and time are reached and the required content has been downloaded. + + - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. + + >[!NOTE] + >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. + + - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. However, for the purposes of the fixed servicing window, set the installation deadline date and time to a future value, well beyond the fixed servicing window. + + Required deployments for software updates can benefit from functionality called advanced download. When the software available time is reached, clients will start downloading the content based on a randomized time. The feature update will not be displayed in Software Center for installation until the content is fully downloaded. This ensures that the feature update installation will start immediately when initiated. + +7. On the User Experience page, configure the following settings: + - **User notifications**: Specify **Display in Software Center and show all notifications**. + - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. + >[!NOTE] + >Remember that the installation deadline date and time will be well into the future to allow plenty of time for the user-initiated install during a fixed servicing window. + - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. + + >[!IMPORTANT] + >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. + - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. + + >[!NOTE] + >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. + - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. +8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. + + >[!NOTE] + >You can review recent software updates alerts from the **Software Updates** node in the **Software Library** workspace. +9. On the Download Settings page, configure the following settings: + - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. + - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. + - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). + - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. + - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. + + >[!NOTE] + >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). +10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. +11. Click **Next** to deploy the feature update(s). + +### Step 4: Monitor the deployment status +After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status: + +1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. +2. Click the software update group or software update for which you want to monitor the deployment status. +3. On the **Home** tab, in the **Deployment** group, click **View Status**. \ No newline at end of file diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md index bca4cfe0a9..10b578947d 100644 --- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md +++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md @@ -4,10 +4,10 @@ description: Deployment rings in Windows 10 are similar to the deployment groups ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: DaniHalfin +author: jaimeo ms.localizationpriority: medium -ms.author: daniha -ms.date: 07/27/2017 +ms.author: jaimeo +ms.date: 07/11/2018 --- # Build deployment rings for Windows 10 updates @@ -38,9 +38,7 @@ Table 1 provides an example of the deployment rings you might use. | Critical | Semi-annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for a period of time by the majority of the organization | >[!NOTE] ->In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC servicing channel does not receive feature updates. -> ->Windows Insider PCs must be enrolled manually on each device and serviced based on the Windows Insider level chosen in the **Settings** app on that particular PC. Feature update servicing for Windows Insider devices is done completely through Windows Update; no servicing tools can manage Windows Insider feature updates. +>In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC does not receive feature updates. As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense. @@ -66,6 +64,7 @@ As Table 1 shows, each combination of servicing channel and deployment group is - [Configure Windows Update for Business](waas-configure-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index 37f12a310f..3bf18afce3 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 07/02/2018 +ms.date: 07/11/2018 ms.localizationpriority: high --- @@ -229,3 +229,6 @@ System Center Configuration Manager (SCCM) considers a device ready to upgrade i Currently, you can choose the criteria you wish to use: - To use the SCCM criteria, create the collection of devices ready to upgrade within the SCCM console (using the analytics connector). - To use the Upgrade Readiness criteria, export the list of ready-to-upgrade devices from the corresponding Upgrade Readiness report, and then build the SCCM collection from that spreadsheet. + +### How does Upgrade Readiness collect the inventory of devices and applications? +For details about this process and some tips, see [How does Upgrade Readiness in WA collects application inventory for your OMS workspace?](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/How-does-Upgrade-Readiness-in-WA-collects-application-inventory/ba-p/213586) on the Windows Analytics blog. \ No newline at end of file diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 494351fd7c..70e120e841 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 05/30/2018 -ms.localizationpriority: medium +ms.date: 07/10/2018 +ms.localizationpriority: high --- # SetupDiag @@ -45,6 +45,7 @@ See the [Release notes](#release-notes) section at the bottom of this topic for | /LogsPath:\ |
  • This optional parameter is required only when **/Mode:Offline** is specified. This tells SetupDiag.exe where to find the log files. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag will recursively search all child directories. This parameter should be omitted when the **/Mode:Online** is specified.
| | /ZipLogs:\ |
  • This optional parameter tells SetupDiag.exe to create a zip file continuing its results and all the log files it parsed. The zip file is created in the same directory where SetupDiag.exe is run.
  • Default: If not specified, a value of 'true' is used.
| | /Verbose |
  • This optional parameter will output much more data to the log file produced by SetupDiag.exe. By default SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce a log file with debugging details, which can be useful when reporting a problem with SetupDiag.
| +| /Format:\ |
  • This optional parameter can be used to output log files in xml or JSON format. If this parameter is not specified, text format is used by default.
| ### Examples: @@ -346,10 +347,23 @@ Each rule name and its associated unique rule identifier are listed with a descr - Matches DPX expander failures in the down-level phase of update from WU. Will output the package name, function, expression and error code. 41. FindFatalPluginFailure – E48E3F1C-26F6-4AFB-859B-BF637DA49636 - Matches any plug in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code. - +42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC + - Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes. +43. MigrationAbortedDueToPluginFailure - D07A24F6-5B25-474E-B516-A730085940C9 + - Indicates a critical failure in a migration plugin that causes setup to abort the migration. Will provide the setup operation, plug in name, plug in action and error code. +44. DISMAddPackageFailed - 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9 + - Indicates a critical failure during a DISM add package operation. Will specify the Package Name, DISM error and add package error code. ## Release notes +07/10/2018 - SetupDiag v1.30 is released with 44 rules, as a standalone tool available from the Download Center. + - Bug fix for an over-matched plug-in rule. The rule will now correctly match only critical (setup failure) plug-in issues. + - New feature: Ability to output logs in JSON and XML format. + - Use "/Format:xml" or "/Format:json" command line parameters to specify the new output format. See [sample logs](#sample-logs) at the bottom of this topic. + - If the “/Format:xml” or “/Format:json” parameter is omitted, the log output format will default to text. + - New Feature: Where possible, specific instructions are now provided in rule output to repair the identified error. For example, instructions are provided to remediate known blocking issues such as uninstalling an incompatible app or freeing up space on the system drive. + - 3 new rules added: AdvancedInstallerFailed, MigrationAbortedDueToPluginFailure, DISMAddPackageFailed. + 05/30/2018 - SetupDiag v1.20 is released with 41 rules, as a standalone tool available from the Download Center. - Fixed a bug in device install failure detection in online mode. - Changed SetupDiag to work without an instance of setupact.log. Previously, SetupDiag required at least one setupact.log to operate. This change enables the tool to analyze update failures that occur prior to calling SetupHost. @@ -364,6 +378,84 @@ Each rule name and its associated unique rule identifier are listed with a descr 03/30/2018 - SetupDiag v1.00 is released with 26 rules, as a standalone tool available from the Download Center. +## Sample logs + +### Text log sample + +``` +Matching Profile found: OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6 +System Information: + Machine Name = Offline + Manufacturer = MSI + Model = MS-7998 + HostOSArchitecture = x64 + FirmwareType = PCAT + BiosReleaseDate = 20160727000000.000000+000 + BiosVendor = BIOS Date: 07/27/16 10:01:46 Ver: V1.70 + BiosVersion = 1.70 + HostOSVersion = 10.0.15063 + HostOSBuildString = 15063.0.amd64fre.rs2_release.170317-1834 + TargetOSBuildString = 10.0.16299.15 (rs3_release.170928-1534) + HostOSLanguageId = 2057 + HostOSEdition = Core + RegisteredAV = Windows Defender, + FilterDrivers = WdFilter,wcifs,WIMMount,luafv,Wof,FileInfo, + UpgradeStartTime = 3/21/2018 9:47:16 PM + UpgradeEndTime = 3/21/2018 10:02:40 PM + UpgradeElapsedTime = 00:15:24 + ReportId = dd4db176-4e3f-4451-aef6-22cf46de8bde + +Error: SetupDiag reports Optional Component installation failed to open OC Package. Package Name: Foundation, Error: 0x8007001F +Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again. +Error: SetupDiag reports down-level failure, Operation: Finalize, Error: 0x8007001F - 0x50015 +Refer to https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-error-codes for error information. +``` + +### XML log sample + +``` + + + 1.3.0.0 + DiskSpaceBlockInDownLevel + 6080AFAC-892E-4903-94EA-7A17E69E549E + + Offline + Microsoft Corporation + Virtual Machine + x64 + UEFI + 20171012000000.000000+000 + Hyper-V UEFI Release v2.5 + Hyper-V UEFI Release v2.5 + 10.0.14393 + 14393.1794.amd64fre.rs1_release.171008-1615 + 10.0.16299.15 (rs3_release.170928-1534) + 1033 + Core + + + 2017-12-21T12:56:22 + + 2017-12-21T13:22:46 + 0001-01-01T00:00:00 + 0001-01-01T00:00:00 + + Offline + 06600fcd-acc0-40e4-b7f8-bb984dc8d05a + 06600fcd-acc0-40e4-b7f8-bb984dc8d05a + + Warning: Found Disk Space Hard Block. + You must free up at least "6603" MB of space on the System Drive, and try again. + +``` + +### JSON log sample + +``` +{"Version":"1.3.0.0","ProfileName":"DiskSpaceBlockInDownLevel","ProfileGuid":"6080AFAC-892E-4903-94EA-7A17E69E549E","SystemInfo":{"BiosReleaseDate":"20171012000000.000000+000","BiosVendor":"Hyper-V UEFI Release v2.5","BiosVersion":"Hyper-V UEFI Release v2.5","CV":null,"CommercialId":"Offline","FilterDrivers":"","FirmwareType":"UEFI","HostOSArchitecture":"x64","HostOSBuildString":"14393.1794.amd64fre.rs1_release.171008-1615","HostOSEdition":"Core","HostOSLanguageId":"1033","HostOSVersion":"10.0.14393","MachineName":"Offline","Manufacturer":"Microsoft Corporation","Model":"Virtual Machine","RegisteredAV":"","ReportId":"06600fcd-acc0-40e4-b7f8-bb984dc8d05a","RollbackElapsedTime":"PT0S","RollbackEndTime":"\/Date(-62135568000000-0800)\/","RollbackStartTime":"\/Date(-62135568000000-0800)\/","SDMode":1,"SetupReportId":"06600fcd-acc0-40e4-b7f8-bb984dc8d05a","TargetOSArchitecture":null,"TargetOSBuildString":"10.0.16299.15 (rs3_release.170928-1534)","UpgradeElapsedTime":"PT26M24S","UpgradeEndTime":"\/Date(1513891366000-0800)\/","UpgradeStartTime":"\/Date(1513889782000-0800)\/"},"FailureData":["Warning: Found Disk Space Hard Block."],"DeviceDriverInfo":null,"Remediation":["You must free up at least \"6603\" MB of space on the System Drive, and try again."]} +``` + ## Related topics [Resolve Windows 10 upgrade errors: Technical information for IT Pros](https://docs.microsoft.com/en-us/windows/deployment/upgrade/resolve-windows-10-upgrade-errors) \ No newline at end of file diff --git a/windows/privacy/windows-personal-data-services-configuration.md b/windows/privacy/windows-personal-data-services-configuration.md index 4b824f3b1d..9c969844b3 100644 --- a/windows/privacy/windows-personal-data-services-configuration.md +++ b/windows/privacy/windows-personal-data-services-configuration.md @@ -109,7 +109,7 @@ This setting determines whether a device shows notifications about Windows diagn >| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | >| **Value** | DisableTelemetryOptInChangeNotification | >| **Type** | REG_DWORD | ->| **Setting** | "00000001" | +>| **Setting** | "00000000" | #### MDM diff --git a/windows/security/TOC.md b/windows/security/TOC.md index 1a508b07b8..ad302db477 100644 --- a/windows/security/TOC.md +++ b/windows/security/TOC.md @@ -1,5 +1,7 @@ # [Security](index.yml) ## [Identity and access management](identity-protection/index.md) -## [Threat protection](threat-protection/index.md) ## [Information protection](information-protection/index.md) -## [Hardware-based protection](hardware-protection/index.md) \ No newline at end of file +## [Hardware-based protection](hardware-protection/index.md) +## [Threat protection](threat-protection/index.md) + + diff --git a/windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md index 95c6095ae0..3b52d2e805 100644 --- a/windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -28,7 +28,7 @@ With TPM 1.2 and Windows 10, version 1507 or 1511, you can also take the followi - [Turn on or turn off the TPM](#turn-on-or-turn-off) -For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). +For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/?view=win10-ps). ## About TPM initialization and ownership @@ -165,7 +165,7 @@ This capability was fully removed from TPM.msc in later versions of Windows. ## Use the TPM cmdlets -You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/?view=win10-ps). ## Related topics diff --git a/windows/security/index.yml b/windows/security/index.yml index b928c6db2b..05c303413e 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -14,7 +14,7 @@ metadata: keywords: protect, company, data, Windows, device, app, management, Microsoft365, e5, e3 - ms.localizationpriority: medium + ms.localizationpriority: high author: brianlic-msft @@ -22,7 +22,7 @@ metadata: manager: brianlic - ms.date: 02/06/2018 + ms.date: 07/12/2018 ms.topic: article @@ -78,199 +78,17 @@ sections: title: Information protection -- title: Security features built in to Windows 10 - +- title: Windows Defender Advanced Threat Protection items: - - - type: paragraph - - text: 'Windows 10 enables critical security features to protect your device right from the start.' - - - type: list - - style: cards - - className: cardsM - - columns: 3 - - items: - - - href: \windows\security\hardware-protection\how-hardware-based-containers-help-protect-windows - - html:

Protect the boot process and maintain system integrity

- - image: - - src: https://docs.microsoft.com/media/common/i_identity-protection.svg - - title: Windows Defender System Guard - - - href: \windows\security\threat-protection\windows-defender-antivirus\windows-defender-antivirus-in-windows-10 - - html:

Protect against malware management using next-generation antivirus technologies

- - image: - - src: https://docs.microsoft.com/media/common/i_threat-protection.svg - - title: Windows Defender Antivirus - - - href: \windows\security\information-protection\bitlocker\bitlocker-overview - - html:

Prevent data theft from lost or stolen devices

- - image: - - src: https://docs.microsoft.com/media/common/i_information-protection.svg - - title: BitLocker - -- title: Security features in Microsoft 365 E3 - - items: - - - type: paragraph - - text: 'Windows 10 Enterprise provides the foundation for Microsoft 365 E3 and a secure modern workplace.' - - - type: list - - style: cards - - className: cardsM - - columns: 3 - - items: - - - href: \windows\security\identity-protection\hello-for-business\hello-overview - - html:

