deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 11:53:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into wdac-restore

Browse Source
This commit is contained in:
Justin Hall
2018-05-17 09:33:31 -07:00
parent dfc0132ca1 87c9fabb35
commit 9d45333eb9
463 changed files with 3840 additions and 1241 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
windows/security/hardware-protection/tpm/tpm-recommendations.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: brianlic-msft
ms.date: 10/27/2017
ms.date: 05/16/2018
---
# TPM recommendations
@ -102,7 +102,9 @@ The following table defines which Windows features require TPM support.
| Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot |
| BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required |
| Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. |
| Device Guard | No | Yes | Yes | |
| Windows Defender Application Control (Device Guard) | No | Yes | Yes | |
| Windows Defender Exploit Guard | Yes | Yes | Yes | |
| Windows Defender System Guard | Yes | Yes | Yes | |
| Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. |
| Device Health Attestation| Yes | Yes | Yes | |
| Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. |

4
windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
View File

@ -25,7 +25,7 @@ On-premises deployments must use the On-premises Azure MFA Server using the AD F
## Prerequisites
The Azure MFA Server and User Portal servers have several perquisites and must have connectivity to the Internet.
The Azure MFA Server and User Portal servers have several prerequisites and must have connectivity to the Internet.
### Primary MFA Server
@ -540,4 +540,4 @@ The Multi-Factor Authentication server communicates with the Azure MFA cloud ser
2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)

4
windows/security/identity-protection/vpn/vpn-profile-options.md
View File

@ -37,10 +37,10 @@ The following table lists the VPN settings and whether the setting can be config
| Name resolution: persistent | no |
| Auto-trigger: app trigger | yes |
| Auto-trigger: name trigger | yes |
| Auto-trigger: Always On | no |
| Auto-trigger: Always On | yes |
| Auto-trigger: trusted network detection | no |
| LockDown | no |
| Windows Information Protection (WIP) | no |
| Windows Information Protection (WIP) | yes |
| Traffic filters | yes |
The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This is particularly useful for deploying profiles with features that are not yet supported by MDMs. You can get additional examples in the [ProfileXML XSD](https://msdn.microsoft.com/library/windows/hardware/mt755930.aspx) topic.

1
windows/security/information-protection/TOC.md
View File

@ -51,4 +51,5 @@
#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md)
#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md)
#### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md)
### [Fine-tune Windows Information Protection (WIP) with WIP Learning](windows-information-protection\wip-learning.md)

1
windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
View File

@ -256,6 +256,7 @@ Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the
For this example, were going to add an AppLocker XML file to the **Allowed apps** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
**To create a list of Allowed apps using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.

BIN
windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 215 KiB

BIN
windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 103 KiB

BIN
windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 510 KiB

BIN
windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 406 KiB

BIN
windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 127 KiB

BIN
windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 326 KiB

BIN
windows/security/information-protection/windows-information-protection/images/wip-learning-app-info.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 256 KiB

BIN
windows/security/information-protection/windows-information-protection/images/wip-learning-choose-store-or-desktop-app.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 250 KiB

BIN
windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 105 KiB

4
windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
author: coreyp-at-msft
ms.localizationpriority: medium
ms.date: 09/11/2017
---
@ -120,7 +120,7 @@ WIP currently addresses these enterprise scenarios:
- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isnt required.
### WIP-protection modes
### <a href="" id="bkmk-modes"></a>WIP-protection modes
Enterprise data is automatically encrypted after its loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
Your WIP policy includes a list of trusted apps that are allowed to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list dont have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if its personally owned.

101
windows/security/information-protection/windows-information-protection/wip-learning.md Normal file
View File

@ -0,0 +1,101 @@
---
title:
# Fine-tune Windows Information Policy (WIP) with WIP Learning
description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
ms.pagetype: security
author: coreyp-at-msft
ms.localizationpriority: medium
ms.date: 04/18/2018
---
# Fine-tune Windows Information Protection (WIP) with WIP Learning
**Applies to:**
- Windows 10, version 1703 and later
- Windows 10 Mobile, version 1703 and later
With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports are accessed from Microsoft Azure Intune, and you can alternately access the App learning report from Microsoft Operations Management Suite (OMS).
The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Hide overrides”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list.
## Access the WIP Learning reports
1. Open the [Azure portal](http://portal.azure.com/). Choose **All services**. Type **Intune** in the text box filter.
2. Choose **Intune** > **Mobile Apps**.
3. Choose **App protection status**.
4. Choose **Reports**.
![Image showing the UI path to the WIP report](images/access-wip-learning-report.png)
5. Finally, select either **App learning report for Windows Information Protection**, or **Website learning report for Windows Information Protection**.
![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png)
Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. Next, we'll look at how to do that in Operations Management Suite (OMS).
## View the WIP app learning report in Microsoft Operations Management Suite
From Intune, you can open OMS by choosing **WIP in the OMS console**. Then you can view the WIP App learning blade to monitor access events per app, and devices that have reported WIP access events:
![View in Intune of the link to OMS](images/wip-in-oms-console-link.png)
If you don't have OMS linked to your Microsoft Azure Account, and want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information.
>[!NOTE]
>Intune has a 14 day data retention capacity, while OMS offers better querying capabilities and longer data retention.
Once you have WIP policies in place, by using the WIP section of Device Health, you can:
- Reduce disruptive prompts by adding rules to allow data sharing from approved apps.
- Tune WIP rules by confirming that certain apps are allowed or denied by current policy.
![Main Windows Information Protection view](images/oms-wip-app-learning-tile.png)
The **APP LEARNING** tile shows details of app statistics that you can use to evaluate each incident and update app policies by using WIP AppIDs.
![Details view](images/WIPNEW1-chart-selected-sterile.png)
In this chart view, you can see apps that have been used on connected devices which, when clicked on, will open additional details on the app, including details you need to adjust your WIP Policy:
![Details view for a specific app](images/WIPappID-sterile.png)
Here, you can copy the **WipAppid** and use it to adjust your WIP protection policies.
## Use OMS and Intune to adjust WIP protection policy
1. Click the **APP LEARNING** tile in OMS, as described above, to determine which apps are being used for work so you can add those you choose to your WIP policy.
2. Click the app you want to add to your policy and copy the publisher information from the app details screen.
3. Back in Intune, click **App protection policies** and then choose the app policy you want to add an application to.
4. Click **Protected apps**, and then click **Add Apps**.
5. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).
![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png)
6. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 2 above.
![View of Add Apps app info entry boxes](images/wip-learning-app-info.png)
7. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**).
8. Back in OMS, copy the name of the executable (for example, snippingtool.exe) and then go back to Intune and paste it in **FILE** (required).
9. Go back to OMS one more time and note the version number of the app and type it in **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide overrides**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

