mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 12:53:38 +00:00
Merge branch 'rs2' of https://github.com/Microsoft/win-cpub-itpro-docs into rs2
@ -21,8 +21,8 @@ Configuration service providers (CSPs) expose device configuration settings in W
|
||||
|
||||
The CSPs are documented on the [Hardware Dev Center](https://go.microsoft.com/fwlink/p/?LinkId=717390) because CSPs are used by mobile device management (MDM) service providers. This topic explains how IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations.
|
||||
|
||||
**Note**
|
||||
The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile.
|
||||
>[!NOTE]
|
||||
>The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile.
|
||||
|
||||
[See what's new for CSPs in Windows 10, version 1607.](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whatsnew_1607)
|
||||
|
||||
@ -60,15 +60,15 @@ In addition, you may have unmanaged devices, or a large number of devices that y
|
||||
|
||||
In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](cortana-at-work-overview.md) which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings.
|
||||
|
||||
### CSPs in Windows Imaging and Configuration Designer (ICD)
|
||||
### CSPs in Windows Configuration Designer
|
||||
|
||||
You can use Windows Imaging and Configuration Designer (ICD) to create [provisioning packages](https://go.microsoft.com/fwlink/p/?LinkId=717466) to apply settings to devices during the out-of-box-experience (OOBE) and after devices are set up. You can use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows ICD are based on CSPs.
|
||||
You can use Windows Configuration Designer to create [provisioning packages](https://go.microsoft.com/fwlink/p/?LinkId=717466) to apply settings to devices during the out-of-box-experience (OOBE) and after devices are set up. You can use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows Configuration Designer are based on CSPs.
|
||||
|
||||
Many settings in Windows ICD will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image.
|
||||
Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image.
|
||||
|
||||

|
||||
|
||||
[Configure devices without MDM](../manage/configure-devices-without-mdm.md) explains how to use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package.
|
||||
[Provisioning packages in Windows 10](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package.
|
||||
|
||||
### CSPs in MDM
|
||||
|
||||
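Review bot: The image line in this hunk still has the alt text "how help content appears in icd" and the file name images/cspinicd.png, although every other mention of Windows ICD here was renamed to Windows Configuration Designer. Update the alt text so it names the current tool. The sentence that replaces the "Configure devices without MDM" pointer also drops the statement that the tool is included in the Windows ADK, so the section no longer says where the tool comes from; confirm the linked provisioning-packages.md topic covers that.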
@ -78,7 +78,7 @@ When a CSP is available but is not explicitly included in your MDM solution, you
|
||||
|
||||
### CSPs in Lockdown XML
|
||||
|
||||
Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601).
|
||||
Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). In Windows 10, version 1703, you can also use the new [Lockdown Designer app](mobile-lockdown-designer.md) to configure your Lockdown XML.
|
||||
|
||||
## <a href="" id="bkmk-csp-doc"></a>How do you use the CSP documentation?
|
||||
|
||||
|
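Review bot: The added sentence opens with "In Windows 10, version 1703", while the sentence before it scopes Lockdown XML to devices running Windows 10 Mobile. State the edition in the new sentence as well, so a reader does not take the Lockdown Designer app to apply to desktop editions. The wording "the new" will also date quickly; "the Lockdown Designer app" is enough.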
@ -8,7 +8,7 @@ author: brianlic-msft
|
||||
---
|
||||
|
||||
# Windows 10 and Windows 10 Mobile
|
||||
|
||||
|
||||
This library provides the core content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10 or Windows 10 Mobile.
|
||||
|
||||
<center><iframe src="https://channel9.msdn.com/Events/Ignite/Australia-2017/WIN212/player" width="960" height="540" allowFullScreen frameBorder="0"></iframe></center>
|
||||
@ -50,9 +50,9 @@ This library provides the core content that IT pros need to evaluate, plan, depl
|
||||
</a>
|
||||
<br/>Keep Secure
|
||||
</td>
|
||||
<td style="width:25%; border:0;">
|
||||
<td style="width:25%; border:0;">
|
||||
<br/>
|
||||
<a href="https://technet.microsoft.com/en-us/itpro/windows/configure/index">
|
||||
<a href="https://technet.microsoft.com/en-us/itpro/windows/configure/index">
|
||||
<img src="images/W10-configure.png" alt="Configure Windows 10 in your enterprise" title="Configure Windows 10" />
|
||||
</a>
|
||||
<br/>Configure
|
||||
@ -76,23 +76,22 @@ This library provides the core content that IT pros need to evaluate, plan, depl
|
||||
|
||||
<br/>
|
||||
|
||||
# Get to know Windows as a Service (WaaS)
|
||||
<table border="0" width="100%" align='center'>
|
||||
# Get to know Windows as a Service (WaaS)
|
||||
<table border="0" width="100%" align='center'>
|
||||
<tr>
|
||||
<td valign=top width=60%>The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
|
||||
|
||||
These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
|
||||
|
||||
<td valign=top width=60%>The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
|
||||
|
||||
These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
|
||||
|
||||
|
||||
* [Read more about Windows as a Service]()
|
||||
* [Download the WaaS infographic]()
|
||||
|
||||
</td>
|
||||
<td width=40%><center><img style='border:thin silver solid' src="images/w10-WaaS-poster.png" alt="Get to know Windows as a Service (WaaS) " title="Get to know Windows as a Service (WaaS)" /></center></td>
|
||||
<td width=40%><center><img style='border:thin silver solid' src="images/w10-WaaS-poster.png" alt="Get to know Windows as a Service (WaaS) " title="Get to know Windows as a Service (WaaS)" /></center></td>
|
||||
</tr>
|
||||
<table>
|
||||
|
||||
|
||||
## Related topics
|
||||
[Windows 10 TechCenter](https://go.microsoft.com/fwlink/?LinkId=620009)
|
||||
|
||||
|
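Review bot: The two bullets "[Read more about Windows as a Service]()" and "[Download the WaaS infographic]()" have empty link targets, so they will render as dead links. Fill in the URLs or leave the bullets out until the targets exist. The table in this hunk is also closed with an opening `<table>` tag after `</tr>`; that should be `</table>`, otherwise the "Related topics" heading ends up inside an unclosed table.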
@ -578,6 +578,7 @@
|
||||
###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)
|
||||
###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)
|
||||
###### [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)
|
||||
###### [Interactive logon: Don't display username at sign-in](interactive-logon-dont-display-username-at-sign-in.md)
|
||||
###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)
|
||||
###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)
|
||||
###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)
|
||||
|
@ -65,7 +65,7 @@ Reviewing the various alerts and their severity can help you decide on the appro
|
||||
- Windows Defender ATP
|
||||
|
||||
>[!NOTE]
|
||||
>The Windows Defender AV filter will only appear if your endpoints are using Windows Defender as the default real-time protection antimalware product.
|
||||
>The Windows Defender Antivirus filter will only appear if your endpoints are using Windows Defender as the default real-time protection antimalware product.
|
||||
|
||||
**Time period**</br>
|
||||
- 1 day
|
||||
|
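Review bot: The rename in the note is only half applied. The new line reads "The Windows Defender Antivirus filter will only appear if your endpoints are using Windows Defender as the default real-time protection antimalware product", so the product is named two different ways in one sentence. Change the second mention to "Windows Defender Antivirus" too, and check that the filter label in the bullet list above matches what the portal shows.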
@ -21,7 +21,6 @@ localizationpriority: high
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
|
||||
|
||||
The sensor health tile provides information on the individual endpoint’s ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
|
||||
|
||||
|
@ -21,8 +21,6 @@ localizationpriority: high
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
|
||||
|
||||
## Pull alerts using supported security information and events management (SIEM) tools
|
||||
Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
|
||||
|
||||
|
@ -126,9 +126,9 @@ The following tables describe baseline protections, plus protections for improve
|
||||
|
||||
<br>
|
||||
|
||||
#### 2017 Additional security qualifications starting with Windows 10, version 1703
|
||||
#### 2017 Additional security qualifications starting in 2017
|
||||
|
||||
The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications.
|
||||
The following table lists qualifications for 2017, which are in addition to all preceding qualifications.
|
||||
|
||||
| Protection for Improved Security | Description |
|
||||
|---------------------------------------------|----------------------------------------------------|
|
||||
|
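Review bot: The new heading reads "2017 Additional security qualifications starting in 2017", which repeats the year, and both the heading and the intro sentence lose the release the old text named (Windows 10, version 1703). If the qualifications are tied to a hardware year rather than an OS release, drop the leading "2017" from the heading and say in the intro sentence which Windows 10 versions they apply to, so readers can still map the table to a build.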
@ -21,8 +21,6 @@ localizationpriority: high
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
|
||||
|
||||
You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization.
|
||||
|
||||
## Before you begin
|
||||
|
@ -21,8 +21,6 @@ localizationpriority: high
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
|
||||
|
||||
The **Dashboard** displays a snapshot of:
|
||||
|
||||
- The latest active alerts on your network
|
||||
@ -65,7 +63,7 @@ The tile shows you a list of user accounts with the most active alerts. The tota
|
||||
Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
## Machines with active malware detections
|
||||
The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender.
|
||||
The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender Antivirus.
|
||||
|
||||
Active malware is defined as threats that were actively executing at the time of detection.
|
||||
|
||||
@ -86,7 +84,7 @@ Threats are considered "active" if there is a very high probability that the mal
|
||||
Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine.
|
||||
|
||||
> [!NOTE]
|
||||
> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
|
||||
> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
|
||||
|
||||
## Sensor health
|
||||
The **Sensor health** tile provides information on the individual endpoint’s ability to provide sensor data to the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines.
|
||||
|
@ -22,12 +22,12 @@ localizationpriority: high
|
||||
- Windows Defender
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
The Windows Defender Advanced Threat Protection agent depends on Windows Defender for some capabilities such as file scanning.
|
||||
The Windows Defender Advanced Threat Protection agent depends on Windows Defender Antivirus for some capabilities such as file scanning.
|
||||
|
||||
If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender on that endpoint will enter into passive mode.
|
||||
If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.
|
||||
|
||||
Windows Defender will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
|
||||
Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
|
||||
|
||||
The Windows Defender interface will be disabled, and users on the endpoint will not be able to use Windows Defender to perform on-demand scans or configure most options.
|
||||
The Windows Defender Antivirus interface will be disabled, and users on the endpoint will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options.
|
||||
|
||||
For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md).
|
||||
For more information, see the **Compatibility** section in the [Windows Defender Antivirus in Windows 10 topic](windows-defender-in-windows-10.md).
|
||||
|
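Review bot: The changed sentence about passive mode carries over two errors from the old line: the process name is written "mspeng.exe" where the Windows Defender Antivirus service executable is MsMpEng.exe, and "will be listed as a running a service" has a stray "a". Since this line is being rewritten anyway, fix both; an administrator checking for the process by the name given here will not find it. The "Applies to" entry at the top of the hunk still says "Windows Defender" and should follow the rename as well.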
@ -21,8 +21,6 @@ localizationpriority: high
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
|
||||
|
||||
Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal.
|
||||
|
||||
1. In the navigation pane, select **Preference Setup** > **Threat intel API**.
|
||||
|
@ -192,8 +192,8 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
|
||||
</tr>
|
||||
<tr>
|
||||
<td>27</td>
|
||||
<td>Windows Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender. Onboarding process failed. Failure code: ```variable```.</td>
|
||||
<td>Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
|
||||
<td>Windows Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: ```variable```.</td>
|
||||
<td>Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
|
||||
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
||||
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).<br>
|
||||
Ensure real-time antimalware protection is running properly.</td>
|
||||
@ -208,8 +208,8 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
|
||||
</tr>
|
||||
<tr>
|
||||
<td>30</td>
|
||||
<td>Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender. Failure code: ```variable```.</td>
|
||||
<td>Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
|
||||
<td>Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: ```variable```.</td>
|
||||
<td>Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
|
||||
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
||||
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
|
||||
Ensure real-time antimalware protection is running properly.</td>
|
||||
|
@ -21,7 +21,6 @@ localizationpriority: high
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
|
||||
|
||||
With the Windows Defender ATP threat intelligence API, you can create custom threat intelligence alerts that can help you keep track of possible attack activities in your organization.
|
||||
|
||||
|
@ -21,8 +21,6 @@ localizationpriority: high
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
|
||||
|
||||
Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a machine to be categorized as inactive or misconfigured.
|
||||
|
||||
## Inactive machines
|
||||
|
@ -0,0 +1,86 @@
|
||||
---
|
||||
title: Interactive logon Don't display username at sign-in (Windows 10)
|
||||
description: Describes the best practices, location, values, and security considerations for the Interactive logon Don't display username at sign-in security policy setting.
|
||||
ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Interactive logon: Don't display username at sign-in
|
||||
|
||||
**Applies to**
|
||||
- Windows Server 2003, Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8, Windows 10
|
||||
|
||||
Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display username at sign-in** security policy setting.
|
||||
|
||||
## Reference
|
||||
|
||||
A new policy setting has been introduced in Windows 10 starting with Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. This setting only affects the **Other user** tile.
|
||||
|
||||
If the policy is enabled and a user signs in as **Other user**, the full name of the user is not displayed during sign-in. In the same context, if users type their email address and password at the sign in screen and press **Enter**, the displayed text “Other user” remains unchanged, and is no longer replaced by the user’s first and last name, as in previous versions of Windows 10. Additionally,if users enter their domain user name and password and click **Submit**, their full name is not shown until the Start screen displays.
|
||||
|
||||
If the policy is disabled and a user signs in as **Other user**, the “Other user” text is replaced by the user’s first and last name during sign-in.
|
||||
|
||||
### Possible values
|
||||
|
||||
- Enabled
|
||||
- Disabled
|
||||
- Not defined
|
||||
|
||||
### Best practices
|
||||
|
||||
Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy.
|
||||
|
||||
### Location
|
||||
|
||||
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
|
||||
|
||||
### Default values
|
||||
|
||||
| Server type or Group Policy object (GPO) | Default value|
|
||||
| - | - |
|
||||
| Default domain policy| Not defined|
|
||||
| Default domain controller policy| Not defined|
|
||||
| Stand-alone server default settings | Not defined|
|
||||
| Domain controller effective default settings | Not defined|
|
||||
| Member server effective default settings | Not defined|
|
||||
| Effective GPO default settings on client computers | Not defined|
|
||||
|
||||
## Policy management
|
||||
|
||||
This section describes features and tools that are available to help you manage this policy.
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
||||
|
||||
### Policy conflict considerations
|
||||
|
||||
None.
|
||||
|
||||
### Group Policy
|
||||
|
||||
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
|
||||
|
||||
## Security considerations
|
||||
|
||||
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
|
||||
|
||||
### Vulnerability
|
||||
|
||||
An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to log on.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
Enable the **Interactive logon: Don't display user name at sign-in** setting.
|
||||
|
||||
### Potential impact
|
||||
|
||||
Users must always type their usernames and passwords when they log on locally or to the domain. The logon tiles of all logged on users are not displayed.
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Security Options](security-options.md)
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Investigate machines in the Windows Defender ATP Machines view
|
||||
description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines view.
|
||||
keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, active malware detections, threat category, filter, sort, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, low severity
|
||||
keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
@ -38,7 +38,7 @@ When you open the portal, you’ll see the main areas of the application:
|
||||
- (3) Main portal
|
||||
|
||||
> [!NOTE]
|
||||
> Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
|
||||
> Malware related detections will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
|
||||
|
||||
You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
|
||||
|
||||
@ -48,10 +48,10 @@ Area | Description
|
||||
(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Service health**, **Preferences setup**, and **Enpoint Management**.
|
||||
**Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization.
|
||||
**Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts.
|
||||
**Machines view**| Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
|
||||
**Machines view** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
|
||||
**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service status is healthy or if there are current issues.
|
||||
**Preferences setup**| Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, and enable or turn off advanced features.
|
||||
**Endpoint Management**| Allows you to download the onboarding configuration package. It provides access to endpoint offboarding.
|
||||
**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, and enable or turn off advanced features.
|
||||
**Endpoint Management** | Allows you to download the onboarding configuration package. It provides access to endpoint offboarding.
|
||||
(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view.
|
||||
|
||||
## Windows Defender ATP icons
|
||||
|
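Review bot: While the table rows are being realigned, two typos in the unchanged rows of this hunk should be fixed in the same pass: the Navigation pane row lists "**Enpoint Management**" (the row further down spells it "Endpoint Management"), and the Service health row says "Window Defender ATP service". The last row, "(3) Main portal|", was also left without the space before the pipe that the other rows now have.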
@ -21,8 +21,6 @@ localizationpriority: high
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
|
||||
|
||||
This article provides PowerShell code examples for using the custom threat intelligence API.
|
||||
|
||||
These code examples demonstrate the following tasks:
|
||||
|
@ -21,7 +21,6 @@ localizationpriority: high
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
|
||||
|
||||
The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
|
||||
|
||||
|
@ -21,7 +21,6 @@ localizationpriority: high
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
|
||||
|
||||
## Before you begin
|
||||
You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library.
|
||||
|
@ -21,7 +21,6 @@ localizationpriority: high
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
<span style="color:#ED1C24;">[Some information relates to pre–released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
|
||||
|
||||
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center.
|
||||
|
||||
@ -83,11 +82,12 @@ You can roll back and remove a file from quarantine if you’ve determined that
|
||||
b. Right–click **Command prompt** and select **Run as administrator**.
|
||||
|
||||
2. Enter the following command, and press **Enter**:
|
||||
```
|
||||
“%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All
|
||||
```
|
||||
>[!NOTE]
|
||||
>Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days.
|
||||
```
|
||||
“%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
> Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days.
|
||||
|
||||
## Block files in your network
|
||||
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
|
||||
|
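Review bot: In the re-indented code block under step 2, the command still uses typographic quotes (“ ”) and en dashes (–) where the command line needs ASCII `"` and `-`. cmd.exe does not treat typographic quotes as quoting characters, so a pasted `“%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore …` is split at the space in the expanded path and the switches are not written with a plain hyphen. Since this change already touches the block, replace them with straight quotes and hyphens. The note under the command also says Windows Defender ATP "will remove all files that were quarantined", which reads as deletion in a section about rolling files back out of quarantine; "restore" would be clearer.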
@ -21,7 +21,6 @@ localizationpriority: high
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
|
||||
|
||||
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.
|
||||
|
||||
|
@ -21,7 +21,6 @@ localizationpriority: high
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
|
||||
|
||||
You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization.
|
||||
|
||||
|
@ -21,8 +21,6 @@ localizationpriority: high
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
|
||||
|
||||
Advanced cybersecurity attacks comprise of multiple complex malicious events, attributes, and contextual information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when to call an observed behavior as suspicious.
|
||||
|
||||
With Windows Defender ATP, you can create custom threat alerts that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom threat alerts will only appear in your organization and will flag events that you set it to track.
|
||||
|
@ -21,7 +21,6 @@ localizationpriority: high
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
|
||||
|
||||
You might need to troubleshoot issues while using the custom threat intelligence feature.
|
||||
|
||||
|
@ -21,8 +21,6 @@ localizationpriority: high
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
|
||||
|
||||
Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization.
|
||||
|
||||
You can use the code examples to guide you in creating calls to the custom threat intelligence API.
|
||||
|
@ -49,6 +49,8 @@ For a detailed description of these regsitry keys, see [Registry keys used to ma
|
||||
|
||||
By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually.
|
||||
|
||||
Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range will be counted from the active hours start time.
|
||||
|
||||
Administrators can use multiple ways to set active hours for managed devices:
|
||||
|
||||
- You can use Group Policy, as described in the procedure that follows.
|
||||
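Review bot: The added sentence "you can also specify the max active hours range" does not say what unit the range is measured in or which values are accepted, and "counted from the active hours start time" leaves it unclear how the range interacts with a configured end time. Suggest stating the unit and the allowed values, and writing "maximum" in full.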
@ -61,9 +63,11 @@ To configure active hours using Group Policy, go to **Computer Configuration\Adm
|
||||
|
||||

|
||||
|
||||
To configure max active hours range, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**. This is only available from Windows 10, version 1703.
|
||||
|
||||
### Configuring active hours with MDM
|
||||
|
||||
MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours.
|
||||
MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) and [Update/ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours.
|
||||
|
||||
### Configuring active hours through Registry
|
||||
|
||||
|
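Review bot: In the rewritten MDM sentence, "[Update/ActiveHoursStart and Update/ActiveHoursEnd](…) and [Update/ActiveHoursMaxRange](…) settings" chains two "and"s and mixes two URL forms for what is presented as the same Policy CSP reference (`library/windows/hardware/dn904962.aspx` and `…/mdm/policy-configuration-service-provider`). List the three settings with commas and use one link form throughout. In the added Group Policy paragraph, "open the **Specify active hours range for auto-restarts**" is missing its noun; "open the **Specify active hours range for auto-restarts** policy setting" reads correctly.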
@ -146,13 +146,16 @@ For more information, see [Device Guard Requirements](../keep-secure/requirement
|
||||
|
||||
The security setting [**Interactive logon: Display user information when the session is locked**](../keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
|
||||
|
||||
A new security policy setting
|
||||
[**Interactive logon: Don't display username at sign-in**](../keep-secure/interactive-logon-dont-display-username-at-sign-in.md) has been introduced in Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
|
||||
|
||||
## Update
|
||||
|
||||
### Windows Update for Business
|
||||
|
||||
The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](../update/waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](../update/waas-configure-wufb.md#pause-quality-updates).
|
||||
|
||||
You are now able to defer feature update installation by up to 365 days. In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details.
|
||||
Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days. In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details.
|
||||
|
||||
### Optimize update delivery
|
||||
|
||||
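Review bot: The rewritten sentence beginning "Windows Update for Business managed devices are now able to defer feature update installation" carries over the typo "deferal" in "update deferal periods"; it should be "deferral". In the added security policy paragraph, "A new security policy setting" sits on its own line ahead of the link and should be joined to it, and "displayed during sign in" should use the hyphenated "sign-in" to match the setting name quoted in the same sentence.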
@ -173,7 +176,7 @@ To check out all the details, see [Configure Delivery Optimization for Windows 1
|
||||
|
||||
### New MDM capabilities
|
||||
|
||||
Windows 10, version 1703 adds several new configuration service providers (CSPs) that provide new capabilities for managing Windows 10 devices using MDM. Some of the new CSPs are:
|
||||
Windows 10, version 1703 adds several new [configuration service providers (CSPs)](../configure/how-it-pros-can-use-configuration-service-providers.md) that provide new capabilities for managing Windows 10 devices using MDM. Some of the new CSPs are:
|
||||
|
||||
- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
|
||||
|
||||
@ -185,6 +188,12 @@ Windows 10, version 1703 adds several new configuration service providers (CSPs)
|
||||
|
||||
[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
|
||||
|
||||
### Mobile application management support for Windows 10
|
||||
|
||||
The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703.
|
||||
|
||||
For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management).
|
||||
|
||||
|
||||
|
||||
### Application Virtualization for Windows (App-V)
|
||||
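Review bot: The new "Mobile application management support for Windows 10" section links only to "Implement server-side support for mobile application management on Windows", whose title indicates guidance for building the management server side, while the paragraph itself tells IT pros that MAM is built on Windows Information Protection (WIP). Consider adding a link to the WIP documentation next to the first mention of WIP so readers of this summary have an administrator-facing target as well.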
@ -219,6 +228,3 @@ Update Compliance is a solution built using OMS Logs and Analytics that provides
|
||||
|
||||
For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](../manage/update-compliance-monitor.md).
|
||||
|
||||
### Enhanced Mobile Device Management (MDM) support
|
||||
|
||||
Mobile device management (MDM) has new configuration service providers (CSPs) that can be called from code to manage Windows 10 devices. For more info, see [What's new in MDM in Windows 10, version 1703](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10).
|
||||
|