Give users a more personal and secure way to access their devices

- - image: - - src: https://docs.microsoft.com/media/common/i_identity-protection.svg - - title: Windows Hello for Business - - - href: \windows\security\threat-protection\windows-defender-application-control\windows-defender-application-control - - html:

Lock down applications that run on a device

- - image: - - src: https://docs.microsoft.com/media/common/i_threat-protection.svg - - title: Windows Defender Application Control - - - href: \windows\security\information-protection\windows-information-protection\protect-enterprise-data-using-wip - - html:

Prevent accidental data leaks from enterprise devices

- - image: - - src: https://docs.microsoft.com/media/common/i_information-protection.svg - - title: Windows Information Protection - -- title: Security features in Microsoft 365 E5 - - items: - - - type: paragraph - - text: 'Get all of the protection from Microsoft 365 E3 security, plus these cloud-based security features to help you defend against even the most advanced threats.' - - - type: list - - style: cards - - className: cardsM - - columns: 3 - - items: - - - href: https://docs.microsoft.com/azure/active-directory/active-directory-identityprotection - - html:

Identity Protection and Privileged Identity Management

- - image: - - src: https://docs.microsoft.com/media/common/i_identity-protection.svg - - title: Azure Active Directory P2 - - - href: \windows\security\threat-protection\Windows-defender-atp\windows-defender-advanced-threat-protection - - html:

Detect, investigate, and respond to advanced cyberattacks

- - image: - - src: https://docs.microsoft.com/media/common/i_threat-protection.svg - - title: Windows Defender Advanced Threat Protection - - - href: https://www.microsoft.com/cloud-platform/azure-information-protection - - html:

Protect documents and email automatically

- - image: - - src: https://docs.microsoft.com/media/common/i_information-protection.svg - - title: Azure Information Protection P2 - -- title: Videos - - items: - - type: markdown - - text: ">[![VIDEO](images/next-generation-windows-security-vision.png)](https://www.youtube.com/watch?v=IvZySDNfNpo)" - - - type: markdown - - text: ">[![VIDEO](images/fall-creators-update-next-gen-security.png)](https://www.youtube.com/watch?v=JDGMNFwyUg8)" - -- title: Additional security features in Windows 10 - - items: - - - type: paragraph - - text: 'These additional security features are also built in to Windows 10 Enterprise.' - - - type: list - - style: unordered - - items: - - - html: Windows Defender Firewall - - html: Windows Defender Exploit Guard - - html: Windows Defender Credential Guard - - html: Windows Defender Application Control - - html: Windows Defender Application Guard - - html: Windows Defender SmartScreen - - html: Windows Defender Security Center - -- title: Security Resources - - items: - - - type: list - - style: unordered - - items: - - - html: Windows Defender Security Intelligence - - html: Microsoft Secure blog - - html: Security Update blog - - html: Microsoft Security Response Center (MSRC) - - html: MSRC Blog - - html: Ransomware FAQ - - + text: " + Prevent, detect, investigate, and respond to advanced threats. The following capabilities are available across multiple products that make up the Windows Defender ATP platform. +
 
+ + + + + + + +
Attack surface reductionNext generation protectionEndpoint detection and responseAuto investigation and remediationSecurity posture
[Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows)

[Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)

[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)

[Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)

[Device restrictions](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)

[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)

[Network firewall](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security)

[Attack surface reduction controls](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)		[Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)

[Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)

[Automated sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)		[Alerts queue](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection)

[Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)

[Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)

[API and SIEM integration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)

[Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)

[Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)

[Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)

[Advanced detonation and analysis service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis)		[Automated investigation and remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)

[Threat remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated)

[Manage automated investigations](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations)

[Analyze automated investigation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations)		[Asset inventory](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

[Operating system baseline compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

[Recommended improvement actions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

[Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

[Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)