5
windows/security/threat-protection/TOC.md
View File

@ -95,6 +95,9 @@
##### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
##### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
### [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
###API and SIEM support
#### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md)
##### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
@ -191,7 +194,7 @@
##### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
##### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
##### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
##### [Protect data with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
####Permissions
##### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)

8
windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
View File

@ -21,7 +21,9 @@ Describes the best practices, location, values, and security considerations for
The **Domain member: Maximum machine account password age** policy setting determines when a domain member submits a password change.
In Active Directorybased domains, each device has an account and password, just like every user. By default, the domain members submit a password change every 30 days. Increasing this interval significantly, or setting it to **0** so that a device no longer submits a password change, gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts.
In Active Directorybased domains, each device has an account and password. By default, the domain members submit a password change every 30 days. Increasing this interval significantly, or setting it to **0** so that a device no longer submits a password change, gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts.
For more information, see [Machine Account Password Process](https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/).
### Possible values
@ -30,8 +32,8 @@ In Active Directorybased domains, each device has an account and password, ju
### Best practices
1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days.
2. If the machine's password has expired, it will no longer be able to authenticate with the domain. The easiest way to get authentication working again might require removing the device from the domain and then re-joining it. For this reason, some organizations create a special organizational unit (OU) for computers that are prebuilt and then stored for later use or shipped to remote locations, and change the value to more than 30 days.
It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days.
Setting the value to fewer days can increase replication and impact domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would impact domain controllers in large organizations with many computers or slow links between sites.
### Location

5
windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
View File

@ -67,8 +67,7 @@ Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) |
---|---|---|---|---|---|---
Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service
Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version
Block at first sight availability | No | Yes | Yes | Not configurable | Configurable | No
Cloud block timeout period | No | No | Configurable | Not configurable | Configurable | No
Cloud block timeout period | No | No | Configurable | Not configurable | Configurable | Configurable
You can also [configure Windows Defender AV to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-windows-defender-antivirus.md#cloud-report-updates).
@ -81,4 +80,4 @@ You can also [configure Windows Defender AV to automatically receive new protect
[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
[Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
[Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for a traditional signature. You can enable and configure it with System Center Configuration Manager and Group Policy.
[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy.
[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy.

1
windows/security/threat-protection/windows-defender-application-control/TOC.md
View File

@ -29,6 +29,7 @@
### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md)
#### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md)
### [Disable WDAC policies](disable-windows-defender-application-control-policies.md)
### [Device Guard and AppLocker](windows-defender-device-guard-and-applocker.md)
## [AppLocker](applocker\applocker-overview.md)
### [Administer AppLocker](applocker\administer-applocker.md)

2
windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Audit Windows Defender Application Control policies

2
windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Create a Windows Defender Application Control policy from a reference computer

2
windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Disable Windows Defender Application Control policies

2
windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Enforce Windows Defender Application Control policies

2
windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Manage packaged apps with Windows Defender Application Control

2
windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Merge Windows Defender Application Control policies