[Reporting and trends](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection)
" \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md index 29a5d2fc39..66780914d3 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 05/03/2018 +ms.date: 07/10/2018 --- # BitLocker To Go FAQ @@ -18,5 +18,7 @@ ms.date: 05/03/2018 ## What is BitLocker To Go? -BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. +BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. + +As with BitLocker, drives that are encrypted using BitLocker To Go can be opened with a password or smart card on another computer by using **BitLocker Drive Encryption** in Control Panel. diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md index d871cf396b..1edcded5ee 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 05/03/2018 +ms.date: 07/10/2018 --- # Using BitLocker with other programs FAQ @@ -89,11 +89,11 @@ Yes. However, shadow copies made prior to enabling BitLocker will be automatical BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run. - With TPM - Yes it is supported -- Without TPM - Yes it is supported (with password ) protector +- Without TPM - Yes it is supported (with password protector) -BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2. +BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012. ## Can I use BitLocker with virtual machines (VMs)? -Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators. +Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators. diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index 1fa8a3afba..0743b419b6 100644 --- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md @@ -41,10 +41,7 @@ The recovery process included in this topic only works for desktop devices. WIP >[!Important] >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. -4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. - - >[!Note] - >To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic. +4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune.md) or [System Center Configuration Manager](create-wip-policy-using-sccm.md). ## Verify your data recovery certificate is correctly set up on a WIP client computer @@ -52,7 +49,7 @@ The recovery process included in this topic only works for desktop devices. WIP 2. Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP. -3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: +3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: cipher /c filename diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 10ad578044..a293cb908b 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -8,7 +8,7 @@ ms.pagetype: security author: justinha ms.author: justinha ms.localizationpriority: medium -ms.date: 05/30/2018 +ms.date: 07/10/2018 --- # Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune @@ -379,7 +379,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor 1. From the **App policy** blade, click the name of your policy, and then click **Required settings**. -2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. If you need to add additional domains, for example your email domains, you can do it in the **Advanced settings** area. +2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. If you need to add domains, for example your email domains, you can do it in the **Advanced settings** area. ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png) @@ -487,7 +487,7 @@ After you've decided where your protected apps can access enterprise data on you - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - - **On (recommended).** Turns on the feature and provides the additional protection. + - **On.** Turns on the feature and provides the additional protection. - **Off, or not configured.** Doesn't enable this feature. @@ -497,7 +497,7 @@ After you've decided where your protected apps can access enterprise data on you - **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions. - - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: + - **Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. @@ -509,6 +509,12 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured.** Stops using Azure Rights Management encryption with WIP. + - **Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files. + + - **On.** Starts Windows Search Indexer to index encrypted files. + + - **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files. + ## Choose to set up Azure Rights Management with WIP WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png index 517c4a4ad3..7fff387ab2 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png index 7775888473..cd8e0d0388 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png index c467cd1e24..752ea852ce 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png index bdd625c9c6..734f23b46c 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png differ diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 8ece2a49c9..40b7f2653a 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -1,876 +1,916 @@ # [Threat protection](index.md) -## [The Windows Defender Security Center app](windows-defender-security-center/windows-defender-security-center.md) -### [Customize the Windows Defender Security Center app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md) -### [Hide Windows Defender Security Center app notifications](windows-defender-security-center/wdsc-hide-notifications.md) -### [Manage Windows Defender Security Center in Windows 10 in S mode](windows-defender-security-center\wdsc-windows-10-in-s-mode.md) -### [Virus and threat protection](windows-defender-security-center/wdsc-virus-threat-protection.md) -### [Account protection](windows-defender-security-center\wdsc-account-protection.md) -### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md) -### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md) -### [Device security](windows-defender-security-center\wdsc-device-security.md) -### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md) -### [Family options](windows-defender-security-center\wdsc-family-options.md) - ## [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md) -###Get started -#### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md) -#### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md) -#### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) -#### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md) -#### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md) -#### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md) -### [Onboard machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) -#### [Onboard previous versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md) -#### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md) -##### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md) -##### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -##### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -###### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-windows-10-machines-using-microsoft-intune) -##### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md) -##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -#### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md) -#### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) -#### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md) -#### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md) -#### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md) -#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) -### [Understand the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md) -#### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md) -#### [View the Security operations dashboard](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md) -#### [View the Secure Score dashboard and improve your secure score](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md) -#### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) +### [Windows Defender Security Center](windows-defender-atp/windows-defender-security-center-atp.md) +####Get started +##### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md) +##### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md) +##### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) +##### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md) +##### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md) +##### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md) +#### [Onboard machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) +##### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md) +###### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md) +###### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +###### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +####### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune) +###### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md) +###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) +##### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md) +##### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) +##### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md) +##### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md) +##### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md) +##### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +#### [Understand the portal ](windows-defender-atp\use-windows-defender-advanced-threat-protection.md) +##### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md) +##### [View the Security operations dashboard](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md) +##### [View the Secure Score dashboard and improve your secure score](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md) +##### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) -###Investigate and remediate threats -####Alerts queue -##### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) -##### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md) -##### [Investigate alerts](windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) -##### [Investigate files](windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md) -##### [Investigate machines](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md) -##### [Investigate an IP address](windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md) -##### [Investigate a domain](windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md) -##### [Investigate a user account](windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md) +####Investigate and remediate threats +#####Alerts queue +###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) +###### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md) +###### [Investigate alerts](windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) +###### [Investigate files](windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md) +###### [Investigate machines](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md) +###### [Investigate an IP address](windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md) +###### [Investigate a domain](windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md) +###### [Investigate a user account](windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md) -####Machines list -##### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md) -##### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags) -##### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) -##### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) -###### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) -###### [Filter events from a specific date](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) -###### [Export machine timeline events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) -###### [Navigate between pages](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) +#####Machines list +###### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md) +###### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags) +###### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) +###### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) +####### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) +####### [Filter events from a specific date](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) +####### [Export machine timeline events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) +####### [Navigate between pages](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) -#### [Take response actions](windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md) -##### [Take response actions on a machine](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md) -###### [Collect investigation package](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) -###### [Run antivirus scan](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines) -###### [Restrict app execution](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution) -###### [Remove app restriction](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction) -###### [Isolate machines from the network](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) -###### [Release machine from isolation](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation) -###### [Check activity details in Action center](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) -##### [Take response actions on a file](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md) -###### [Stop and quarantine files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) -###### [Remove file from quarantine](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) -###### [Block files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) -###### [Remove file from blocked list](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list) -###### [Check activity details in Action center](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) -###### [Deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) -####### [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) -####### [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) -####### [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) +##### [Take response actions](windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md) +###### [Take response actions on a machine](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md) +####### [Collect investigation package](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) +####### [Run antivirus scan](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines) +####### [Restrict app execution](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution) +####### [Remove app restriction](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction) +####### [Isolate machines from the network](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) +####### [Release machine from isolation](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation) +####### [Check activity details in Action center](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) -#### [Use Automated investigation to investigate and remediate threats](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md) -#### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md) -##### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md) -##### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) +###### [Take response actions on a file](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md) +####### [Stop and quarantine files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) +####### [Remove file from quarantine](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) +####### [Block files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) +####### [Remove file from blocked list](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list) +####### [Check activity details in Action center](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) +####### [Deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) +######## [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) +######## [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) +######## [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) + +###### [Use Automated investigation to investigate and remediate threats](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md) +###### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md) +####### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md) +####### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) -### [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md) +#### [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md) -###API and SIEM support -#### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) -##### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md) -##### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md) -##### [Configure HP ArcSight to pull alerts](windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md) -##### [Windows Defender ATP alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md) -##### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) -##### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md) +####API and SIEM support +##### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) +###### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md) +###### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md) +###### [Configure HP ArcSight to pull alerts](windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md) +###### [Windows Defender ATP alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md) +###### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +###### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md) -#### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md) -##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -##### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md) -##### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md) -##### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md) -##### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md) -##### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md) -##### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) -#### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md) -##### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md) -######Actor -####### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md) -####### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md) -######Alerts -####### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md) -####### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md) -####### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md) -####### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md) -####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md) -####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) -####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) -######Domain -####### [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md) -####### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md) -####### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) +##### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md) +###### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md) +###### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md) +###### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md) +###### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md) +###### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md) +###### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) +##### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md) +###### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md) +#######Actor +######## [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md) +######## [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md) +#######Alerts +######## [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md) +######## [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md) +######## [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md) +######## [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md) +######## [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md) +######## [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) +######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) +########Domain +######### [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md) +######### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md) +######### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md) +######### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) -######File -####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md) -####### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md) -####### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md) -####### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md) -####### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md) -####### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md) +#######File +######## [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md) +######## [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md) +######## [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md) +######## [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md) +######## [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md) +######## [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md) +######## [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md) -######IP -####### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md) -####### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md) -####### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md) -######Machines -####### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md) -####### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) -####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) -####### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md) -####### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) -####### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md) -####### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md) -####### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md) -####### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md) -####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) -####### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md) -####### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md) -####### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md) -####### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md) -####### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md) -####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md) -####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md) -####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md) +#######IP +######## [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md) +######## [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md) +######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md) +######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md) +#######Machines +######## [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md) +######## [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) +######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) +######## [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md) +######## [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) +######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md) +######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md) +######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md) +######## [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md) +######## [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md) +######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) +######## [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md) +######## [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md) +######## [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md) +######## [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md) +######## [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md) +######## [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md) +######## [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md) +######## [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md) -######User -####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md) -####### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md) -####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md) +#######User +######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md) +######## [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md) +######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md) +######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md) -###Reporting -#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md) +####Reporting +##### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md) -###Check service health and sensor state -#### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md) +####Check service health and sensor state +##### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md) ##### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) ##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) ##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) -#### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md) -### [Configure Windows Defender ATP Settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md) - -####General -##### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md) -##### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md) -##### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) -##### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md) -##### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md) +##### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md) -####Permissions -##### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md) -##### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md) - -####APIs -##### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md) -##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md) - -####Rules -##### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md) -##### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) -##### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) -##### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) - -####Machine management -##### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) -##### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md) - -### [Configure Windows Defender ATP time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md) - -### [Access the Windows Defender ATP Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md) -### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md) -#### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md) -### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md) - -## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md) -### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md) - -### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md) -#### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md) +####[Configure Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md) +#####General +###### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md) +###### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md) +###### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) +###### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md) +###### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md) -### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md) +#####Permissions +###### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md) +###### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md) + +#####APIs +###### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md) +###### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md) + +#####Rules +###### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md) +###### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +###### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) +###### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) + +#####Machine management +###### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) +###### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md) + +#### [Configure Windows Defender Security Center time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md) + +#### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md) +#### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md) +##### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md) +#### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md) + +### [Windows Defender Antivirus](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md) +#### [Windows Defender AV in the Windows Defender Security app](windows-defender-antivirus\windows-defender-security-center-antivirus.md) +#### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md) + +#### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md) +##### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md) -### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md) -#### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md) -##### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md) -#### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md) -##### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md) -#### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md) -##### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md) -##### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md) -##### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md) -##### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md) -##### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md) +#### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md) -### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md) -#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md) -##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md) -##### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md) -##### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md) -##### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md) -##### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md) -#### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md) -##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) -##### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md) -#### [Configure end-user interaction with Windows Defender AV](windows-defender-antivirus\configure-end-user-interaction-windows-defender-antivirus.md) -##### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md) -##### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md) -##### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md) +#### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md) +##### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md) +###### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md) +##### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md) +###### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md) +##### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md) +###### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md) +###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md) +###### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md) +###### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md) +###### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md) -### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md) -#### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md) -##### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md) -##### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md) -##### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md) -#### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md) -#### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md) -#### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md) -#### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md) -#### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md) -#### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md) +#### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md) +##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +###### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md) +###### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md) +###### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md) +###### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md) +###### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md) +##### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md) +###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) +###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md) +##### [Configure end-user interaction with Windows Defender AV](windows-defender-antivirus\configure-end-user-interaction-windows-defender-antivirus.md) +###### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md) +###### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md) +###### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md) + + +#### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md) +##### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md) +###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md) +###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md) +###### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md) +##### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md) +##### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md) +##### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md) +##### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md) +##### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md) +##### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md) #### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md) -### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md) +##### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md) -### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md) -#### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md) -#### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md) -#### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md) -#### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md) -#### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md) +##### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md) +###### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md) +###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md) +###### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md) +###### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md) +###### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md) -## [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md) -## [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md) -### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md) -#### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md) -#### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md) -### [Exploit protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md) -#### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md) -#### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md) -#### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md) -#### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md) -##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) -### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md) + + + + + + + + + + + + + +### [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md) +#### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md) +##### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md) +##### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md) +#### [Exploit protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md) +##### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md) +##### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md) +##### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md) +##### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md) +###### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) +##### [Memory integrity](windows-defender-exploit-guard\memory-integrity.md) +###### [Requirements for virtualization-based protection of code integrity](windows-defender-exploit-guard\requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) +###### [Enable virtualization-based protection of code integrity](windows-defender-exploit-guard\enable-virtualization-based-protection-of-code-integrity.md) +#### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md) #### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md) #### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md) #### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md) #### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md) -### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md) +#### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md) #### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md) #### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md) #### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md) -### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md) +#### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md) #### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md) #### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md) #### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md) -### [Memory integrity](windows-defender-exploit-guard\memory-integrity.md) -#### [Requirements for virtualization-based protection of code integrity](windows-defender-exploit-guard\requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) -#### [Enable virtualization-based protection of code integrity](windows-defender-exploit-guard\enable-virtualization-based-protection-of-code-integrity.md) -## [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md) - -## [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) - -## [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) - -## [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) -### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md) -### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md) - -##[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md) -###[System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md) -###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md) -###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md) -###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md) -###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md) - -## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) - -## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) - -## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md) - -## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) - -## [Security auditing](auditing/security-auditing-overview.md) -### [Basic security audit policies](auditing/basic-security-audit-policies.md) -#### [Create a basic audit policy for an event category](auditing/create-a-basic-audit-policy-settings-for-an-event-category.md) -#### [Apply a basic audit policy on a file or folder](auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md) -#### [View the security event log](auditing/view-the-security-event-log.md) -#### [Basic security audit policy settings](auditing/basic-security-audit-policy-settings.md) -##### [Audit account logon events](auditing/basic-audit-account-logon-events.md) -##### [Audit account management](auditing/basic-audit-account-management.md) -##### [Audit directory service access](auditing/basic-audit-directory-service-access.md) -##### [Audit logon events](auditing/basic-audit-logon-events.md) -##### [Audit object access](auditing/basic-audit-object-access.md) -##### [Audit policy change](auditing/basic-audit-policy-change.md) -##### [Audit privilege use](auditing/basic-audit-privilege-use.md) -##### [Audit process tracking](auditing/basic-audit-process-tracking.md) -##### [Audit system events](auditing/basic-audit-system-events.md) -### [Advanced security audit policies](auditing/advanced-security-auditing.md) -#### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md) -#### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md) -##### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md) -#### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -##### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md) -##### [Monitor the use of removable storage devices](auditing/monitor-the-use-of-removable-storage-devices.md) -##### [Monitor resource attribute definitions](auditing/monitor-resource-attribute-definitions.md) -##### [Monitor central access policy and rule definitions](auditing/monitor-central-access-policy-and-rule-definitions.md) -##### [Monitor user and device claims during sign-in](auditing/monitor-user-and-device-claims-during-sign-in.md) -##### [Monitor the resource attributes on files and folders](auditing/monitor-the-resource-attributes-on-files-and-folders.md) -##### [Monitor the central access policies associated with files and folders](auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md) -##### [Monitor claim types](auditing/monitor-claim-types.md) -#### [Advanced security audit policy settings](auditing/advanced-security-audit-policy-settings.md) -##### [Audit Credential Validation](auditing/audit-credential-validation.md) -###### [Event 4774 S, F: An account was mapped for logon.](auditing/event-4774.md) -###### [Event 4775 F: An account could not be mapped for logon.](auditing/event-4775.md) -###### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](auditing/event-4776.md) -###### [Event 4777 F: The domain controller failed to validate the credentials for an account.](auditing/event-4777.md) -##### [Audit Kerberos Authentication Service](auditing/audit-kerberos-authentication-service.md) -###### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](auditing/event-4768.md) -###### [Event 4771 F: Kerberos pre-authentication failed.](auditing/event-4771.md) -###### [Event 4772 F: A Kerberos authentication ticket request failed.](auditing/event-4772.md) -##### [Audit Kerberos Service Ticket Operations](auditing/audit-kerberos-service-ticket-operations.md) -###### [Event 4769 S, F: A Kerberos service ticket was requested.](auditing/event-4769.md) -###### [Event 4770 S: A Kerberos service ticket was renewed.](auditing/event-4770.md) -###### [Event 4773 F: A Kerberos service ticket request failed.](auditing/event-4773.md) -##### [Audit Other Account Logon Events](auditing/audit-other-account-logon-events.md) -##### [Audit Application Group Management](auditing/audit-application-group-management.md) -##### [Audit Computer Account Management](auditing/audit-computer-account-management.md) -###### [Event 4741 S: A computer account was created.](auditing/event-4741.md) -###### [Event 4742 S: A computer account was changed.](auditing/event-4742.md) -###### [Event 4743 S: A computer account was deleted.](auditing/event-4743.md) -##### [Audit Distribution Group Management](auditing/audit-distribution-group-management.md) -###### [Event 4749 S: A security-disabled global group was created.](auditing/event-4749.md) -###### [Event 4750 S: A security-disabled global group was changed.](auditing/event-4750.md) -###### [Event 4751 S: A member was added to a security-disabled global group.](auditing/event-4751.md) -###### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md) -###### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md) -##### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md) -###### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md) -###### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md) -##### [Audit Security Group Management](auditing/audit-security-group-management.md) -###### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md) -###### [Event 4732 S: A member was added to a security-enabled local group.](auditing/event-4732.md) -###### [Event 4733 S: A member was removed from a security-enabled local group.](auditing/event-4733.md) -###### [Event 4734 S: A security-enabled local group was deleted.](auditing/event-4734.md) -###### [Event 4735 S: A security-enabled local group was changed.](auditing/event-4735.md) -###### [Event 4764 S: A group’s type was changed.](auditing/event-4764.md) -###### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing/event-4799.md) -##### [Audit User Account Management](auditing/audit-user-account-management.md) -###### [Event 4720 S: A user account was created.](auditing/event-4720.md) -###### [Event 4722 S: A user account was enabled.](auditing/event-4722.md) -###### [Event 4723 S, F: An attempt was made to change an account's password.](auditing/event-4723.md) -###### [Event 4724 S, F: An attempt was made to reset an account's password.](auditing/event-4724.md) -###### [Event 4725 S: A user account was disabled.](auditing/event-4725.md) -###### [Event 4726 S: A user account was deleted.](auditing/event-4726.md) -###### [Event 4738 S: A user account was changed.](auditing/event-4738.md) -###### [Event 4740 S: A user account was locked out.](auditing/event-4740.md) -###### [Event 4765 S: SID History was added to an account.](auditing/event-4765.md) -###### [Event 4766 F: An attempt to add SID History to an account failed.](auditing/event-4766.md) -###### [Event 4767 S: A user account was unlocked.](auditing/event-4767.md) -###### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](auditing/event-4780.md) -###### [Event 4781 S: The name of an account was changed.](auditing/event-4781.md) -###### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing/event-4794.md) -###### [Event 4798 S: A user's local group membership was enumerated.](auditing/event-4798.md) -###### [Event 5376 S: Credential Manager credentials were backed up.](auditing/event-5376.md) -###### [Event 5377 S: Credential Manager credentials were restored from a backup.](auditing/event-5377.md) -##### [Audit DPAPI Activity](auditing/audit-dpapi-activity.md) -###### [Event 4692 S, F: Backup of data protection master key was attempted.](auditing/event-4692.md) -###### [Event 4693 S, F: Recovery of data protection master key was attempted.](auditing/event-4693.md) -###### [Event 4694 S, F: Protection of auditable protected data was attempted.](auditing/event-4694.md) -###### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](auditing/event-4695.md) -##### [Audit PNP Activity](auditing/audit-pnp-activity.md) -###### [Event 6416 S: A new external device was recognized by the System.](auditing/event-6416.md) -###### [Event 6419 S: A request was made to disable a device.](auditing/event-6419.md) -###### [Event 6420 S: A device was disabled.](auditing/event-6420.md) -###### [Event 6421 S: A request was made to enable a device.](auditing/event-6421.md) -###### [Event 6422 S: A device was enabled.](auditing/event-6422.md) -###### [Event 6423 S: The installation of this device is forbidden by system policy.](auditing/event-6423.md) -###### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](auditing/event-6424.md) -##### [Audit Process Creation](auditing/audit-process-creation.md) -###### [Event 4688 S: A new process has been created.](auditing/event-4688.md) -###### [Event 4696 S: A primary token was assigned to process.](auditing/event-4696.md) -##### [Audit Process Termination](auditing/audit-process-termination.md) -###### [Event 4689 S: A process has exited.](auditing/event-4689.md) -##### [Audit RPC Events](auditing/audit-rpc-events.md) -###### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md) -##### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md) -###### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md) -###### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing/event-4929.md) -###### [Event 4930 S, F: An Active Directory replica source naming context was modified.](auditing/event-4930.md) -###### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](auditing/event-4931.md) -###### [Event 4934 S: Attributes of an Active Directory object were replicated.](auditing/event-4934.md) -###### [Event 4935 F: Replication failure begins.](auditing/event-4935.md) -###### [Event 4936 S: Replication failure ends.](auditing/event-4936.md) -###### [Event 4937 S: A lingering object was removed from a replica.](auditing/event-4937.md) -##### [Audit Directory Service Access](auditing/audit-directory-service-access.md) -###### [Event 4662 S, F: An operation was performed on an object.](auditing/event-4662.md) -###### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md) -##### [Audit Directory Service Changes](auditing/audit-directory-service-changes.md) -###### [Event 5136 S: A directory service object was modified.](auditing/event-5136.md) -###### [Event 5137 S: A directory service object was created.](auditing/event-5137.md) -###### [Event 5138 S: A directory service object was undeleted.](auditing/event-5138.md) -###### [Event 5139 S: A directory service object was moved.](auditing/event-5139.md) -###### [Event 5141 S: A directory service object was deleted.](auditing/event-5141.md) -##### [Audit Directory Service Replication](auditing/audit-directory-service-replication.md) -###### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](auditing/event-4932.md) -###### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](auditing/event-4933.md) -##### [Audit Account Lockout](auditing/audit-account-lockout.md) -###### [Event 4625 F: An account failed to log on.](auditing/event-4625.md) -##### [Audit User/Device Claims](auditing/audit-user-device-claims.md) -###### [Event 4626 