82
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Microsoft recommended block rules
@ -79,30 +79,30 @@ Microsoft recommends that you block the following Microsoft-signed applications
```
<?xml version="1.0" encoding="utf-8" ?>
- <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
- <Rules>
- <Rule>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
- <Rule>
<Rule>
<Option>Enabled:Audit Mode</Option>
</Rule>
- <Rule>
<Rule>
<Option>Enabled:Advanced Boot Options Menu</Option>
</Rule>
- <Rule>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
</Rules>
- <!-- EKUS
<!-- EKUS
-->
<EKUs />
- <!-- File Rules
<!-- File Rules
-->
- <FileRules>
<FileRules>
<Deny ID="ID_DENY_BGINFO" FriendlyName="bginfo.exe" FileName="BGINFO.Exe" MinimumFileVersion="4.21.0.0"/>
<Deny ID="ID_DENY_CBD" FriendlyName="cdb.exe" FileName="CDB.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_KD" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
@ -159,7 +159,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<Deny ID="ID_DENY_D_24" FriendlyName="Powershell 24" Hash="F16E605B55774CDFFDB0EB99FAFF43A40622ED2AB1C011D1195878F4B20030BC"/>
<Deny ID="ID_DENY_D_25" FriendlyName="Powershell 25" Hash="F29A958287788A6EEDE6035D49EF5CB85EEC40D214FDDE5A0C6CAA65AFC00EEC"/>
<Deny ID="ID_DENY_D_26" FriendlyName="Powershell 26" Hash="F875E43E12685ECE0BA2D42D55A13798CE9F1FFDE3CAE253D2529F4304811A52"/>
- <!-- System.Management.Automation.dll
<!-- System.Management.Automation.dll
-->
<Deny ID="ID_DENY_D_27" FriendlyName="PowerShell 27" Hash="720D826A84284E18E0003526A0CD9B7FF0C4A98A"/>
<Deny ID="ID_DENY_D_28" FriendlyName="PowerShell 28" Hash="CB5DF9D0D25571948C3D257882E07C7FA5E768448E0DEBF637E110F9FF575808"/>
@ -383,103 +383,103 @@ Microsoft recommends that you block the following Microsoft-signed applications
<Deny ID="ID_DENY_D_246" FriendlyName="PowerShell 246" Hash="0C4688AACD02829850DE0F792AC06D3C87895412A910EA76F7F9BF31B3B4A3E9"/>
<Deny ID="ID_DENY_D_247" FriendlyName="PowerShell 247" Hash="6DC048AFA50B5B1B0AD7DD3125AC83D46FED730A"/>
<Deny ID="ID_DENY_D_248" FriendlyName="PowerShell 248" Hash="432F666CCE8CD222484E263AE02F63E0038143DD6AD07B3EB1633CD3C498C13D"/>
- <!-- pubprn.vbs
<!-- pubprn.vbs
-->
- <!-- rs2 x86fre
<!-- rs2 x86fre
-->
<Deny ID="ID_DENY_D_249" FriendlyName="PubPrn 249" Hash="68E96BE23748AA680D5E1E557778901F332ED5D3"/>
<Deny ID="ID_DENY_D_250" FriendlyName="PubPrn 250" Hash="8FA30B5931806565C2058E565C06AD5F1C5A48CDBE609975EB31207C25214063"/>
- <!-- rs2 amd64fre
<!-- rs2 amd64fre
-->
<Deny ID="ID_DENY_D_251" FriendlyName="PubPrn 251" Hash="32C4B29FE428B1DF473F3F4FECF519D285E93521"/>
<Deny ID="ID_DENY_D_252" FriendlyName="PubPrn 252" Hash="D44FB563198D60DFDC91608949FE2FADAD6161854D084EB1968C558AA36513C7"/>
- <!-- rs2 amd64chk
<!-- rs2 amd64chk
-->
<Deny ID="ID_DENY_D_253" FriendlyName="PubPrn 253" Hash="9EDBEF086D350863F29175F5AB5178B88B142C75"/>
<Deny ID="ID_DENY_D_254" FriendlyName="PubPrn 254" Hash="9B22C98351F2B6DEDDCED0D805C65F5B166FF519A8DF41EB242CB909471892EB"/>
- <!-- rs2 x86chk
<!-- rs2 x86chk
-->
<Deny ID="ID_DENY_D_255" FriendlyName="PubPrn 255" Hash="8A3B30F345C43246B3500721CFEEADBAC6B9D9C6"/>
<Deny ID="ID_DENY_D_256" FriendlyName="PubPrn 256" Hash="37C20BF20A2BBACE50957F8D0AB3FD16174BC005E79D47E51E899AFD9E4B7724"/>
- <!-- rs2 woafre
<!-- rs2 woafre
-->
<Deny ID="ID_DENY_D_257" FriendlyName="PubPrn 257" Hash="C659DAD2B37375781E2D584E16AAE2A10B5A1156"/>
<Deny ID="ID_DENY_D_258" FriendlyName="PubPRn 258" Hash="EBDACA86F10AC0446D60CC75628EC7A370B1E2236E6D20F22372F91033B6D429"/>
- <!-- rs3 amd64chk
<!-- rs3 amd64chk
-->
<Deny ID="ID_DENY_D_259" FriendlyName="PubPrn 259" Hash="C9D6394BBFF8CD9C6590F08C54EC6AFDEB5CFFB4"/>
<Deny ID="ID_DENY_D_260" FriendlyName="PubPrn 260" Hash="518E4EA7A2B70713E1AEC6E7E75A488C39384B625C5F2779073E9294CBF2BD9F"/>
- <!-- rs3 amd64fre
<!-- rs3 amd64fre
-->
<Deny ID="ID_DENY_D_261" FriendlyName="PubPrn 261" Hash="C9D6394BBFF8CD9C6590F08C54EC6AFDEB5CFFB4"/>
<Deny ID="ID_DENY_D_262" FriendlyName="PubPrn 262" Hash="518E4EA7A2B70713E1AEC6E7E75A488C39384B625C5F2779073E9294CBF2BD9F"/>
- <!-- rs3 arm64chk
<!-- rs3 arm64chk
-->
<Deny ID="ID_DENY_D_263" FriendlyName="PubPrn 263" Hash="763A652217A1E30F2D288B7F44E08346949A02CD"/>
<Deny ID="ID_DENY_D_264" FriendlyName="PubPrn 264" Hash="FCDDA212B06602F642B29FC05316EF75E4EE9975E6E8A9526E842BE2EA237C5D"/>
- <!-- rs3 arm64fre
<!-- rs3 arm64fre
-->
<Deny ID="ID_DENY_D_265" FriendlyName="PubPrn 265" Hash="763A652217A1E30F2D288B7F44E08346949A02CD"/>
<Deny ID="ID_DENY_D_266" FriendlyName="PubPrn 266" Hash="FCDDA212B06602F642B29FC05316EF75E4EE9975E6E8A9526E842BE2EA237C5D"/>
- <!-- rs3 woachk
<!-- rs3 woachk
-->
<Deny ID="ID_DENY_D_267" FriendlyName="PubPrn 267" Hash="60FD28D770B23A0477679311D247DA4D5C61074C"/>
<Deny ID="ID_DENY_D_268" FriendlyName="PubPrn 268" Hash="D09A4B2EA611CDFDC6DCA44314289B622B2A5EDA09716EF4A16B91EC90BFBA8F"/>
- <!-- rs3 woafre
<!-- rs3 woafre
-->
<Deny ID="ID_DENY_D_269" FriendlyName="PubPrn 269" Hash="60FD28D770B23A0477679311D247DA4D5C61074C"/>
<Deny ID="ID_DENY_D_270" FriendlyName="PubPrn 270" Hash="D09A4B2EA611CDFDC6DCA44314289B622B2A5EDA09716EF4A16B91EC90BFBA8F"/>
- <!-- rs3 x86chk
<!-- rs3 x86chk
-->
<Deny ID="ID_DENY_D_271" FriendlyName="PubPrn 271" Hash="47CBE201ED224BF3F5C322F7A49EF64469AF2E1A"/>
<Deny ID="ID_DENY_D_272" FriendlyName="PubPrn 272" Hash="24855B9CC420719D5AB93F4F1589CE09E4063E4FC98681BD91A1D18A3C8ACB43"/>
- <!-- rs3 x86fre
<!-- rs3 x86fre
-->
<Deny ID="ID_DENY_D_273" FriendlyName="PubPrn 273" Hash="47CBE201ED224BF3F5C322F7A49EF64469AF2E1A"/>
<Deny ID="ID_DENY_D_274" FriendlyName="PubPrn 274" Hash="24855B9CC420719D5AB93F4F1589CE09E4063E4FC98681BD91A1D18A3C8ACB43"/>
- <!-- rs3 sxs amd64
<!-- rs3 sxs amd64
-->
<Deny ID="ID_DENY_D_275" FriendlyName="PubPrn 275" Hash="663D8E25BAE20510A882F6692BE2620FBABFB94E"/>
<Deny ID="ID_DENY_D_276" FriendlyName="PubPrn 276" Hash="649A9E5A4867A28C7D0934793F33B545F9441EA23872715C84826D80CC8EC576"/>
- <!-- rs3 sxs arm64
<!-- rs3 sxs arm64
-->
<Deny ID="ID_DENY_D_277" FriendlyName="PubPrn 277" Hash="226ABB2FBAEFC5A7E2A819D9D708F826C00FD215"/>
<Deny ID="ID_DENY_D_278" FriendlyName="PubPrn 278" Hash="AC6B35C904D388FD12C07C2F6A1A07F337D31895713BF01DCCE7A7F187D7F4D9"/>
- <!-- rs3 sxs woa
<!-- rs3 sxs woa
-->
<Deny ID="ID_DENY_D_279" FriendlyName="PubPrn 279" Hash="071D7849941E43144839988971255FE34690A747"/>
<Deny ID="ID_DENY_D_280" FriendlyName="PubPrn 280" Hash="5AF75895BDC11A6B68C816A8677D7CF9692BF25A95C4378A43FBDE740B18EEB1"/>
- <!-- rs3 sxs x86
<!-- rs3 sxs x86
-->
<Deny ID="ID_DENY_D_281" FriendlyName="PubPrn 281" Hash="9FBFF074C201BFEBE37710CB453EFF9A14AE3BFF"/>
<Deny ID="ID_DENY_D_282" FriendlyName="PubPrn 282" Hash="A0C71A925850D2D481C7E520F5D5A83305EC169EEA4C5B8DC20C8D8AFCD8A512"/>
- <!-- psworkflowutility.psm1
<!-- psworkflowutility.psm1
-->
- <!-- th1
<!-- th1
-->
<Deny ID="ID_DENY_D_283" FriendlyName="PSWorkflowUtility 283" Hash="4FBC9A72C5D5246F34994F13076A5AD98A1A844E"/>
<Deny ID="ID_DENY_D_284" FriendlyName="PSWorkflowUtility 284" Hash="7BF44433D3A606104778F64B11B92C52FC99C4BA570C50B70438275D0B587B8E"/>
- <!-- th2
<!-- th2
-->
<Deny ID="ID_DENY_D_285" FriendlyName="PSWorkflowUtility 285" Hash="99382ED8FA3577DFD903C01478A79D6D90681406"/>