S: User/Device claims information.](auditing/event-4626.md) -##### [Audit Group Membership](auditing/audit-group-membership.md) -###### [Event 4627 S: Group membership information.](auditing/event-4627.md) -##### [Audit IPsec Extended Mode](auditing/audit-ipsec-extended-mode.md) -##### [Audit IPsec Main Mode](auditing/audit-ipsec-main-mode.md) -##### [Audit IPsec Quick Mode](auditing/audit-ipsec-quick-mode.md) -##### [Audit Logoff](auditing/audit-logoff.md) -###### [Event 4634 S: An account was logged off.](auditing/event-4634.md) -###### [Event 4647 S: User initiated logoff.](auditing/event-4647.md) -##### [Audit Logon](auditing/audit-logon.md) -###### [Event 4624 S: An account was successfully logged on.](auditing/event-4624.md) -###### [Event 4625 F: An account failed to log on.](auditing/event-4625.md) -###### [Event 4648 S: A logon was attempted using explicit credentials.](auditing/event-4648.md) -###### [Event 4675 S: SIDs were filtered.](auditing/event-4675.md) -##### [Audit Network Policy Server](auditing/audit-network-policy-server.md) -##### [Audit Other Logon/Logoff Events](auditing/audit-other-logonlogoff-events.md) -###### [Event 4649 S: A replay attack was detected.](auditing/event-4649.md) -###### [Event 4778 S: A session was reconnected to a Window Station.](auditing/event-4778.md) -###### [Event 4779 S: A session was disconnected from a Window Station.](auditing/event-4779.md) -###### [Event 4800 S: The workstation was locked.](auditing/event-4800.md) -###### [Event 4801 S: The workstation was unlocked.](auditing/event-4801.md) -###### [Event 4802 S: The screen saver was invoked.](auditing/event-4802.md) -###### [Event 4803 S: The screen saver was dismissed.](auditing/event-4803.md) -###### [Event 5378 F: The requested credentials delegation was disallowed by policy.](auditing/event-5378.md) -###### [Event 5632 S, F: A request was made to authenticate to a wireless network.](auditing/event-5632.md) -###### [Event 5633 S, F: A request was made to authenticate to a wired network.](auditing/event-5633.md) -##### [Audit Special Logon](auditing/audit-special-logon.md) -###### [Event 4964 S: Special groups have been assigned to a new logon.](auditing/event-4964.md) -###### [Event 4672 S: Special privileges assigned to new logon.](auditing/event-4672.md) -##### [Audit Application Generated](auditing/audit-application-generated.md) -##### [Audit Certification Services](auditing/audit-certification-services.md) -##### [Audit Detailed File Share](auditing/audit-detailed-file-share.md) -###### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](auditing/event-5145.md) -##### [Audit File Share](auditing/audit-file-share.md) -###### [Event 5140 S, F: A network share object was accessed.](auditing/event-5140.md) -###### [Event 5142 S: A network share object was added.](auditing/event-5142.md) -###### [Event 5143 S: A network share object was modified.](auditing/event-5143.md) -###### [Event 5144 S: A network share object was deleted.](auditing/event-5144.md) -###### [Event 5168 F: SPN check for SMB/SMB2 failed.](auditing/event-5168.md) -##### [Audit File System](auditing/audit-file-system.md) -###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) -###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md) -###### [Event 4660 S: An object was deleted.](auditing/event-4660.md) -###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) -###### [Event 4664 S: An attempt was made to create a hard link.](auditing/event-4664.md) -###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) -###### [Event 5051: A file was virtualized.](auditing/event-5051.md) -###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) -##### [Audit Filtering Platform Connection](auditing/audit-filtering-platform-connection.md) -###### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](auditing/event-5031.md) -###### [Event 5150: The Windows Filtering Platform blocked a packet.](auditing/event-5150.md) -###### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5151.md) -###### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](auditing/event-5154.md) -###### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](auditing/event-5155.md) -###### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](auditing/event-5156.md) -###### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](auditing/event-5157.md) -###### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](auditing/event-5158.md) -###### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](auditing/event-5159.md) -##### [Audit Filtering Platform Packet Drop](auditing/audit-filtering-platform-packet-drop.md) -###### [Event 5152 F: The Windows Filtering Platform blocked a packet.](auditing/event-5152.md) -###### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5153.md) -##### [Audit Handle Manipulation](auditing/audit-handle-manipulation.md) -###### [Event 4690 S: An attempt was made to duplicate a handle to an object.](auditing/event-4690.md) -##### [Audit Kernel Object](auditing/audit-kernel-object.md) -###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) -###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md) -###### [Event 4660 S: An object was deleted.](auditing/event-4660.md) -###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) -##### [Audit Other Object Access Events](auditing/audit-other-object-access-events.md) -###### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](auditing/event-4671.md) -###### [Event 4691 S: Indirect access to an object was requested.](auditing/event-4691.md) -###### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](auditing/event-5148.md) -###### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](auditing/event-5149.md) -###### [Event 4698 S: A scheduled task was created.](auditing/event-4698.md) -###### [Event 4699 S: A scheduled task was deleted.](auditing/event-4699.md) -###### [Event 4700 S: A scheduled task was enabled.](auditing/event-4700.md) -###### [Event 4701 S: A scheduled task was disabled.](auditing/event-4701.md) -###### [Event 4702 S: A scheduled task was updated.](auditing/event-4702.md) -###### [Event 5888 S: An object in the COM+ Catalog was modified.](auditing/event-5888.md) -###### [Event 5889 S: An object was deleted from the COM+ Catalog.](auditing/event-5889.md) -###### [Event 5890 S: An object was added to the COM+ Catalog.](auditing/event-5890.md) -##### [Audit Registry](auditing/audit-registry.md) -###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) -###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) -###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md) -###### [Event 4660 S: An object was deleted.](auditing/event-4660.md) -###### [Event 4657 S: A registry value was modified.](auditing/event-4657.md) -###### [Event 5039: A registry key was virtualized.](auditing/event-5039.md) -###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) -##### [Audit Removable Storage](auditing/audit-removable-storage.md) -##### [Audit SAM](auditing/audit-sam.md) -###### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md) -##### [Audit Central Access Policy Staging](auditing/audit-central-access-policy-staging.md) -###### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](auditing/event-4818.md) -##### [Audit Audit Policy Change](auditing/audit-audit-policy-change.md) -###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) -###### [Event 4715 S: The audit policy, SACL, on an object was changed.](auditing/event-4715.md) -###### [Event 4719 S: System audit policy was changed.](auditing/event-4719.md) -###### [Event 4817 S: Auditing settings on object were changed.](auditing/event-4817.md) -###### [Event 4902 S: The Per-user audit policy table was created.](auditing/event-4902.md) -###### [Event 4906 S: The CrashOnAuditFail value has changed.](auditing/event-4906.md) -###### [Event 4907 S: Auditing settings on object were changed.](auditing/event-4907.md) -###### [Event 4908 S: Special Groups Logon table modified.](auditing/event-4908.md) -###### [Event 4912 S: Per User Audit Policy was changed.](auditing/event-4912.md) -###### [Event 4904 S: An attempt was made to register a security event source.](auditing/event-4904.md) -###### [Event 4905 S: An attempt was made to unregister a security event source.](auditing/event-4905.md) -##### [Audit Authentication Policy Change](auditing/audit-authentication-policy-change.md) -###### [Event 4706 S: A new trust was created to a domain.](auditing/event-4706.md) -###### [Event 4707 S: A trust to a domain was removed.](auditing/event-4707.md) -###### [Event 4716 S: Trusted domain information was modified.](auditing/event-4716.md) -###### [Event 4713 S: Kerberos policy was changed.](auditing/event-4713.md) -###### [Event 4717 S: System security access was granted to an account.](auditing/event-4717.md) -###### [Event 4718 S: System security access was removed from an account.](auditing/event-4718.md) -###### [Event 4739 S: Domain Policy was changed.](auditing/event-4739.md) -###### [Event 4864 S: A namespace collision was detected.](auditing/event-4864.md) -###### [Event 4865 S: A trusted forest information entry was added.](auditing/event-4865.md) -###### [Event 4866 S: A trusted forest information entry was removed.](auditing/event-4866.md) -###### [Event 4867 S: A trusted forest information entry was modified.](auditing/event-4867.md) -##### [Audit Authorization Policy Change](auditing/audit-authorization-policy-change.md) -###### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md) -###### [Event 4704 S: A user right was assigned.](auditing/event-4704.md) -###### [Event 4705 S: A user right was removed.](auditing/event-4705.md) -###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) -###### [Event 4911 S: Resource attributes of the object were changed.](auditing/event-4911.md) -###### [Event 4913 S: Central Access Policy on the object was changed.](auditing/event-4913.md) -##### [Audit Filtering Platform Policy Change](auditing/audit-filtering-platform-policy-change.md) -##### [Audit MPSSVC Rule-Level Policy Change](auditing/audit-mpssvc-rule-level-policy-change.md) -###### [Event 4944 S: The following policy was active when the Windows Firewall started.](auditing/event-4944.md) -###### [Event 4945 S: A rule was listed when the Windows Firewall started.](auditing/event-4945.md) -###### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](auditing/event-4946.md) -###### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](auditing/event-4947.md) -###### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](auditing/event-4948.md) -###### [Event 4949 S: Windows Firewall settings were restored to the default values.](auditing/event-4949.md) -###### [Event 4950 S: A Windows Firewall setting has changed.](auditing/event-4950.md) -###### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](auditing/event-4951.md) -###### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](auditing/event-4952.md) -###### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](auditing/event-4953.md) -###### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](auditing/event-4954.md) -###### [Event 4956 S: Windows Firewall has changed the active profile.](auditing/event-4956.md) -###### [Event 4957 F: Windows Firewall did not apply the following rule.](auditing/event-4957.md) -###### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](auditing/event-4958.md) -##### [Audit Other Policy Change Events](auditing/audit-other-policy-change-events.md) -###### [Event 4714 S: Encrypted data recovery policy was changed.](auditing/event-4714.md) -###### [Event 4819 S: Central Access Policies on the machine have been changed.](auditing/event-4819.md) -###### [Event 4826 S: Boot Configuration Data loaded.](auditing/event-4826.md) -###### [Event 4909: The local policy settings for the TBS were changed.](auditing/event-4909.md) -###### [Event 4910: The group policy settings for the TBS were changed.](auditing/event-4910.md) -###### [Event 5063 S, F: A cryptographic provider operation was attempted.](auditing/event-5063.md) -###### [Event 5064 S, F: A cryptographic context operation was attempted.](auditing/event-5064.md) -###### [Event 5065 S, F: A cryptographic context modification was attempted.](auditing/event-5065.md) -###### [Event 5066 S, F: A cryptographic function operation was attempted.](auditing/event-5066.md) -###### [Event 5067 S, F: A cryptographic function modification was attempted.](auditing/event-5067.md) -###### [Event 5068 S, F: A cryptographic function provider operation was attempted.](auditing/event-5068.md) -###### [Event 5069 S, F: A cryptographic function property operation was attempted.](auditing/event-5069.md) -###### [Event 5070 S, F: A cryptographic function property modification was attempted.](auditing/event-5070.md) -###### [Event 5447 S: A Windows Filtering Platform filter has been changed.](auditing/event-5447.md) -###### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](auditing/event-6144.md) -###### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](auditing/event-6145.md) -##### [Audit Sensitive Privilege Use](auditing/audit-sensitive-privilege-use.md) -###### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md) -###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md) -###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) -##### [Audit Non Sensitive Privilege Use](auditing/audit-non-sensitive-privilege-use.md) -###### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md) -###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md) -###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) -##### [Audit Other Privilege Use Events](auditing/audit-other-privilege-use-events.md) -###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) -##### [Audit IPsec Driver](auditing/audit-ipsec-driver.md) -##### [Audit Other System Events](auditing/audit-other-system-events.md) -###### [Event 5024 S: The Windows Firewall Service has started successfully.](auditing/event-5024.md) -###### [Event 5025 S: The Windows Firewall Service has been stopped.](auditing/event-5025.md) -###### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](auditing/event-5027.md) -###### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](auditing/event-5028.md) -###### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](auditing/event-5029.md) -###### [Event 5030 F: The Windows Firewall Service failed to start.](auditing/event-5030.md) -###### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](auditing/event-5032.md) -###### [Event 5033 S: The Windows Firewall Driver has started successfully.](auditing/event-5033.md) -###### [Event 5034 S: The Windows Firewall Driver was stopped.](auditing/event-5034.md) -###### [Event 5035 F: The Windows Firewall Driver failed to start.](auditing/event-5035.md) -###### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](auditing/event-5037.md) -###### [Event 5058 S, F: Key file operation.](auditing/event-5058.md) -###### [Event 5059 S, F: Key migration operation.](auditing/event-5059.md) -###### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](auditing/event-6400.md) -###### [Event 6401: BranchCache: Received invalid data from a peer. Data discarded.](auditing/event-6401.md) -###### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](auditing/event-6402.md) -###### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](auditing/event-6403.md) -###### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](auditing/event-6404.md) -###### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](auditing/event-6405.md) -###### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](auditing/event-6406.md) -###### [Event 6407: 1%.](auditing/event-6407.md) -###### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](auditing/event-6408.md) -###### [Event 6409: BranchCache: A service connection point object could not be parsed.](auditing/event-6409.md) -##### [Audit Security State Change](auditing/audit-security-state-change.md) -###### [Event 4608 S: Windows is starting up.](auditing/event-4608.md) -###### [Event 4616 S: The system time was changed.](auditing/event-4616.md) -###### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](auditing/event-4621.md) -##### [Audit Security System Extension](auditing/audit-security-system-extension.md) -###### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](auditing/event-4610.md) -###### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](auditing/event-4611.md) -###### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](auditing/event-4614.md) -###### [Event 4622 S: A security package has been loaded by the Local Security Authority.](auditing/event-4622.md) -###### [Event 4697 S: A service was installed in the system.](auditing/event-4697.md) -##### [Audit System Integrity](auditing/audit-system-integrity.md) -###### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](auditing/event-4612.md) -###### [Event 4615 S: Invalid use of LPC port.](auditing/event-4615.md) -###### [Event 4618 S: A monitored security event pattern has occurred.](auditing/event-4618.md) -###### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](auditing/event-4816.md) -###### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](auditing/event-5038.md) -###### [Event 5056 S: A cryptographic self-test was performed.](auditing/event-5056.md) -###### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](auditing/event-5062.md) -###### [Event 5057 F: A cryptographic primitive operation failed.](auditing/event-5057.md) -###### [Event 5060 F: Verification operation failed.](auditing/event-5060.md) -###### [Event 5061 S, F: Cryptographic operation.](auditing/event-5061.md) -###### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](auditing/event-6281.md) -###### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](auditing/event-6410.md) -##### [Other Events](auditing/other-events.md) -###### [Event 1100 S: The event logging service has shut down.](auditing/event-1100.md) -###### [Event 1102 S: The audit log was cleared.](auditing/event-1102.md) -###### [Event 1104 S: The security log is now full.](auditing/event-1104.md) -###### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md) -###### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md) -##### [Appendix A: Security monitoring recommendations for many audit events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md) -##### [Registry (Global Object Access Auditing) ](auditing/registry-global-object-access-auditing.md) -##### [File System (Global Object Access Auditing) ](auditing/file-system-global-object-access-auditing.md) - -## [Security policy settings](security-policy-settings/security-policy-settings.md) -### [Administer security policy settings](security-policy-settings/administer-security-policy-settings.md) -#### [Network List Manager policies](security-policy-settings/network-list-manager-policies.md) -### [Configure security policy settings](security-policy-settings/how-to-configure-security-policy-settings.md) -### [Security policy settings reference](security-policy-settings/security-policy-settings-reference.md) -#### [Account Policies](security-policy-settings/account-policies.md) -##### [Password Policy](security-policy-settings/password-policy.md) -###### [Enforce password history](security-policy-settings/enforce-password-history.md) -###### [Maximum password age](security-policy-settings/maximum-password-age.md) -###### [Minimum password age](security-policy-settings/minimum-password-age.md) -###### [Minimum password length](security-policy-settings/minimum-password-length.md) -###### [Password must meet complexity requirements](security-policy-settings/password-must-meet-complexity-requirements.md) -###### [Store passwords using reversible encryption](security-policy-settings/store-passwords-using-reversible-encryption.md) -##### [Account Lockout Policy](security-policy-settings/account-lockout-policy.md) -###### [Account lockout duration](security-policy-settings/account-lockout-duration.md) -###### [Account lockout threshold](security-policy-settings/account-lockout-threshold.md) -###### [Reset account lockout counter after](security-policy-settings/reset-account-lockout-counter-after.md) -##### [Kerberos Policy](security-policy-settings/kerberos-policy.md) -###### [Enforce user logon restrictions](security-policy-settings/enforce-user-logon-restrictions.md) -###### [Maximum lifetime for service ticket](security-policy-settings/maximum-lifetime-for-service-ticket.md) -###### [Maximum lifetime for user ticket](security-policy-settings/maximum-lifetime-for-user-ticket.md) -###### [Maximum lifetime for user ticket renewal](security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md) -###### [Maximum tolerance for computer clock synchronization](security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md) -#### [Audit Policy](security-policy-settings/audit-policy.md) -#### [Security Options](security-policy-settings/security-options.md) -##### [Accounts: Administrator account status](security-policy-settings/accounts-administrator-account-status.md) -##### [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md) -##### [Accounts: Guest account status](security-policy-settings/accounts-guest-account-status.md) -##### [Accounts: Limit local account use of blank passwords to console logon only](security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md) -##### [Accounts: Rename administrator account](security-policy-settings/accounts-rename-administrator-account.md) -##### [Accounts: Rename guest account](security-policy-settings/accounts-rename-guest-account.md) -##### [Audit: Audit the access of global system objects](security-policy-settings/audit-audit-the-access-of-global-system-objects.md) -##### [Audit: Audit the use of Backup and Restore privilege](security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md) -##### [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md) -##### [Audit: Shut down system immediately if unable to log security audits](security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md) -##### [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) -##### [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) -##### [Devices: Allow undock without having to log on](security-policy-settings/devices-allow-undock-without-having-to-log-on.md) -##### [Devices: Allowed to format and eject removable media](security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md) -##### [Devices: Prevent users from installing printer drivers](security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md) -##### [Devices: Restrict CD-ROM access to locally logged-on user only](security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md) -##### [Devices: Restrict floppy access to locally logged-on user only](security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md) -##### [Domain controller: Allow server operators to schedule tasks](security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md) -##### [Domain controller: LDAP server signing requirements](security-policy-settings/domain-controller-ldap-server-signing-requirements.md) -##### [Domain controller: Refuse machine account password changes](security-policy-settings/domain-controller-refuse-machine-account-password-changes.md) -##### [Domain member: Digitally encrypt or sign secure channel data (always)](security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) -##### [Domain member: Digitally encrypt secure channel data (when possible)](security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md) -##### [Domain member: Digitally sign secure channel data (when possible)](security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md) -##### [Domain member: Disable machine account password changes](security-policy-settings/domain-member-disable-machine-account-password-changes.md) -##### [Domain member: Maximum machine account password age](security-policy-settings/domain-member-maximum-machine-account-password-age.md) -##### [Domain member: Require strong (Windows 2000 or later) session key](security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md) -##### [Interactive logon: Display user information when the session is locked](security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md) -##### [Interactive logon: Don't display last signed-in](security-policy-settings/interactive-logon-do-not-display-last-user-name.md) -##### [Interactive logon: Don't display username at sign-in](security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md) -##### [Interactive logon: Do not require CTRL+ALT+DEL](security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md) -##### [Interactive logon: Machine account lockout threshold](security-policy-settings/interactive-logon-machine-account-lockout-threshold.md) -##### [Interactive logon: Machine inactivity limit](security-policy-settings/interactive-logon-machine-inactivity-limit.md) -##### [Interactive logon: Message text for users attempting to log on](security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md) -##### [Interactive logon: Message title for users attempting to log on](security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md) -##### [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) -##### [Interactive logon: Prompt user to change password before expiration](security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md) -##### [Interactive logon: Require Domain Controller authentication to unlock workstation](security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) -##### [Interactive logon: Require smart card](security-policy-settings/interactive-logon-require-smart-card.md) -##### [Interactive logon: Smart card removal behavior](security-policy-settings/interactive-logon-smart-card-removal-behavior.md) -##### [Microsoft network client: Digitally sign communications (always)](security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md) -##### [SMBv1 Microsoft network client: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md) -##### [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md) -##### [Microsoft network client: Send unencrypted password to third-party SMB servers](security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md) -##### [Microsoft network server: Amount of idle time required before suspending session](security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md) -##### [Microsoft network server: Attempt S4U2Self to obtain claim information](security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md) -##### [Microsoft network server: Digitally sign communications (always)](security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md) -##### [SMBv1 Microsoft network server: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md) -##### [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md) -##### [Microsoft network server: Disconnect clients when logon hours expire](security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md) -##### [Microsoft network server: Server SPN target name validation level](security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md) -##### [Network access: Allow anonymous SID/Name translation](security-policy-settings/network-access-allow-anonymous-sidname-translation.md) -##### [Network access: Do not allow anonymous enumeration of SAM accounts](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md) -##### [Network access: Do not allow anonymous enumeration of SAM accounts and shares](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md) -##### [Network access: Do not allow storage of passwords and credentials for network authentication](security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md) -##### [Network access: Let Everyone permissions apply to anonymous users](security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md) -##### [Network access: Named Pipes that can be accessed anonymously](security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md) -##### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md) -##### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md) -##### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md) -##### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md) -##### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md) -##### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md) -##### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) -##### [Network security: Allow LocalSystem NULL session fallback](security-policy-settings/network-security-allow-localsystem-null-session-fallback.md) -##### [Network security: Allow PKU2U authentication requests to this computer to use online identities](security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md) -##### [Network security: Configure encryption types allowed for Kerberos Win7 only](security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md) -##### [Network security: Do not store LAN Manager hash value on next password change](security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md) -##### [Network security: Force logoff when logon hours expire](security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md) -##### [Network security: LAN Manager authentication level](security-policy-settings/network-security-lan-manager-authentication-level.md) -##### [Network security: LDAP client signing requirements](security-policy-settings/network-security-ldap-client-signing-requirements.md) -##### [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md) -##### [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md) -##### [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) -##### [Network security: Restrict NTLM: Add server exceptions in this domain](security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md) -##### [Network security: Restrict NTLM: Audit incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md) -##### [Network security: Restrict NTLM: Audit NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md) -##### [Network security: Restrict NTLM: Incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md) -##### [Network security: Restrict NTLM: NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) -##### [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) -##### [Recovery console: Allow automatic administrative logon](security-policy-settings/recovery-console-allow-automatic-administrative-logon.md) -##### [Recovery console: Allow floppy copy and access to all drives and folders](security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md) -##### [Shutdown: Allow system to be shut down without having to log on](security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md) -##### [Shutdown: Clear virtual memory pagefile](security-policy-settings/shutdown-clear-virtual-memory-pagefile.md) -##### [System cryptography: Force strong key protection for user keys stored on the computer](security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md) -##### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md) -##### [System objects: Require case insensitivity for non-Windows subsystems](security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md) -##### [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md) -##### [System settings: Optional subsystems](security-policy-settings/system-settings-optional-subsystems.md) -##### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md) -##### [User Account Control: Admin Approval Mode for the Built-in Administrator account](security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md) -##### [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md) -##### [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md) -##### [User Account Control: Behavior of the elevation prompt for standard users](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md) -##### [User Account Control: Detect application installations and prompt for elevation](security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md) -##### [User Account Control: Only elevate executables that are signed and validated](security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md) -##### [User Account Control: Only elevate UIAccess applications that are installed in secure locations](security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md) -##### [User Account Control: Run all administrators in Admin Approval Mode](security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md) -##### [User Account Control: Switch to the secure desktop when prompting for elevation](security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md) -##### [User Account Control: Virtualize file and registry write failures to per-user locations](security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md) -#### [Advanced security audit policy settings](security-policy-settings/secpol-advanced-security-audit-policy-settings.md) -#### [User Rights Assignment](security-policy-settings/user-rights-assignment.md) -##### [Access Credential Manager as a trusted caller](security-policy-settings/access-credential-manager-as-a-trusted-caller.md) -##### [Access this computer from the network](security-policy-settings/access-this-computer-from-the-network.md) -##### [Act as part of the operating system](security-policy-settings/act-as-part-of-the-operating-system.md) -##### [Add workstations to domain](security-policy-settings/add-workstations-to-domain.md) -##### [Adjust memory quotas for a process](security-policy-settings/adjust-memory-quotas-for-a-process.md) -##### [Allow log on locally](security-policy-settings/allow-log-on-locally.md) -##### [Allow log on through Remote Desktop Services](security-policy-settings/allow-log-on-through-remote-desktop-services.md) -##### [Back up files and directories](security-policy-settings/back-up-files-and-directories.md) -##### [Bypass traverse checking](security-policy-settings/bypass-traverse-checking.md) -##### [Change the system time](security-policy-settings/change-the-system-time.md) -##### [Change the time zone](security-policy-settings/change-the-time-zone.md) -##### [Create a pagefile](security-policy-settings/create-a-pagefile.md) -##### [Create a token object](security-policy-settings/create-a-token-object.md) -##### [Create global objects](security-policy-settings/create-global-objects.md) -##### [Create permanent shared objects](security-policy-settings/create-permanent-shared-objects.md) -##### [Create symbolic links](security-policy-settings/create-symbolic-links.md) -##### [Debug programs](security-policy-settings/debug-programs.md) -##### [Deny access to this computer from the network](security-policy-settings/deny-access-to-this-computer-from-the-network.md) -##### [Deny log on as a batch job](security-policy-settings/deny-log-on-as-a-batch-job.md) -##### [Deny log on as a service](security-policy-settings/deny-log-on-as-a-service.md) -##### [Deny log on locally](security-policy-settings/deny-log-on-locally.md) -##### [Deny log on through Remote Desktop Services](security-policy-settings/deny-log-on-through-remote-desktop-services.md) -##### [Enable computer and user accounts to be trusted for delegation](security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md) -##### [Force shutdown from a remote system](security-policy-settings/force-shutdown-from-a-remote-system.md) -##### [Generate security audits](security-policy-settings/generate-security-audits.md) -##### [Impersonate a client after authentication](security-policy-settings/impersonate-a-client-after-authentication.md) -##### [Increase a process working set](security-policy-settings/increase-a-process-working-set.md) -##### [Increase scheduling priority](security-policy-settings/increase-scheduling-priority.md) -##### [Load and unload device drivers](security-policy-settings/load-and-unload-device-drivers.md) -##### [Lock pages in memory](security-policy-settings/lock-pages-in-memory.md) -##### [Log on as a batch job](security-policy-settings/log-on-as-a-batch-job.md) -##### [Log on as a service](security-policy-settings/log-on-as-a-service.md) -##### [Manage auditing and security log](security-policy-settings/manage-auditing-and-security-log.md) -##### [Modify an object label](security-policy-settings/modify-an-object-label.md) -##### [Modify firmware environment values](security-policy-settings/modify-firmware-environment-values.md) -##### [Perform volume maintenance tasks](security-policy-settings/perform-volume-maintenance-tasks.md) -##### [Profile single process](security-policy-settings/profile-single-process.md) -##### [Profile system performance](security-policy-settings/profile-system-performance.md) -##### [Remove computer from docking station](security-policy-settings/remove-computer-from-docking-station.md) -##### [Replace a process level token](security-policy-settings/replace-a-process-level-token.md) -##### [Restore files and directories](security-policy-settings/restore-files-and-directories.md) -##### [Shut down the system](security-policy-settings/shut-down-the-system.md) -##### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md) -##### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md) -## [Windows security baselines](windows-security-baselines.md) +### [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md) + + + + + + +### [Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md) +#### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md) +#### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md) +#### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md) +#### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md) +#### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md) + + +## Other security features +### [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md) +#### [Customize the Windows Security app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md) +#### [Hide Windows Security app notifications](windows-defender-security-center/wdsc-hide-notifications.md) +#### [Manage Windows Security app in Windows 10 in S mode](windows-defender-security-center\wdsc-windows-10-in-s-mode.md) +#### [Virus and threat protection](windows-defender-security-center/wdsc-virus-threat-protection.md) +#### [Account protection](windows-defender-security-center\wdsc-account-protection.md) +#### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md) +#### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md) +#### [Device security](windows-defender-security-center\wdsc-device-security.md) +#### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md) +#### [Family options](windows-defender-security-center\wdsc-family-options.md) + + +### [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) +#### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md) +#### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md) + + +### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) + + +### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) + +### [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) + +### [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) + +### [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md) + +### [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) + +### [Security auditing](auditing/security-auditing-overview.md) + +#### [Basic security audit policies](auditing/basic-security-audit-policies.md) +##### [Create a basic audit policy for an event category](auditing/create-a-basic-audit-policy-settings-for-an-event-category.md) +##### [Apply a basic audit policy on a file or folder](auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md) +##### [View the security event log](auditing/view-the-security-event-log.md) + +##### [Basic security audit policy settings](auditing/basic-security-audit-policy-settings.md) +###### [Audit account logon events](auditing/basic-audit-account-logon-events.md) +###### [Audit account management](auditing/basic-audit-account-management.md) +###### [Audit directory service access](auditing/basic-audit-directory-service-access.md) +###### [Audit logon events](auditing/basic-audit-logon-events.md) +###### [Audit object access](auditing/basic-audit-object-access.md) +###### [Audit policy change](auditing/basic-audit-policy-change.md) +###### [Audit privilege use](auditing/basic-audit-privilege-use.md) +###### [Audit process tracking](auditing/basic-audit-process-tracking.md) +###### [Audit system events](auditing/basic-audit-system-events.md) + +##### [Advanced security audit policies](auditing/advanced-security-auditing.md) +###### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md) +###### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md) +####### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md) + +###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) +####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md) +####### [Monitor the use of removable storage devices](auditing/monitor-the-use-of-removable-storage-devices.md) +####### [Monitor resource attribute definitions](auditing/monitor-resource-attribute-definitions.md) +####### [Monitor central access policy and rule definitions](auditing/monitor-central-access-policy-and-rule-definitions.md) +####### [Monitor user and device claims during sign-in](auditing/monitor-user-and-device-claims-during-sign-in.md) +####### [Monitor the resource attributes on files and folders](auditing/monitor-the-resource-attributes-on-files-and-folders.md) +####### [Monitor the central access policies associated with files and folders](auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md) +####### [Monitor claim types](auditing/monitor-claim-types.md) + +###### [Advanced security audit policy settings](auditing/advanced-security-audit-policy-settings.md) +####### [Audit Credential Validation](auditing/audit-credential-validation.md) +####### [Event 4774 S, F: An account was mapped for logon.](auditing/event-4774.md) +####### [Event 4775 F: An account could not be mapped for logon.](auditing/event-4775.md) +####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](auditing/event-4776.md) +####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](auditing/event-4777.md) +###### [Audit Kerberos Authentication Service](auditing/audit-kerberos-authentication-service.md) +####### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](auditing/event-4768.md) +####### [Event 4771 F: Kerberos pre-authentication failed.](auditing/event-4771.md) +####### [Event 4772 F: A Kerberos authentication ticket request failed.](auditing/event-4772.md) +###### [Audit Kerberos Service Ticket Operations](auditing/audit-kerberos-service-ticket-operations.md) +####### [Event 4769 S, F: A Kerberos service ticket was requested.](auditing/event-4769.md) +####### [Event 4770 S: A Kerberos service ticket was renewed.](auditing/event-4770.md) +####### [Event 4773 F: A Kerberos service ticket request failed.](auditing/event-4773.md) +###### [Audit Other Account Logon Events](auditing/audit-other-account-logon-events.md) +###### [Audit Application Group Management](auditing/audit-application-group-management.md) +###### [Audit Computer Account Management](auditing/audit-computer-account-management.md) +####### [Event 4741 S: A computer account was created.](auditing/event-4741.md) +####### [Event 4742 S: A computer account was changed.](auditing/event-4742.md) +####### [Event 4743 S: A computer account was deleted.](auditing/event-4743.md) +###### [Audit Distribution Group Management](auditing/audit-distribution-group-management.md) +####### [Event 4749 S: A security-disabled global group was created.](auditing/event-4749.md) +####### [Event 4750 S: A security-disabled global group was changed.](auditing/event-4750.md) +####### [Event 4751 S: A member was added to a security-disabled global group.](auditing/event-4751.md) +####### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md) +####### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md) +###### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md) +####### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md) +####### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md) +###### [Audit Security Group Management](auditing/audit-security-group-management.md) +####### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md) +####### [Event 4732 S: A member was added to a security-enabled local group.](auditing/event-4732.md) +####### [Event 4733 S: A member was removed from a security-enabled local group.](auditing/event-4733.md) +####### [Event 4734 S: A security-enabled local group was deleted.](auditing/event-4734.md) +####### [Event 4735 S: A security-enabled local group was changed.](auditing/event-4735.md) +####### [Event 4764 S: A group’s type was changed.](auditing/event-4764.md) +####### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing/event-4799.md) +###### [Audit User Account Management](auditing/audit-user-account-management.md) +####### [Event 4720 S: A user account was created.](auditing/event-4720.md) +####### [Event 4722 S: A user account was enabled.](auditing/event-4722.md) +####### [Event 4723 S, F: An attempt was made to change an account's password.](auditing/event-4723.md) +####### [Event 4724 S, F: An attempt was made to reset an account's password.](auditing/event-4724.md) +####### [Event 4725 S: A user account was disabled.](auditing/event-4725.md) +####### [Event 4726 S: A user account was deleted.](auditing/event-4726.md) +####### [Event 4738 S: A user account was changed.](auditing/event-4738.md) +####### [Event 4740 S: A user account was locked out.](auditing/event-4740.md) +####### [Event 4765 S: SID History was added to an account.](auditing/event-4765.md) +####### [Event 4766 F: An attempt to add SID History to an account failed.](auditing/event-4766.md) +####### [Event 4767 S: A user account was unlocked.](auditing/event-4767.md) +####### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](auditing/event-4780.md) +####### [Event 4781 S: The name of an account was changed.](auditing/event-4781.md) +####### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing/event-4794.md) +####### [Event 4798 S: A user's local group membership was enumerated.](auditing/event-4798.md) +####### [Event 5376 S: Credential Manager credentials were backed up.](auditing/event-5376.md) +####### [Event 5377 S: Credential Manager credentials were restored from a backup.](auditing/event-5377.md) +###### [Audit DPAPI Activity](auditing/audit-dpapi-activity.md) +####### [Event 4692 S, F: Backup of data protection master key was attempted.](auditing/event-4692.md) +####### [Event 4693 S, F: Recovery of data protection master key was attempted.](auditing/event-4693.md) +####### [Event 4694 S, F: Protection of auditable protected data was attempted.](auditing/event-4694.md) +####### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](auditing/event-4695.md) +###### [Audit PNP Activity](auditing/audit-pnp-activity.md) +####### [Event 6416 S: A new external device was recognized by the System.](auditing/event-6416.md) +####### [Event 6419 S: A request was made to disable a device.](auditing/event-6419.md) +####### [Event 6420 S: A device was disabled.](auditing/event-6420.md) +####### [Event 6421 S: A request was made to enable a device.](auditing/event-6421.md) +####### [Event 6422 S: A device was enabled.](auditing/event-6422.md) +####### [Event 6423 S: The installation of this device is forbidden by system policy.](auditing/event-6423.md) +####### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](auditing/event-6424.md) +###### [Audit Process Creation](auditing/audit-process-creation.md) +####### [Event 4688 S: A new process has been created.](auditing/event-4688.md) +####### [Event 4696 S: A primary token was assigned to process.](auditing/event-4696.md) +###### [Audit Process Termination](auditing/audit-process-termination.md) +####### [Event 4689 S: A process has exited.](auditing/event-4689.md) +###### [Audit RPC Events](auditing/audit-rpc-events.md) +####### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md) +###### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md) +####### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md) +####### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing/event-4929.md) +####### [Event 4930 S, F: An Active Directory replica source naming context was modified.](auditing/event-4930.md) +####### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](auditing/event-4931.md) +####### [Event 4934 S: Attributes of an Active Directory object were replicated.](auditing/event-4934.md) +####### [Event 4935 F: Replication failure begins.](auditing/event-4935.md) +####### [Event 4936 S: Replication failure ends.](auditing/event-4936.md) +####### [Event 4937 S: A lingering object was removed from a replica.](auditing/event-4937.md) +###### [Audit Directory Service Access](auditing/audit-directory-service-access.md) +####### [Event 4662 S, F: An operation was performed on an object.](auditing/event-4662.md) +####### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md) +###### [Audit Directory Service Changes](auditing/audit-directory-service-changes.md) +####### [Event 5136 S: A directory service object was modified.](auditing/event-5136.md) +####### [Event 5137 S: A directory service object was created.](auditing/event-5137.md) +####### [Event 5138 S: A directory service object was undeleted.](auditing/event-5138.md) +####### [Event 5139 S: A directory service object was moved.](auditing/event-5139.md) +####### [Event 5141 S: A directory service object was deleted.](auditing/event-5141.md) +###### [Audit Directory Service