<Deny ID="ID_DENY_D_286" FriendlyName="PSWorkflowUtility 286" Hash="C3A5DAB20947CA8FD092E75C25177E7BAE7884CA58710F14827144C09EA1F94B"/>
</FileRules>
- <!-- Signers
<!-- Signers
-->
<Signers />
- <!-- Driver Signing Scenarios
<!-- Driver Signing Scenarios
-->
- <SigningScenarios>
- <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Driver Signing Scenarios">
- <ProductSigners>
- <FileRulesRef>
<SigningScenarios>
<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Driver Signing Scenarios">
<ProductSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_DENY_KD_KMCI"/>
</FileRulesRef>
</ProductSigners>
</SigningScenario>
- <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User Mode Signing Scenarios">
- <ProductSigners>
- <FileRulesRef>
<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User Mode Signing Scenarios">
<ProductSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_DENY_BGINFO"/>
<FileRuleRef RuleID="ID_DENY_CBD"/>
<FileRuleRef RuleID="ID_DENY_KD"/>

2
windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Use code signing to simplify application control for classic Windows applications

2
windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Use signed policies to protect Windows Defender Application Control against tampering

2
windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules

26
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/16/2018
---
# Planning and getting started on the Windows Defender Application Control deployment process
@ -60,5 +60,25 @@ This topic provides a roadmap for planning and getting started on the Windows De
8. Enable desired virtualization-based security (VBS) features. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by Windows Defender Application Control.
> [!WARNING]
> Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
## Known issues
This section covers known issues with WDAC and Device Guard. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error).
Test this configuration in your lab before enabling it in production.
### MSI Installations are blocked by WDAC
Installing .msi files directly from the internet to a computer protected by WDAC will fail.
For example, this command will not work:
```code
msiexec i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi
```
As a workaround, download the MSI file and run it locally:
```code
msiexec i c:\temp\Windows10_Version_1511_ADMX.msi
```

2
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Windows Defender Application Control

22
windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md Normal file
View File

@ -0,0 +1,22 @@
---
title: Windows Defender Device Guard and AppLocker (Windows 10)
description: Explains how
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
author: jsuther1974
ms.date: 05/03/2018
---
# Windows Defender Device Guard with AppLocker
Although [AppLocker](applocker/applocker-overview.md) is not considered a new Windows Defender Device Guard feature, it complements Windows Defender Device Guard functionality when Windows Defender Application Control (WDAC) cannot be fully implemented or its functionality does not cover every desired scenario.
There are many scenarios in which WDAC would be used alongside AppLocker rules.
As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
> [!NOTE]
> One example of how Windows Defender Device Guard functionality can be enhanced by AppLocker is when you want to apply different policies for different users on the same device. For example, you may allow your IT support personnel to run additional apps that you do not allow for your end-users. You can accomplish this user-specific enforcement by using an AppLocker rule.
AppLocker and Windows Defender Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible.
In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.

2
windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
View File

@ -44,4 +44,4 @@ These settings, located at **Computer Configuration\Administrative Templates\Win
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Professional, 1803|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>|
|Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.<br><br>**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|
|Allow files to download to host operating system|Windows 10 Enterprise, 1803|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.<br><br>**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, version 1803<br><br>(experimental only)|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.<br><br>**Important**<br>Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, version 1803<br><br>(experimental only)|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.<br><br><ul>**Important**<br>Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br></ul>**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.<br><br>**Note**<br>This is an experimental feature in Windows 10 Enterprise, version 1803 and will not function without the presence of an additional registry key provided by Microsoft. If you would like to evaluate this feature on deployments of Windows 10 Enterprise, version 1803, please contact Microsoft for further information.|

13
windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
View File

@ -13,7 +13,8 @@ ms.date: 11/07/2017
# Frequently asked questions - Windows Defender Application Guard
**Applies to:**
- Windows 10 Enterpise edition, version 1709
- Windows 10 Enterpise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
@ -31,7 +32,7 @@ Answering frequently asked questions about Windows Defender Application Guard (A
| | |
|---|----------------------------|
|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?|
|**A:** |It's not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.|
|**A:** |In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.<br><br>In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.|
<br>
| | |
@ -55,5 +56,11 @@ Answering frequently asked questions about Windows Defender Application Guard (A
| | |
|---|----------------------------|
|**Q:** |How do I configure WDAG to work with my network proxy (IP-Literal Addresses)?|
|**A:** |WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to WDAG in RS3 (1709) and RS4 (1803).|
|**A:** |WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher.|
<br>
| | |
|---|----------------------------|
|**Q:** |I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?|
|**A:** |This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and well work with you to enable the feature.|
<br>

42
windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
View File

@ -12,11 +12,12 @@ ms.date: 10/19/2017
# Testing scenarios using Windows Defender Application Guard in your business or organization
**Applies to:**
- Windows 10 Enterpise edition, version 1709
We've come up with a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.
**Applies to:**
- Windows 10 Enterpise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
## Application Guard in standalone mode
You can see how an employee would use standalone mode with Application Guard.
@ -97,6 +98,10 @@ Application Guard provides the following default behavior for your employees:
You have the option to change each of these settings to work with your enterprise from within Group Policy.