Replication](auditing/audit-directory-service-replication.md) +####### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](auditing/event-4932.md) +####### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](auditing/event-4933.md) +###### [Audit Account Lockout](auditing/audit-account-lockout.md) +####### [Event 4625 F: An account failed to log on.](auditing/event-4625.md) +###### [Audit User/Device Claims](auditing/audit-user-device-claims.md) +####### [Event 4626 S: User/Device claims information.](auditing/event-4626.md) +###### [Audit Group Membership](auditing/audit-group-membership.md) +####### [Event 4627 S: Group membership information.](auditing/event-4627.md) +###### [Audit IPsec Extended Mode](auditing/audit-ipsec-extended-mode.md) +###### [Audit IPsec Main Mode](auditing/audit-ipsec-main-mode.md) +###### [Audit IPsec Quick Mode](auditing/audit-ipsec-quick-mode.md) +###### [Audit Logoff](auditing/audit-logoff.md) +####### [Event 4634 S: An account was logged off.](auditing/event-4634.md) +####### [Event 4647 S: User initiated logoff.](auditing/event-4647.md) +###### [Audit Logon](auditing/audit-logon.md) +####### [Event 4624 S: An account was successfully logged on.](auditing/event-4624.md) +####### [Event 4625 F: An account failed to log on.](auditing/event-4625.md) +####### [Event 4648 S: A logon was attempted using explicit credentials.](auditing/event-4648.md) +####### [Event 4675 S: SIDs were filtered.](auditing/event-4675.md) +###### [Audit Network Policy Server](auditing/audit-network-policy-server.md) +###### [Audit Other Logon/Logoff Events](auditing/audit-other-logonlogoff-events.md) +####### [Event 4649 S: A replay attack was detected.](auditing/event-4649.md) +####### [Event 4778 S: A session was reconnected to a Window Station.](auditing/event-4778.md) +####### [Event 4779 S: A session was disconnected from a Window Station.](auditing/event-4779.md) +####### [Event 4800 S: The workstation was locked.](auditing/event-4800.md) +####### [Event 4801 S: The workstation was unlocked.](auditing/event-4801.md) +####### [Event 4802 S: The screen saver was invoked.](auditing/event-4802.md) +####### [Event 4803 S: The screen saver was dismissed.](auditing/event-4803.md) +####### [Event 5378 F: The requested credentials delegation was disallowed by policy.](auditing/event-5378.md) +####### [Event 5632 S, F: A request was made to authenticate to a wireless network.](auditing/event-5632.md) +####### [Event 5633 S, F: A request was made to authenticate to a wired network.](auditing/event-5633.md) +###### [Audit Special Logon](auditing/audit-special-logon.md) +####### [Event 4964 S: Special groups have been assigned to a new logon.](auditing/event-4964.md) +####### [Event 4672 S: Special privileges assigned to new logon.](auditing/event-4672.md) +###### [Audit Application Generated](auditing/audit-application-generated.md) +###### [Audit Certification Services](auditing/audit-certification-services.md) +###### [Audit Detailed File Share](auditing/audit-detailed-file-share.md) +####### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](auditing/event-5145.md) +###### [Audit File Share](auditing/audit-file-share.md) +####### [Event 5140 S, F: A network share object was accessed.](auditing/event-5140.md) +####### [Event 5142 S: A network share object was added.](auditing/event-5142.md) +####### [Event 5143 S: A network share object was modified.](auditing/event-5143.md) +####### [Event 5144 S: A network share object was deleted.](auditing/event-5144.md) +####### [Event 5168 F: SPN check for SMB/SMB2 failed.](auditing/event-5168.md) +###### [Audit File System](auditing/audit-file-system.md) +####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) +####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md) +####### [Event 4660 S: An object was deleted.](auditing/event-4660.md) +####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) +####### [Event 4664 S: An attempt was made to create a hard link.](auditing/event-4664.md) +####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) +####### [Event 5051: A file was virtualized.](auditing/event-5051.md) +####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) +###### [Audit Filtering Platform Connection](auditing/audit-filtering-platform-connection.md) +####### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](auditing/event-5031.md) +####### [Event 5150: The Windows Filtering Platform blocked a packet.](auditing/event-5150.md) +####### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5151.md) +####### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](auditing/event-5154.md) +####### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](auditing/event-5155.md) +####### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](auditing/event-5156.md) +####### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](auditing/event-5157.md) +####### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](auditing/event-5158.md) +####### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](auditing/event-5159.md) +###### [Audit Filtering Platform Packet Drop](auditing/audit-filtering-platform-packet-drop.md) +####### [Event 5152 F: The Windows Filtering Platform blocked a packet.](auditing/event-5152.md) +####### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5153.md) +###### [Audit Handle Manipulation](auditing/audit-handle-manipulation.md) +####### [Event 4690 S: An attempt was made to duplicate a handle to an object.](auditing/event-4690.md) +###### [Audit Kernel Object](auditing/audit-kernel-object.md) +####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) +####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md) +####### [Event 4660 S: An object was deleted.](auditing/event-4660.md) +####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) +###### [Audit Other Object Access Events](auditing/audit-other-object-access-events.md) +####### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](auditing/event-4671.md) +####### [Event 4691 S: Indirect access to an object was requested.](auditing/event-4691.md) +####### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](auditing/event-5148.md) +####### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](auditing/event-5149.md) +####### [Event 4698 S: A scheduled task was created.](auditing/event-4698.md) +####### [Event 4699 S: A scheduled task was deleted.](auditing/event-4699.md) +####### [Event 4700 S: A scheduled task was enabled.](auditing/event-4700.md) +####### [Event 4701 S: A scheduled task was disabled.](auditing/event-4701.md) +####### [Event 4702 S: A scheduled task was updated.](auditing/event-4702.md) +####### [Event 5888 S: An object in the COM+ Catalog was modified.](auditing/event-5888.md) +####### [Event 5889 S: An object was deleted from the COM+ Catalog.](auditing/event-5889.md) +####### [Event 5890 S: An object was added to the COM+ Catalog.](auditing/event-5890.md) +###### [Audit Registry](auditing/audit-registry.md) +####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) +####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) +####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md) +####### [Event 4660 S: An object was deleted.](auditing/event-4660.md) +####### [Event 4657 S: A registry value was modified.](auditing/event-4657.md) +####### [Event 5039: A registry key was virtualized.](auditing/event-5039.md) +####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) +###### [Audit Removable Storage](auditing/audit-removable-storage.md) +###### [Audit SAM](auditing/audit-sam.md) +####### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md) +###### [Audit Central Access Policy Staging](auditing/audit-central-access-policy-staging.md) +####### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](auditing/event-4818.md) +###### [Audit Audit Policy Change](auditing/audit-audit-policy-change.md) +####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) +####### [Event 4715 S: The audit policy, SACL, on an object was changed.](auditing/event-4715.md) +####### [Event 4719 S: System audit policy was changed.](auditing/event-4719.md) +####### [Event 4817 S: Auditing settings on object were changed.](auditing/event-4817.md) +####### [Event 4902 S: The Per-user audit policy table was created.](auditing/event-4902.md) +####### [Event 4906 S: The CrashOnAuditFail value has changed.](auditing/event-4906.md) +####### [Event 4907 S: Auditing settings on object were changed.](auditing/event-4907.md) +####### [Event 4908 S: Special Groups Logon table modified.](auditing/event-4908.md) +####### [Event 4912 S: Per User Audit Policy was changed.](auditing/event-4912.md) +####### [Event 4904 S: An attempt was made to register a security event source.](auditing/event-4904.md) +####### [Event 4905 S: An attempt was made to unregister a security event source.](auditing/event-4905.md) +###### [Audit Authentication Policy Change](auditing/audit-authentication-policy-change.md) +####### [Event 4706 S: A new trust was created to a domain.](auditing/event-4706.md) +####### [Event 4707 S: A trust to a domain was removed.](auditing/event-4707.md) +####### [Event 4716 S: Trusted domain information was modified.](auditing/event-4716.md) +####### [Event 4713 S: Kerberos policy was changed.](auditing/event-4713.md) +####### [Event 4717 S: System security access was granted to an account.](auditing/event-4717.md) +####### [Event 4718 S: System security access was removed from an account.](auditing/event-4718.md) +####### [Event 4739 S: Domain Policy was changed.](auditing/event-4739.md) +####### [Event 4864 S: A namespace collision was detected.](auditing/event-4864.md) +####### [Event 4865 S: A trusted forest information entry was added.](auditing/event-4865.md) +####### [Event 4866 S: A trusted forest information entry was removed.](auditing/event-4866.md) +####### [Event 4867 S: A trusted forest information entry was modified.](auditing/event-4867.md) +###### [Audit Authorization Policy Change](auditing/audit-authorization-policy-change.md) +####### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md) +####### [Event 4704 S: A user right was assigned.](auditing/event-4704.md) +####### [Event 4705 S: A user right was removed.](auditing/event-4705.md) +####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) +####### [Event 4911 S: Resource attributes of the object were changed.](auditing/event-4911.md) +####### [Event 4913 S: Central Access Policy on the object was changed.](auditing/event-4913.md) +###### [Audit Filtering Platform Policy Change](auditing/audit-filtering-platform-policy-change.md) +###### [Audit MPSSVC Rule-Level Policy Change](auditing/audit-mpssvc-rule-level-policy-change.md) +####### [Event 4944 S: The following policy was active when the Windows Firewall started.](auditing/event-4944.md) +####### [Event 4945 S: A rule was listed when the Windows Firewall started.](auditing/event-4945.md) +####### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](auditing/event-4946.md) +####### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](auditing/event-4947.md) +####### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](auditing/event-4948.md) +####### [Event 4949 S: Windows Firewall settings were restored to the default values.](auditing/event-4949.md) +####### [Event 4950 S: A Windows Firewall setting has changed.](auditing/event-4950.md) +####### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](auditing/event-4951.md) +####### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](auditing/event-4952.md) +####### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](auditing/event-4953.md) +####### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](auditing/event-4954.md) +####### [Event 4956 S: Windows Firewall has changed the active profile.](auditing/event-4956.md) +####### [Event 4957 F: Windows Firewall did not apply the following rule.](auditing/event-4957.md) +####### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](auditing/event-4958.md) +###### [Audit Other Policy Change Events](auditing/audit-other-policy-change-events.md) +####### [Event 4714 S: Encrypted data recovery policy was changed.](auditing/event-4714.md) +####### [Event 4819 S: Central Access Policies on the machine have been changed.](auditing/event-4819.md) +####### [Event 4826 S: Boot Configuration Data loaded.](auditing/event-4826.md) +####### [Event 4909: The local policy settings for the TBS were changed.](auditing/event-4909.md) +####### [Event 4910: The group policy settings for the TBS were changed.](auditing/event-4910.md) +####### [Event 5063 S, F: A cryptographic provider operation was attempted.](auditing/event-5063.md) +####### [Event 5064 S, F: A cryptographic context operation was attempted.](auditing/event-5064.md) +####### [Event 5065 S, F: A cryptographic context modification was attempted.](auditing/event-5065.md) +####### [Event 5066 S, F: A cryptographic function operation was attempted.](auditing/event-5066.md) +####### [Event 5067 S, F: A cryptographic function modification was attempted.](auditing/event-5067.md) +####### [Event 5068 S, F: A cryptographic function provider operation was attempted.](auditing/event-5068.md) +####### [Event 5069 S, F: A cryptographic function property operation was attempted.](auditing/event-5069.md) +####### [Event 5070 S, F: A cryptographic function property modification was attempted.](auditing/event-5070.md) +####### [Event 5447 S: A Windows Filtering Platform filter has been changed.](auditing/event-5447.md) +####### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](auditing/event-6144.md) +####### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](auditing/event-6145.md) +###### [Audit Sensitive Privilege Use](auditing/audit-sensitive-privilege-use.md) +####### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md) +####### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md) +####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) +###### [Audit Non Sensitive Privilege Use](auditing/audit-non-sensitive-privilege-use.md) +####### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md) +####### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md) +####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) +###### [Audit Other Privilege Use Events](auditing/audit-other-privilege-use-events.md) +####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) +###### [Audit IPsec Driver](auditing/audit-ipsec-driver.md) +###### [Audit Other System Events](auditing/audit-other-system-events.md) +####### [Event 5024 S: The Windows Firewall Service has started successfully.](auditing/event-5024.md) +####### [Event 5025 S: The Windows Firewall Service has been stopped.](auditing/event-5025.md) +####### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](auditing/event-5027.md) +####### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](auditing/event-5028.md) +####### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](auditing/event-5029.md) +####### [Event 5030 F: The Windows Firewall Service failed to start.](auditing/event-5030.md) +####### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](auditing/event-5032.md) +####### [Event 5033 S: The Windows Firewall Driver has started successfully.](auditing/event-5033.md) +####### [Event 5034 S: The Windows Firewall Driver was stopped.](auditing/event-5034.md) +####### [Event 5035 F: The Windows Firewall Driver failed to start.](auditing/event-5035.md) +####### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](auditing/event-5037.md) +####### [Event 5058 S, F: Key file operation.](auditing/event-5058.md) +####### [Event 5059 S, F: Key migration operation.](auditing/event-5059.md) +####### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](auditing/event-6400.md) +####### [Event 6401: BranchCache: Received invalid data from a peer. Data discarded.](auditing/event-6401.md) +####### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](auditing/event-6402.md) +####### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](auditing/event-6403.md) +####### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](auditing/event-6404.md) +####### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](auditing/event-6405.md) +####### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](auditing/event-6406.md) +####### [Event 6407: 1%.](auditing/event-6407.md) +####### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](auditing/event-6408.md) +####### [Event 6409: BranchCache: A service connection point object could not be parsed.](auditing/event-6409.md) +###### [Audit Security State Change](auditing/audit-security-state-change.md) +####### [Event 4608 S: Windows is starting up.](auditing/event-4608.md) +####### [Event 4616 S: The system time was changed.](auditing/event-4616.md) +####### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](auditing/event-4621.md) +###### [Audit Security System Extension](auditing/audit-security-system-extension.md) +####### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](auditing/event-4610.md) +####### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](auditing/event-4611.md) +####### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](auditing/event-4614.md) +####### [Event 4622 S: A security package has been loaded by the Local Security Authority.](auditing/event-4622.md) +####### [Event 4697 S: A service was installed in the system.](auditing/event-4697.md) +###### [Audit System Integrity](auditing/audit-system-integrity.md) +####### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](auditing/event-4612.md) +####### [Event 4615 S: Invalid use of LPC port.](auditing/event-4615.md) +####### [Event 4618 S: A monitored security event pattern has occurred.](auditing/event-4618.md) +####### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](auditing/event-4816.md) +####### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](auditing/event-5038.md) +####### [Event 5056 S: A cryptographic self-test was performed.](auditing/event-5056.md) +####### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](auditing/event-5062.md) +####### [Event 5057 F: A cryptographic primitive operation failed.](auditing/event-5057.md) +####### [Event 5060 F: Verification operation failed.](auditing/event-5060.md) +####### [Event 5061 S, F: Cryptographic operation.](auditing/event-5061.md) +####### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](auditing/event-6281.md) +####### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](auditing/event-6410.md) +###### [Other Events](auditing/other-events.md) +####### [Event 1100 S: The event logging service has shut down.](auditing/event-1100.md) +####### [Event 1102 S: The audit log was cleared.](auditing/event-1102.md) +####### [Event 1104 S: The security log is now full.](auditing/event-1104.md) +####### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md) +####### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md) +###### [Appendix A: Security monitoring recommendations for many audit events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md) +###### [Registry (Global Object Access Auditing) ](auditing/registry-global-object-access-auditing.md) +###### [File System (Global Object Access Auditing) ](auditing/file-system-global-object-access-auditing.md) + + + + + +#### [Security policy settings](security-policy-settings/security-policy-settings.md) +#### [Administer security policy settings](security-policy-settings/administer-security-policy-settings.md) +##### [Network List Manager policies](security-policy-settings/network-list-manager-policies.md) +#### [Configure security policy settings](security-policy-settings/how-to-configure-security-policy-settings.md) +#### [Security policy settings reference](security-policy-settings/security-policy-settings-reference.md) +##### [Account Policies](security-policy-settings/account-policies.md) +###### [Password Policy](security-policy-settings/password-policy.md) +####### [Enforce password history](security-policy-settings/enforce-password-history.md) +####### [Maximum password age](security-policy-settings/maximum-password-age.md) +####### [Minimum password age](security-policy-settings/minimum-password-age.md) +####### [Minimum password length](security-policy-settings/minimum-password-length.md) +####### [Password must meet complexity requirements](security-policy-settings/password-must-meet-complexity-requirements.md) +####### [Store passwords using reversible encryption](security-policy-settings/store-passwords-using-reversible-encryption.md) +###### [Account Lockout Policy](security-policy-settings/account-lockout-policy.md) +####### [Account lockout duration](security-policy-settings/account-lockout-duration.md) +####### [Account lockout threshold](security-policy-settings/account-lockout-threshold.md) +####### [Reset account lockout counter after](security-policy-settings/reset-account-lockout-counter-after.md) +###### [Kerberos Policy](security-policy-settings/kerberos-policy.md) +####### [Enforce user logon restrictions](security-policy-settings/enforce-user-logon-restrictions.md) +####### [Maximum lifetime for service ticket](security-policy-settings/maximum-lifetime-for-service-ticket.md) +####### [Maximum lifetime for user ticket](security-policy-settings/maximum-lifetime-for-user-ticket.md) +####### [Maximum lifetime for user ticket renewal](security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md) +####### [Maximum tolerance for computer clock synchronization](security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md) +##### [Audit Policy](security-policy-settings/audit-policy.md) +##### [Security Options](security-policy-settings/security-options.md) +###### [Accounts: Administrator account status](security-policy-settings/accounts-administrator-account-status.md) +###### [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md) +###### [Accounts: Guest account status](security-policy-settings/accounts-guest-account-status.md) +###### [Accounts: Limit local account use of blank passwords to console logon only](security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md) +###### [Accounts: Rename administrator account](security-policy-settings/accounts-rename-administrator-account.md) +###### [Accounts: Rename guest account](security-policy-settings/accounts-rename-guest-account.md) +###### [Audit: Audit the access of global system objects](security-policy-settings/audit-audit-the-access-of-global-system-objects.md) +###### [Audit: Audit the use of Backup and Restore privilege](security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md) +###### [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md) +###### [Audit: Shut down system immediately if unable to log security audits](security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md) +###### [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) +###### [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) +###### [Devices: Allow undock without having to log on](security-policy-settings/devices-allow-undock-without-having-to-log-on.md) +###### [Devices: Allowed to format and eject removable media](security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md) +###### [Devices: Prevent users from installing printer drivers](security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md) +###### [Devices: Restrict CD-ROM access to locally logged-on user only](security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md) +###### [Devices: Restrict floppy access to locally logged-on user only](security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md) +###### [Domain controller: Allow server operators to schedule tasks](security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md) +###### [Domain controller: LDAP server signing requirements](security-policy-settings/domain-controller-ldap-server-signing-requirements.md) +###### [Domain controller: Refuse machine account password changes](security-policy-settings/domain-controller-refuse-machine-account-password-changes.md) +###### [Domain member: Digitally encrypt or sign secure channel data (always)](security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) +###### [Domain member: Digitally encrypt secure channel data (when possible)](security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md) +###### [Domain member: Digitally sign secure channel data (when possible)](security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md) +###### [Domain member: Disable machine account password changes](security-policy-settings/domain-member-disable-machine-account-password-changes.md) +###### [Domain member: Maximum machine account password age](security-policy-settings/domain-member-maximum-machine-account-password-age.md) +###### [Domain member: Require strong (Windows 2000 or later) session key](security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md) +###### [Interactive logon: Display user information when the session is locked](security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md) +###### [Interactive logon: Don't display last signed-in](security-policy-settings/interactive-logon-do-not-display-last-user-name.md) +###### [Interactive logon: Don't display username at sign-in](security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md) +###### [Interactive logon: Do not require CTRL+ALT+DEL](security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md) +###### [Interactive logon: Machine account lockout threshold](security-policy-settings/interactive-logon-machine-account-lockout-threshold.md) +###### [Interactive logon: Machine inactivity limit](security-policy-settings/interactive-logon-machine-inactivity-limit.md) +###### [Interactive logon: Message text for users attempting to log on](security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md) +###### [Interactive logon: Message title for users attempting to log on](security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md) +###### [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) +###### [Interactive logon: Prompt user to change password before expiration](security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md) +###### [Interactive logon: Require Domain Controller authentication to unlock workstation](security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) +###### [Interactive logon: Require smart card](security-policy-settings/interactive-logon-require-smart-card.md) +###### [Interactive logon: Smart card removal behavior](security-policy-settings/interactive-logon-smart-card-removal-behavior.md) +###### [Microsoft network client: Digitally sign communications (always)](security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md) +###### [SMBv1 Microsoft network client: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md) +###### [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md) +###### [Microsoft network client: Send unencrypted password to third-party SMB servers](security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md) +###### [Microsoft network server: Amount of idle time required before suspending session](security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md) +###### [Microsoft network server: Attempt S4U2Self to obtain claim information](security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md) +###### [Microsoft network server: Digitally sign communications (always)](security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md) +###### [SMBv1 Microsoft network server: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md) +###### [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md) +###### [Microsoft network server: Disconnect clients when logon hours expire](security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md) +###### [Microsoft network server: Server SPN target name validation level](security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md) +###### [Network access: Allow anonymous SID/Name translation](security-policy-settings/network-access-allow-anonymous-sidname-translation.md) +###### [Network access: Do not allow anonymous enumeration of SAM accounts](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md) +###### [Network access: Do not allow anonymous enumeration of SAM accounts and shares](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md) +###### [Network access: Do not allow storage of passwords and credentials for network authentication](security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md) +###### [Network access: Let Everyone permissions apply to anonymous users](security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md) +###### [Network access: Named Pipes that can be accessed anonymously](security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md) +###### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md) +###### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md) +###### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md) +###### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md) +###### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md) +###### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md) +###### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) +###### [Network security: Allow LocalSystem NULL session fallback](security-policy-settings/network-security-allow-localsystem-null-session-fallback.md) +###### [Network security: Allow PKU2U authentication requests to this computer to use online identities](security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md) +###### [Network security: Configure encryption types allowed for Kerberos Win7 only](security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md) +###### [Network security: Do not store LAN Manager hash value on next password change](security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md) +###### [Network security: Force logoff when logon hours expire](security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md) +###### [Network security: LAN Manager authentication level](security-policy-settings/network-security-lan-manager-authentication-level.md) +###### [Network security: LDAP client signing requirements](security-policy-settings/network-security-ldap-client-signing-requirements.md) +###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md) +###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md) +###### [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) +###### [Network security: Restrict NTLM: Add server exceptions in this domain](security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md) +###### [Network security: Restrict NTLM: Audit incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md) +###### [Network security: Restrict NTLM: Audit NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md) +###### [Network security: Restrict NTLM: Incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md) +###### [Network security: Restrict NTLM: NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) +###### [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) +###### [Recovery console: Allow automatic administrative logon](security-policy-settings/recovery-console-allow-automatic-administrative-logon.md) +###### [Recovery console: Allow floppy copy and access to all drives and folders](security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md) +###### [Shutdown: Allow system to be shut down without having to log on](security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md) +###### [Shutdown: Clear virtual memory pagefile](security-policy-settings/shutdown-clear-virtual-memory-pagefile.md) +###### [System cryptography: Force strong key protection for user keys stored on the computer](security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md) +###### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md) +###### [System objects: Require case insensitivity for non-Windows subsystems](security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md) +###### [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md) +###### [System settings: Optional subsystems](security-policy-settings/system-settings-optional-subsystems.md) +###### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md) +###### [User Account Control: Admin Approval Mode for the Built-in Administrator account](security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md) +###### [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md) +###### [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md) +###### [User Account Control: Behavior of the elevation prompt for standard users](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md) +###### [User Account Control: Detect application installations and prompt for elevation](security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md) +###### [User Account Control: Only elevate executables that are signed and validated](security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md) +###### [User Account Control: Only elevate UIAccess applications that are installed in secure locations](security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md) +###### [User Account Control: Run all administrators in Admin Approval Mode](security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md) +###### [User Account Control: Switch to the secure desktop when prompting for elevation](security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md) +###### [User Account Control: Virtualize file and registry write failures to per-user locations](security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md) +##### [Advanced security audit policy settings](security-policy-settings/secpol-advanced-security-audit-policy-settings.md) +##### [User Rights Assignment](security-policy-settings/user-rights-assignment.md) +###### [Access Credential Manager as a trusted caller](security-policy-settings/access-credential-manager-as-a-trusted-caller.md) +###### [Access this computer from the network](security-policy-settings/access-this-computer-from-the-network.md) +###### [Act as part of the operating system](security-policy-settings/act-as-part-of-the-operating-system.md) +###### [Add workstations to domain](security-policy-settings/add-workstations-to-domain.md) +###### [Adjust memory quotas for a process](security-policy-settings/adjust-memory-quotas-for-a-process.md) +###### [Allow log on locally](security-policy-settings/allow-log-on-locally.md) +###### [Allow log on through Remote Desktop Services](security-policy-settings/allow-log-on-through-remote-desktop-services.md) +###### [Back up files and directories](security-policy-settings/back-up-files-and-directories.md) +###### [Bypass traverse checking](security-policy-settings/bypass-traverse-checking.md) +###### [Change the system time](security-policy-settings/change-the-system-time.md) +###### [Change the time zone](security-policy-settings/change-the-time-zone.md) +###### [Create a pagefile](security-policy-settings/create-a-pagefile.md) +###### [Create a token object](security-policy-settings/create-a-token-object.md) +###### [Create global objects](security-policy-settings/create-global-objects.md) +###### [Create permanent shared objects](security-policy-settings/create-permanent-shared-objects.md) +###### [Create symbolic links](security-policy-settings/create-symbolic-links.md) +###### [Debug programs](security-policy-settings/debug-programs.md) +###### [Deny access to this computer from the network](security-policy-settings/deny-access-to-this-computer-from-the-network.md) +###### [Deny log on as a batch job](security-policy-settings/deny-log-on-as-a-batch-job.md) +###### [Deny log on as a service](security-policy-settings/deny-log-on-as-a-service.md) +###### [Deny log on locally](security-policy-settings/deny-log-on-locally.md) +###### [Deny log on through Remote Desktop Services](security-policy-settings/deny-log-on-through-remote-desktop-services.md) +###### [Enable computer and user accounts to be trusted for delegation](security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md) +###### [Force shutdown from a remote system](security-policy-settings/force-shutdown-from-a-remote-system.md) +###### [Generate security audits](security-policy-settings/generate-security-audits.md) +###### [Impersonate a client after authentication](security-policy-settings/impersonate-a-client-after-authentication.md) +###### [Increase a process working set](security-policy-settings/increase-a-process-working-set.md) +###### [Increase scheduling priority](security-policy-settings/increase-scheduling-priority.md) +###### [Load and unload device drivers](security-policy-settings/load-and-unload-device-drivers.md) +###### [Lock pages in memory](security-policy-settings/lock-pages-in-memory.md) +###### [Log on as a batch job](security-policy-settings/log-on-as-a-batch-job.md) +###### [Log on as a service](security-policy-settings/log-on-as-a-service.md) +###### [Manage auditing and security log](security-policy-settings/manage-auditing-and-security-log.md) +###### [Modify an object label](security-policy-settings/modify-an-object-label.md) +###### [Modify firmware environment values](security-policy-settings/modify-firmware-environment-values.md) +###### [Perform volume maintenance tasks](security-policy-settings/perform-volume-maintenance-tasks.md) +###### [Profile single process](security-policy-settings/profile-single-process.md) +###### [Profile system performance](security-policy-settings/profile-system-performance.md) +###### [Remove computer from docking station](security-policy-settings/remove-computer-from-docking-station.md) +###### [Replace a process level token](security-policy-settings/replace-a-process-level-token.md) +###### [Restore files and directories](security-policy-settings/restore-files-and-directories.md) +###### [Shut down the system](security-policy-settings/shut-down-the-system.md) +###### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md) +###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md) + + + + + + +### [Windows security baselines](windows-security-baselines.md) ### [Security Compliance Toolkit](security-compliance-toolkit-10.md) ### [Get support](get-support-for-security-baselines.md) -## [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) +### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) ## [Change history for Threat protection](change-history-for-threat-protection.md) diff --git a/windows/security/threat-protection/images/wdatp-pillars2.png b/windows/security/threat-protection/images/wdatp-pillars2.png new file mode 100644 index 0000000000..60725244e5 Binary files /dev/null and b/windows/security/threat-protection/images/wdatp-pillars2.png differ diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index f2c623bd85..b589ac9a69 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -10,19 +10,27 @@ ms.date: 02/05/2018 --- # Threat Protection +Windows Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture. + +![Windows Defender ATP components](images/wdatp-pillars2.png) + +The following capabilities are available across multiple products that make up the Windows Defender ATP platform. + +**Attack surface reduction**
+The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. + +**Next generation protection**
+To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. + +**Endpoint protection and response**
+Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. + +**Auto investigation and remediation**
+In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. + +**Security posture**
+Windows Defender ATP provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network. + + -Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile. -| Section | Description | -|-|-| -|[Windows Defender Security Center](windows-defender-security-center/windows-defender-security-center.md)|Learn about the easy-to-use app that brings together common Windows security features.| -|[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.| -|[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender Antivirus, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.| -|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.| -|[Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)|Explains how Windows Defender Application Control restricts the applications that users are allowed to run and the code that runs in the System Core (kernel).| -|[Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)|Explains how to enable HVCI to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.| -|[Windows Defender Smart​Screen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.| -|[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.| -|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies.| -|[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md) |Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. | -|[Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) |Provides info about how to help protect your company from attacks which may originate from untrusted or attacker controlled font files. | diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md index fc4ba4c6b4..77cc805406 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 07/10/2018 --- @@ -68,11 +68,9 @@ See [How to create and deploy antimalware policies: Scan settings]( https://docs **Use Microsoft Intune to configure scanning options** +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. -See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Scan options](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#specify-scan-options-settings) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details. - - ### Email scanning limitations diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index ca884944ee..9381eb05f6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 07/10/2018 --- # Configure and validate exclusions based on file extension and folder location @@ -186,8 +186,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// **Use Microsoft Intune to configure file name, folder, or file extension exclusions:** - -See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details. +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. **Use the Windows Defender Security Center app to configure file name, folder, or file extension exclusions:** diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 05684915fd..43501a9510 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 07/10/2018 --- # Configure exclusions for files opened by processes @@ -142,8 +142,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// **Use Microsoft Intune to exclude files that have been opened by specified processes from scans:** - -See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details. +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. **Use the Windows Defender Security Center app to exclude files that have been opened by specified processes from scans:** @@ -173,7 +172,7 @@ Environment variables | The defined variable will be populated as a path when th ## Review the list of exclusions -You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). +You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). If you use PowerShell, you can retrieve the list in two ways: diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index 9ab2a46598..c409e9402c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 07/10/2018 --- @@ -35,7 +35,7 @@ ms.date: 04/30/2018 When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender AV should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. -This topic describes how to configure these settings with Group Policy, but you can also use [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-default-actions-settings). +This topic describes how to configure these settings with Group Policy, but you can also use [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) to configure these settings. diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 55ed3cb681..fa6dae36c3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 11/20/2017 +ms.date: 07/10/2018 --- # Detect and block Potentially Unwanted Applications @@ -107,8 +107,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use **Use Intune to configure the PUA protection feature** -See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details. - +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 52804b3481..da5b515967 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 07/10/2018 --- # Enable cloud-delivered protection in Windows Defender AV @@ -108,25 +108,22 @@ See the following for more information and allowed parameters: **Use Intune to enable cloud-delivered protection** -1. Open the [Microsoft Intune administration console](https://manage.microsoft.com/), and navigate to the associated policy you want to configure. -2. Under the **Endpoint Protection** setting, scroll down to the **Endpoint Protection Service** section set the **Submit files automatically when further analysis is required** setting to either of the following: - 1. **Send samples automatically** - 1. **Send all samples automatically** +1. Sign in to the [Azure portal](https://portal.azure.com). +2. Select **All services > Intune**. +3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). +4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**. +5. On the **Cloud-delivered protection** switch, select **Enable**. +6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. +7. In the **Submit samples consent** dropdown, select one of the following: + 1. **Send safe samples automatically** + 2. **Send all samples automatically** > [!WARNING] > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. -5. Scroll down to the **Microsoft Active Protection Service** section and set the following settings: - - Setting | Set to - --|-- - Join Microsoft Active Protection Service | Yes - Membership level | Advanced - Receive dynamic definitions based on Microsoft Active Protection Service reports | Yes +8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. + +For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles) -3. Save and [deploy the policy as usual](https://docs.microsoft.com/en-us/intune/deploy-use/common-windows-pc-management-tasks-with-the-microsoft-intune-computer-client). - -See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) for more details. - **Enable cloud-delivered protection on individual clients with the Windows Defender Security Center app** > [!NOTE] > If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md index ba1fdde4da..79696c63e9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 07/10/2018 --- # Report on Windows Defender Antivirus protection @@ -28,7 +28,7 @@ There are a number of ways you can review protection status and alerts, dependin -You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using the [Microsoft Intune console](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection). +You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using [Microsoft Intune](https://docs.microsoft.com/en-us/intune/introduction-intune). Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender AV issues, including protection updates and real-time protection settings. diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md index 16d24853fc..151f4e6a10 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/26/2017 +ms.date: 07/10/2018 --- # Review Windows Defender AV scan results @@ -83,7 +83,9 @@ Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**] **Use Microsoft Intune to review Windows Defender AV scan results:** -See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Monitor Endpoint Protection](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection). +1. In Intune, go to **Devices > All Devices** and select the device you want to scan. + +2. Click the scan results in **Device actions status**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md index 7849eb1cd6..4aa2447988 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/26/2017 +ms.date: 07/10/2018 --- @@ -98,8 +98,9 @@ See the following for more information and allowed parameters: **Use Microsoft Intune to run a scan:** +1. In Intune, go to **Devices > All Devices** and select the device you want to scan. -See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Run a malware scan](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#run-a-malware-scan-or-update-malware-definitions-on-a-computer) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details. +2. Select **...More** and then select **Quick Scan** or **Full Scan**. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index 3bf361e0fd..4439eb8cb4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 07/10/2018 --- @@ -43,7 +43,7 @@ In addition to always-on real-time protection and [on-demand](run-scan-windows-d You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur. -This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intunespecify-scan-schedule-settings). +This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). To configure the Group Policy settings described in this topic: diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 336b74e40b..b019f68b3c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium author: jsuther1974 -ms.date: 06/14/2018 +ms.date: 07/10/2018 --- # Microsoft recommended block rules @@ -78,7 +78,7 @@ For October 2017, we are announcing an update to system.management.automation.dl Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet: -``` +```xml 10.0.0.0 @@ -655,7 +655,33 @@ Microsoft recommends that you block the following Microsoft-signed applications - + + + + + + + + + + + + + + + + + + + + + + + + + + +