**Applies to:**
- Windows 10 Enterpise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
**To change the copy and paste options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
@ -152,3 +157,34 @@ You have the option to change each of these settings to work with your enterpris
>[!NOTE]
>If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and arent shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.<br><br>If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br><br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>
**Applies to:**
- Windows 10 Enterpise edition, version 1803
- Windows 10 Professional edition, version 1803
**To change the download options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting.
2. Click **Enabled**.
![Group Policy editor Download options](images/appguard-gp-download.png)
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Download a file from Windows Defender Application Guard.
5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files.
**To change hardware acceleration options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting.
2. Click **Enabled**.
![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png)
3. Contact Microsoft for further information to fully enable this setting.
4. Once you have fully enabled this experimental feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session.
5. Assess the visual experience and battery performance.

7
windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/24/2018
ms.date: 05/08/2018
---
# Configure advanced features in Windows Defender ATP
@ -87,6 +87,11 @@ When you enable this feature, you'll be able to share Windows Defender ATP devic
>You'll need to enable the integration on both Intune and Windows Defender ATP to use this feature.
## Preview features
Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
## Enable advanced features
1. In the navigation pane, select **Preferences setup** > **Advanced features**.
2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.

29
windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/24/2018
ms.date: 05/08/2018
---
# Use Automated investigations to investigate and remediate threats
@ -65,15 +65,24 @@ While an investigation is running, any other alert generated from the machine wi
If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to include that machine and a generic machine playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
### How threats are remediated
Depending on how you set up the machine groups and their level of automation, the Automated investigation will either automaticlly remediate threats or require user approval (this is the default). For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
Depending on how you set up the machine groups and their level of automation, the Automated investigation will either require user approval (default) or automatically remediate threats.
You can configure the following levels of automation:
Automation level | Description
:---|:---
Semi - require approval for any remediation | This is the default automation level.<br><br> An approval is needed for any remediation action.
Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders. <br><br> Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.
Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder. <br><br> Files or executables in all other folders will automatically be remediated if needed.
Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder. <br><br> Files or executables in all other folders will automatically be remediated if needed.
Full - remediate threats automatically | All remediation actions will be performed automatically.
For more information on how to configure these automation levels, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
The default machine group is configured for semi-automatic remediation. This means that any malicious entity that needs to be remediated requires an approval and the investigation is added to the **Pending actions** section, this can be changed to fully automatic so that no user approval is needed.
When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.
### How an Automated investigation is completed
When the Automated investigation completes its analysis, and all pending actions are resolved, an investigation is considered complete. It's important to understand that an investigation is only considered complete if there are no pending actions on it.
## Manage Automated investigations
By default, the Automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
@ -103,19 +112,15 @@ Status | Description
| No threats found | No malicious entities found during the investigation.
| Failed | A problem has interrupted the investigation, preventing it from completing. |
| Partially remediated | A problem prevented the remediation of some malicious entities. |
| Action required | Remediation actions require review and approval. |
| Pending | Remediation actions require review and approval. |
| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
| Running | Investigation ongoing. Malicious entities found will be remediated. |
| Remediated | Malicious entities found were successfully remediated. |
| Terminated by system | Investigation was stopped due to <reason>. |
| Terminated by user | A user stopped the investigation before it could complete. |
| Not applicable | Automated investigations do not apply to this alert type. |
| Terminated by user | A user stopped the investigation before it could complete.
| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
| Automated investigation not applicable to alert type | Automated investigation does not apply to this alert type. |
| Automated investigation does not support OS | Machine is running an OS that is not supported by Automated investigation. |
| Automated investigation unavailable for preexisting alert | Automated investigation does not apply to alerts that were generated before it was deployed. |
| Automated investigation unavailable for suppressed alert | Automated investigation does not apply to suppressed alerts. |
**Detection source**</br>

2
windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md
View File

@ -102,7 +102,7 @@ Take the following steps to enable conditional access:
### Step 1: Turn on the Microsoft Intune connection
1. In the navigation pane, select **Settings** > **General** > **Advanced features** > **Microsoft Intune connection**.
1. In the navigation pane, select **Settings** > **Advanced features** > **Microsoft Intune connection**.
2. Toggle the Microsoft Intune setting to **On**.
3. Click **Save preferences**.

20
windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
View File

@ -30,26 +30,29 @@ ms.date: 05/01/2018
You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.
> [!NOTE]
> Only users with full access can configure email notifications.
> Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications.
You can set the alert severity levels that trigger notifications. When you turn enable the email notifications feature, its set to high and medium alerts by default.
You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).
You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).
If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine groups that were configured in the notification rule.
Users with the proper permission can only create, edit, or delete notifications that are limited to their machine group management scope.
Only users assigned to the Global administrator role can manage notification rules that are configured for all machine groups.
The email notification includes basic information about the alert and a link to the portal where you can do further investigation.
## Set up email notifications for alerts
The email notifications feature is turned off by default. Turn it on to start receiving email notifications.
1. On the navigation pane, select **Settings** > **Alert notifications**.
2. Toggle the setting between **On** and **Off**.
3. Select the alert severity level that youd like your recipients to receive:
- **High** Select this level to send notifications for high-severity alerts.
- **Medium** Select this level to send notifications for medium-severity alerts.
3. Select the alert severity level that you<EFBFBD>d like your recipients to receive:
- **High** <EFBFBD> Select this level to send notifications for high-severity alerts.
- **Medium** <EFBFBD> Select this level to send notifications for medium-severity alerts.
- **Low** - Select this level to send notifications for low-severity alerts.
- **Informational** - Select this level to send notification for alerts that might not be considered harmful but good to keep track of.
4. In **Email recipients to notify on new alerts**, type the email address then select the + sign.
5. Click **Save preferences** when youve completed adding all the recipients.
5. Click **Save preferences** when you<EFBFBD>ve completed adding all the recipients.
Check that email recipients are able to receive the email notifications by selecting **Send test email**. All recipients in the list will receive the test email.
@ -59,10 +62,9 @@ Here's an example email notification:
## Remove email recipients
1. Select the trash bin icon beside the email address youd like to remove.
1. Select the trash bin icon beside the email address you<EFBFBD>d like to remove.
2. Click **Save preferences**.
## Troubleshoot email notifications for alerts
This section lists various issues that you may encounter when using email notifications for alerts.

4
windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
View File

@ -36,7 +36,7 @@ ms.date: 04/24/2018
## Onboard machines using Group Policy
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
a. In the navigation pane, select **Settings** > **Onboarding**.
b. Select Windows 10 as the operating system.
@ -122,7 +122,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
a. In the navigation pane, select **Settings** > **Offboarding**.
b. Select Windows 10 as the operating system.

4
windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
View File

@ -106,7 +106,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
a. In the navigation pane, select **Settings** > **Onboarding**.
b. Select Windows 10 as the operating system.
@ -189,7 +189,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
a. In the navigation pane, select **Settings** > **Offboarding**.
b. Select Windows 10 as the operating system.

4
windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
View File

@ -34,7 +34,7 @@ You'll need to take the following steps to onboard non-Windows machines:
### Turn on third-party integration
1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. Make sure the third-party solution is listed.
1. In the navigation pane, select **Settings** > **Onboarding**. Make sure the third-party solution is listed.
2. Select Mac and Linux as the operating system.
@ -59,7 +59,7 @@ To effectively offboard the machine from the service, you'll need to disable the
1. Follow the third-party documentation to opt-out on the third-party service side.
2. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
2. In the navigation pane, select **Settings** > **Onboarding**.
3. Turn off the third-party solution integration.

4
windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
View File

@ -49,7 +49,7 @@ You can use existing System Center Configuration Manager functionality to create
1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
a. In the navigation pane, select **Settings** > **Onboarding**.
b. Select Windows 10 as the operating system.
@ -127,7 +127,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
a. In the navigation pane, select **Settings** > **Offboarding**.
b. Select Windows 10 as the operating system.

4
windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
View File

@ -36,7 +36,7 @@ You can also manually onboard individual machines to Windows Defender ATP. You m
## Onboard machines
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
a. In the navigation pane, select **Settings** > **Onboarding**.
b. Select Windows 10 as the operating system.
@ -94,7 +94,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
a. In the navigation pane, select **Settings** > **Offboarding**.
b. Select Windows 10 as the operating system.

2
windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
View File

@ -40,7 +40,7 @@ You can onboard VDI machines using a single entry or multiple entries for each m
1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
a. In the navigation pane, select **Settings** > **Onboarding**.
b. Select Windows 10 as the operating system.

16
windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
ms.date: 05/03/2018
ms.date: 05/08/2018
---
# Onboard servers to the Windows Defender ATP service
@ -71,8 +71,8 @@ Once completed, you should see onboarded servers in the portal within an hour.
- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
| Agent Resource | Ports |
|------------------------------------|-------------|
Agent Resource | Ports
:---|:---
| *.oms.opinsights.azure.com | 443 |
| *.blob.core.windows.net | 443 |
| *.azure-automation.net | 443 |
@ -81,6 +81,10 @@ Once completed, you should see onboarded servers in the portal within an hour.
| winatp-gw-eus.microsoft.com | 443 |
| winatp-gw-neu.microsoft.com | 443 |
| winatp-gw-weu.microsoft.com | 443 |
|winatp-gw-uks.microsoft.com | 443 |
|winatp-gw-ukw.microsoft.com | 443 |
| winatp-gw-aus.microsoft.com | 443|
| winatp-gw-aue.microsoft.com |443 |
## Onboard Windows Server, version 1803
Youll be able to onboard in the same method available for Windows 10 client machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
@ -111,7 +115,9 @@ Youll be able to onboard in the same method available for Windows 10 client m
If the result is The specified service does not exist as an installed service, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
## Offboard servers
You have two options to offboard servers from the service:
You can offboard Windows Server, version 1803 in the same method available for Windows 10 client machines.
For other server versions, you have two options to offboard servers from the service:
- Uninstall the MMA agent
- Remove the Windows Defender ATP workspace configuration
@ -139,7 +145,7 @@ To offboard the server, you can use either of the following methods:
#### Run a PowerShell command to remove the configuration
1. Get your Workspace ID:
a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
a. In the navigation pane, select **Settings** > **Onboarding**.
b. Select **Windows server 2012, 2012R2 and 2016** as the operating system and get your Workspace ID:

4
windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
View File

@ -139,6 +139,10 @@ Use the solution explorer to view alerts in Splunk.
5. Find the query you saved in the list and click **Run**. The results are displayed based on your query.
>[!TIP]
> To mininimize alert duplications, you can use the following query:
>```source="rest://windows atp alerts" | spath | dedup _raw | table *```
## Related topics
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)

2
windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md
View File

@ -28,7 +28,7 @@ ms.date: 04/24/2018
During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update the data retention settings.
1. In the navigation pane, select **Settings** > **General** > **Data rention**.
1. In the navigation pane, select **Settings** > **Data rention**.
2. Select the data retention duration from the drop-down list.

2
windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
View File

@ -29,7 +29,7 @@ ms.date: 04/24/2018
Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal.
1. In the navigation pane, select **Settings** > **APIs** > **Threat intel**.
1. In the navigation pane, select **Settings** > **Threat intel**.
![Image of threat intel API menu](images/atp-threat-intel-api.png)

2
windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md
View File

@ -30,7 +30,7 @@ Set the baselines for calculating the score of Windows Defender security control
>[!NOTE]
>Changes might take up to a few hours to reflect on the dashboard.
1. In the navigation pane, select **Settings** > **General** > **Secure Score**.
1. In the navigation pane, select **Settings** > **Secure Score**.
![Image of Secure Score controls from Preferences setup menu](images/atp-enable-security-analytics.png)

2
windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
View File

@ -29,7 +29,7 @@ ms.date: 04/24/2018
Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API.
1. In the navigation pane, select **Settings** > **APIs** > **SIEM**.
1. In the navigation pane, select **Settings** > **SIEM**.
![Image of SIEM integration from Settings menu](images/atp-siem-integration.png)

56
windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/24/2018
ms.date: 05/08/2018
---
# Create and manage machine groups in Windows Defender ATP
@ -33,61 +33,61 @@ In Windows Defender ATP, you can create machine groups and use them to:
- Configure different auto-remediation settings for different sets of machines
As part of the process of creating a machine group, you'll:
- Set the automated remediation level for that group
- Define a matching rule based on the machine name, domain, tags, and OS platform to determine which machines belong to the group. If a machine is also matched to other groups, it is added only to the highest ranked machine group.
- Determine access to machine group
- Rank the machine group relative to other groups after it is created
- Set the automated remediation level for that group. For more information on remediation levels, see [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md).
- Specify the matching rule that determines which machine group belongs to the group based on the machine name, domain, tags, and OS platform. If a machine is also matched to other groups, it is added only to the highest ranked machine group.
- Select the Azure AD user group that should have access to the machine group.
- Rank the machine group relative to other groups after it is created.
>[!NOTE]
>All machine groups are accessible to all users if you dont assign any Azure AD groups to them.
>A machine group is accessible to all users if you dont assign any Azure AD groups to it.
## Add a machine group
1. In the navigation pane, select **Settings > Permissions > Machine groups**.
1. In the navigation pane, select **Settings** > **Machine groups**.
2. Click **Add machine group**.
3. Set the machine group details, configure an association rule, preview the results, then assign the group to an Azure user group:
3. Enter the group name and automation settings and specify the matching rule that determines which machines belong to the group.
- **Name**
- **Remediation level for automated investigations**
- **No remediation**
- **Require approval (all folders)**
- **Require approval (non-temp folders)**
- **Require approval (core folders)**
- **Fully automated**
- **Machine group name**
- **Automation level**
- **Semi - require approval for any remediation**
- **Semi - require approval for non-temp folders remediation**
- **Semi - require approval for core folders remediation**
- **Full - remediate threats automatically**
>[!NOTE]
> For more information on automation levels, see [Understand the Automated investigation flow](automated-investigations-windows-defender-advanced-threat-protection.md#understand-the-automated-investigation-flow).
- **Description**
- **Members**
- **Matching rule** you can apply the rule based on machine name, domain, tag, or OS version.
>[!TIP]
>If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags).
>[!TIP]
>If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags).
4. Review the result of the preview of matched machines. If you are satisfied with the rules, click the **Access** tab.
4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the **Access** tab.
5. Assign the user groups that can access the machine group you created.
>[!NOTE]
>You can only grant access to Azure AD user groups that have been assigned to RBAC roles.
6. Click **Close**.
6. Click **Close**. The configuration changes are applied.
7. Apply the configuration settings.
## Understand matching and manage groups
You can promote the rank of a machine group so that it is given higher priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups.
## Manage machine groups
You can promote or demote the rank of a machine group so that it is given higher or lower priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups.
>[!WARNING]
>Deleting a machine group may affect email notification rules. If a machine group is configured under an email notification rule, it will be removed from that rule. If the machine group is the only group configured for an email notification, that email notification rule will be deleted along with the machine group.
By default, machine groups are accessible to all users with portal access. You can change the default behavior by assigning Azure AD user groups to the machine group.
Machines that are not matched to any groups are added to Ungrouped machines (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group.
>[!NOTE]
>Applying changes to machine group configuration may take up to several minutes.
> - Applying changes to machine group configuration may take up to several minutes.
## Related topic

2
windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
View File

@ -110,7 +110,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
### View the list of suppression rules
1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**.
1. In the navigation pane, select **Settings** > **Alert suppression**.
2. The list of suppression rules shows all the rules that users in your organization have created.

6
windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
View File

@ -36,7 +36,7 @@ Entities added to the blocked list are considered malicious and will be remediat
You can define the conditions for when entities are identified as malicious or safe based on certain attributes such as hash values or certificates.
## Create an allowed or blocked list
1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**.
1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.
2. Select the type of entity you'd like to create an exclusion for. You can choose any of the following entities:
- File hash
@ -52,14 +52,14 @@ You can define the conditions for when entities are identified as malicious or s
5. Click **Update rule**.
## Edit a list
1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**.
1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.
2. Select the type of entity you'd like to edit the list from.
3. Update the details of the rule and click **Update rule**.
## Delete a list
1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**.
1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.
2. Select the type of entity you'd like to delete the list from.

2
windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
View File

@ -35,7 +35,7 @@ For example, if you add *exe* and *bat* as file or attachment extension names, t
## Add file extension names and attachment extension names.
1. In the navigation pane, select **Settings** > **Rules** > **Automation file uploads**.
1. In the navigation pane, select **Settings** > **Automation file uploads**.
2. Toggle the content analysis setting between **On** and **Off**.

6
windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md
View File

@ -47,7 +47,7 @@ You can specify the file names that you want to be excluded in a specific direct
## Add an automation folder exclusion
1. In the navigation pane, select **Settings** > **Rules** > **Automation folder exclusions**.
1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
2. Click **New folder exclusion**.
@ -62,14 +62,14 @@ You can specify the file names that you want to be excluded in a specific direct
4. Click **Save**.
## Edit an automation folder exclusion
1. In the navigation pane, select **Settings** > **Rules** > **Automation folder exclusions**.
1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
2. Click **Edit** on the folder exclusion.
3. Update the details of the rule and click **Save**.
## Remove an automation folder exclusion
1. In the navigation pane, select **Settings** > **Rules** > **Automation folder exclusions**.
1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
2. Click **Remove exclusion**.

4
windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
View File

@ -32,7 +32,7 @@ There might be scenarios where you need to suppress alerts from appearing in the
You can view a list of all the suppression rules and manage them in one place. You can also turn an alert suppression rule on or off.
## Turn a suppression rule on or off
1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
1. In the navigation pane, select **Settings** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
2. Select a rule by clicking on the check-box beside the rule name.
@ -40,7 +40,7 @@ You can view a list of all the suppression rules and manage them in one place. Y
## View details of a suppression rule
1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
1. In the navigation pane, select **Settings** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
2. Click on a rule name. Details of the rule is displayed. You'll see the rule details such as status, scope, action, number of matching alerts, created by, and date when the rule was created. You can also view associated alerts and the rule conditions.

4
windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
View File

@ -40,7 +40,7 @@ You can access these options from the Windows Defender ATP portal. Both the Powe
## Create a Windows Defender ATP dashboard on Power BI service
Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
1. In the navigation pane, select **Settings** > **General** > **Power BI reports**.
1. In the navigation pane, select **Settings** > **Power BI reports**.
2. Click **Create dashboard**.
@ -127,7 +127,7 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t
### Before you begin
1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/).
2. In the navigation pane, select **Settings** > **General** > **Power BI reports**.
2. In the navigation pane, select **Settings** > **Power BI reports**.
3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it.

2
windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
View File

@ -28,7 +28,7 @@ ms.date: 04/24/2018
Turn on the preview experience setting to be among the first to try upcoming features.
1. In the navigation pane, select **Settings** > **Preview experience**.
1. In the navigation pane, select **Settings** > **Advanced features**.
![Image of settings and preview experience](images/atp-preview-features.png)

2
windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
View File

@ -36,7 +36,7 @@ You'll have access to upcoming features which you can provide feedback on to hel
Turn on the preview experience setting to be among the first to try upcoming features.
1. In the navigation pane, select **Settings** > **General** > **Advanced features** > **Preview features**.
1. In the navigation pane, select **Settings** > **Advanced features** > **Preview features**.
2. Toggle the setting between **On** and **Off** and select **Save preferences**.

11
windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/24/2018
ms.date: 05/08/2018
---
# Manage portal access using role-based access control
@ -76,17 +76,18 @@ Someone with a Windows Defender ATP Global administrator role has unrestricted a
2. Click **Add role**.
3. Enter the role name, description, and active permissions youd like to assign to the role.
3. Enter the role name, description, and permissions youd like to assign to the role.
- **Role name**
- **Description**
- **Active permissions**
- **Permissions**
- **View data** - Users can view information in the portal.
- **Investigate alerts** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- **Approve or take action** - Users can take response actions and approve or dismiss pending remediation actions.
- **Manage system settings** - Users can configure settings, SIEM and threat intel API settings, advanced settings, preview features, and automated file uploads.
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
4. Click **Next** to assign the role to an Azure AD group.
@ -102,13 +103,13 @@ Someone with a Windows Defender ATP Global administrator role has unrestricted a
2. Click **Edit**.
3. Modify the details or the groups that the role is a part of.
3. Modify the details or the groups that are assigned to the role.
4. Click **Save and close**.
## Delete roles
1. Select the role row you'd like to delete.
1. Select the role you'd like to delete.
2. Click the drop-down button and select **Delete role**.